Re: [clamav-users] help writing a sig

2012-12-12 Thread Tom Kinghorn
On 12/12/2012 15:38, Benny Pedersen wrote:
echo "pisem.ru" | sigtool --hex-dump >hex.1
echo "example.org" | sigtool --hex-dump >hex.2
join hex.1 and hex.2 into a logical or signature so it is just one signature, then if there are more toplevel spam domains, add this as one more hex.x to the logic

Re: [clamav-users] help writing a sig

2012-12-12 Thread Benny Pedersen
Tom Kinghorn wrote on 12-12-2012 14:19: the .tld also changes between .ru & .su
make it a logical signature where it matches all domains that you see spamming, that will be one signature for this spammer :)
echo "pisem.ru" | sigtool --hex-dump >hex.1
echo "example.org" | sigtool --hex-dump >hex

Re: [clamav-users] help writing a sig: SOLVED

2012-12-12 Thread Tom Kinghorn
On 12/12/2012 15:19, Tom Kinghorn wrote:
Thanks for the response. The hostname.domainname part is randomized, so it would need to be a wildcard. 1 constant is that the domain part (in this case pisem) always seems to be 5 letters. the .tld also changes

Re: [clamav-users] help writing a sig

2012-12-12 Thread Tom Kinghorn
On 12/12/2012 15:10, Benny Pedersen wrote: might be too much wildcard; try to make the signature match *.pisem.ru and hope it solves it
Thanks for the response. The hostname.domainname part is randomized, so it would need to be a wildcard. 1 constan

Re: [clamav-users] help writing a sig

2012-12-12 Thread Benny Pedersen
Tom Kinghorn wrote on 12-12-2012 13:54: However, it returns malformed database.
might be too much wildcard; try to make the signature match *.pisem.ru and hope it solves it

[clamav-users] help writing a sig

2012-12-12 Thread Tom Kinghorn
Good afternoon list. We have been getting bombarded by spam with a single link to random .ru websites. I have tried creating a signature to match http://hostname.domainname.ru like /http://odnocw4.pisem.ru/ e.g. 687474703a2f2f*2e*2e7275 <<< http://{WILDCARD_ANY_STRING}.{WILDCARD_ANY_STRING