Re: This spam should have triggered more rules

2008-08-29 Thread mouss
Skip wrote: uri URI_EXE /\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)(?:\W{0,20}$|\?)/i WARNING: quickly tested (and only with Thunderbird). This will also catch things like "foo.exe- blah blah" and "foo.exe!!! blah blah". Testing with TB shows that it ignores "trailing punctuation". Wouldn't

Re: This spam should have triggered more rules

2008-08-29 Thread Skip
uri URI_EXE /\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)(?:\W{0,20}$|\?)/i WARNING: quickly tested (and only with Thunderbird). This will also catch things like "foo.exe- blah blah" and "foo.exe!!! blah blah". Testing with TB shows that it ignores "trailing punctuation". Wouldn't it be better

Re: This spam should have triggered more rules

2008-08-28 Thread mouss
Skip wrote: mouss wrote: Jason Haar wrote: Karsten Bräckelmann wrote: uri EXECUTABLE /\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)$/i That won't stop "blah.exe?token=cookie". Web servers will still return "blah.exe" (and the attacker can trackback who clicked on it too that way! ;-) How ab

Re: This spam should have triggered more rules

2008-08-28 Thread Skip
mouss wrote: Jason Haar wrote: Karsten Bräckelmann wrote: uri EXECUTABLE /\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)$/i That won't stop "blah.exe?token=cookie". Web servers will still return "blah.exe" (and the attacker can trackback who clicked on it too that way! ;-) How about uri EXE

Re: This spam should have triggered more rules

2008-08-28 Thread Karsten Bräckelmann
On Thu, 2008-08-28 at 14:18 +1200, Jason Haar wrote: > Karsten Bräckelmann wrote: > > > > uri EXECUTABLE /\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)$/i > > That won't stop "blah.exe?token=cookie". Web servers will still return > "blah.exe" (and the attacker can trackback who clicked on it too that

Re: This spam should have triggered more rules

2008-08-27 Thread mouss
Jason Haar wrote: Karsten Bräckelmann wrote: uri EXECUTABLE /\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)$/i That won't stop "blah.exe?token=cookie". Web servers will still return "blah.exe" (and the attacker can trackback who clicked on it too that way! ;-) How about uri EXECUTABLE /\.(?

Re: This spam should have triggered more rules

2008-08-27 Thread Jason Haar
Karsten Bräckelmann wrote: uri EXECUTABLE /\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)$/i That won't stop "blah.exe?token=cookie". Web servers will still return "blah.exe" (and the attacker can trackback who clicked on it too that way! ;-) How about uri EXECUTABLE /\.(?:exe|scr|dll|pif|vb

Re: This spam should have triggered more rules

2008-08-27 Thread Karsten Bräckelmann
On Wed, 2008-08-27 at 21:00 +, Duane Hill wrote: > On Wed, 27 Aug 2008, Skip wrote: > > Tell me, where did you get the SG_EXECUTABLE_URI rule? I don't have it in > > my > > installation. > It was a rule that was posted to the list close to a week ago by Phil > Randal (thread subject: e gr

Re: This spam should have triggered more rules

2008-08-27 Thread Duane Hill
On Wed, 27 Aug 2008, Skip wrote: Scored well here: X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) X-Spam-Level: x X-Spam-Status: Reqd:5.0 Hits:17.1 Learn:disabled Tests:JM_SOUGHT_2=4, JM_SOUGHT_3=4,SG_EXECUTABLE_URI=3,UNPARSEABLE_RELAY=0.001,

Re: This spam should have triggered more rules

2008-08-27 Thread Skip
Scored well here: X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) X-Spam-Level: x X-Spam-Status: Reqd:5.0 Hits:17.1 Learn:disabled Tests:JM_SOUGHT_2=4, JM_SOUGHT_3=4,SG_EXECUTABLE_URI=3,UNPARSEABLE_RELAY=0.001, URIBL_AB_SURBL=1.613,URIBL_BLACK=1

Re: This spam should have triggered more rules

2008-08-27 Thread John Hardin
On Wed, 27 Aug 2008, Skip wrote: http://pastebin.com/m5b376775 I have the botnet rules enabled and they trigger on a lot of my spam, as well as the sought rules. But not this message. This spam however only triggered two rules, however I feel it should have triggered more. Yeah, it passed

Re: This spam should have triggered more rules

2008-08-27 Thread Duane Hill
On Wed, 27 Aug 2008, Skip wrote: http://pastebin.com/m5b376775 I have the botnet rules enabled and they trigger on a lot of my spam, as well as the sought rules. But not this message. This spam however only triggered two rules, however I feel it should have triggered more. Yeah, it passed

This spam should have triggered more rules

2008-08-27 Thread Skip
http://pastebin.com/m5b376775 I have the botnet rules enabled and they trigger on a lot of my spam, as well as the sought rules. But not this message. This spam however only triggered two rules, however I feel it should have triggered more. Yeah, it passed my spam threshold and was caught,