On Fri, 3 Aug 2007, Michael Schout wrote:

> Here is my rule that traps them.  I have not seen any get through
> after this:
> 
> body     LOCAL_POSTCARD_URL  m'http://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}'
> describe LOCAL_POSTCARD_URL  Body contains postcard scam url
> score    LOCAL_POSTCARD_URL  3.0

That's a useful general rule. Here's a revision as a URI rule rather 
than a BODY rule:

describe DQ_URI_ONLY_ARGS  Dotted-Quad URI with only CGI arguments
uri      DQ_URI_ONLY_ARGS  m'^https?://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}'

I've added this into 
http://www.impsec.org/~jhardin/antispam/postcards.cf too.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...every time I sit down in front of a Windows machine I feel as
  if the computer is just a place for the manufacturers to put their
  advertising.                                -- fwadling on Y! SCOX
----------------------------------------------------------------------
 Tomorrow: The 272nd anniversary of John Peter Zenger's acquittal
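
Added example, not part of the original message: a Python approximation of how the BODY rule and the URI rule above behave on the same messages. It assumes a simplified model in which body rules see only the rendered text and uri rules see the link targets extracted from the message; `_Split`, `evaluate` and the sample messages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# The two patterns from the thread, transcribed to Python syntax.
BODY_RE = re.compile(r'http://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}')
URI_RE = re.compile(r'^https?://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}')


class _Split(HTMLParser):
    """Collect visible text and href targets separately (rough stand-in
    for SpamAssassin's rendered body and extracted URI list)."""

    def __init__(self):
        super().__init__()
        self.text, self.uris = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.uris += [v for k, v in attrs if k == "href" and v]

    def handle_data(self, data):
        self.text.append(data)


def evaluate(html):
    """Return (body_rule_hit, uri_rule_hit) for one HTML message part."""
    p = _Split()
    p.feed(html)
    p.close()
    rendered = " ".join(" ".join(p.text).split())
    # URLs typed as plain text are also treated as URIs.
    uris = p.uris + re.findall(r'https?://\S+', rendered)
    return (bool(BODY_RE.search(rendered)),
            any(URI_RE.search(u) for u in uris))


# Constructed samples; 192.0.2.0/24 is a documentation address range.
SAMPLES = {
    "plain":  "<p>Your card: http://192.0.2.10/?0a1b2c3d4e5f</p>",
    "hidden": '<p><a href="http://192.0.2.10/?0a1b2c3d4e5f">View card</a></p>',
    "https":  '<p><a href="https://192.0.2.10/?0a1b2c3d4e5f">View card</a></p>',
    "path":   '<p><a href="http://192.0.2.10/cards/?0a1b2c3d4e5f">View</a></p>',
    "short":  "<p>http://192.0.2.10/?0a1b2c3</p>",
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(f"{name:7} body={evaluate(html)[0]!s:5} uri={evaluate(html)[1]}")
```

The "hidden" and "https" samples are the cases where only the URI form fires; "path" and "short" show that both forms require the query string to follow the address directly and to carry at least eight hex characters.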
