I've got a couple of users getting 419 scams, and it looks like
20_advance_fee.cf has got most of the good stuff for finding these
nasties.  Unfortunately, it's only matching one of the sub-tests
( __FRAUD_DBI ).

If I wanted to extend it a bit, how should I go about it?  Maybe create:
meta __ADVANCE_FEE_1 (__FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB +
__FRAUD_XJR + __FRAUD_EZY + __FRAUD_ZFJ + __FRAUD_KDT + __FRAUD_BGP +
__FRAUD_FBI + __FRAUD_JBU + __FRAUD_JYG + __FRAUD_XVW + __FRAUD_SNT +
__FRAUD_LTX + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF +
__FRAUD_FCW + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_NRG +
__FRAUD_RLX + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA +
__FRAUD_YPO + __FRAUD_UOQ + __FRAUD_DBI + __FRAUD_BEP + __FRAUD_DPR +
__FRAUD_QXX + __FRAUD_QFY + __FRAUD_PTS + __FRAUD_TDP + __FRAUD_GAN +
__FRAUD_IPK + __FRAUD_AON + __FRAUD_WNY + __FRAUD_AUM + __FRAUD_WFC +
__FRAUD_YWW + __FRAUD_ULK + __FRAUD_IOU + __FRAUD_JNB + __FRAUD_IRT +
__FRAUD_ETX + __FRAUD_WDR + __FRAUD_UUY + __FRAUD_MLY > 0 )

Then, create my new subtests and:
meta AE_ADVANCE_FEE (__ADVANCE_FEE_1 + __AE_FRAUD_1 + __AE_FRAUD_2... > 1)


Or would it be better to just overwrite ADVANCE_FEE_{2,3,4} with more
subtests?



-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
