But not all RW_URLBL.txt entries are contained in RW_DOMBL.txt and vice versa.
For example, 25z5g623wpqpdwis.onion.to doesn't have a match in RW_URLBL.txt.
And if I extract from http://01ad681.netsolhost.com/7j0jlq3 the domain, 01ad681.netsolhost.com is not in RW_DOMBL.txt?!

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna – Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it

-----Original Message-----
From: Axb [mailto:axb.li...@gmail.com]
Sent: Friday, 14 October 2016 10:41
To: users@spamassassin.apache.org
Subject: Re: ramsonware URI list

On 10/14/2016 10:30 AM, Nicola Piazzi wrote:
> ABUSE.CH maintains an updated list of ransomware lists; here is the txt file link:
> https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt
>
> It is very simple to make a shell script that checks for file changes every hour,
> downloads the file if there is a new one, and writes a rule .cf using the data
> contained in the file.
>
> But how to write a rule?
> We have more than 4000 URIs in the file; we can do a single rule like this,
> separating URIs with |:
>
> uri URIRAMS /http:\/\/1natureresort\.com\/afdIJGY8766gyu|http:\/\/1jamprofit\.com\/hjy93JNBasdas/
> describe URIRAMS Match a Ramsonware URI
> score URIRAMS 5.00
>
> or is it better to separate each URI:
>
> uri __URIRAMS00001 /http:\/\/1natureresort\.com\/afdIJGY8766gyu/
> uri __URIRAMS00002 /http:\/\/1jamprofit\.com\/hjy93JNBasdas/
> meta URIRAMS (__URIRAMS00001 | __URIRAMS00002)
> describe URIRAMS Match a Ramsonware URI
> score URIRAMS 5.00
>
> Obviously this example is related to 2 entries, and we have 4000 entries here.
> Any suggestion?

Performance-wise, best is to use a domain list in a local instance of rbldnsd.
Sadly, abuse.ch only publishes subdomain.example.net instead of example.net, so you'd have to do some scripted editing to remove the subdomain.

If you want to use static rules, base them on https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt, use __URI_BLAH and meta them together.
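
Added example, not code from either poster: it reports hosts in the URL list that have no entry in the domain list (the mismatch raised in the reply) and writes one __URIRAMS sub-rule per domain-list entry plus the meta rule that joins them. The sample lists are constructed, and the anchored host pattern, the describe text and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed samples, one entry per line, '#' lines are comments;
# the hosts are the ones quoted in this thread.
SAMPLE_URLBL = """# constructed sample of RW_URLBL.txt
http://01ad681.netsolhost.com/7j0jlq3
http://1natureresort.com/afdIJGY8766gyu
"""
SAMPLE_DOMBL = """# constructed sample of RW_DOMBL.txt
25z5g623wpqpdwis.onion.to
1natureresort.com
"""

def entries(text):
    """Non-empty, non-comment lines of a list file."""
    stripped = (line.strip() for line in text.splitlines())
    return [line for line in stripped if line and not line.startswith("#")]

def url_hosts(urlbl_text):
    """Lower-cased host names of every URL in the URL list."""
    hosts = (urlsplit(url).hostname for url in entries(urlbl_text))
    return {host for host in hosts if host}

def domains(dombl_text):
    """Sorted, de-duplicated domain-list entries."""
    return sorted({d.lower().rstrip(".") for d in entries(dombl_text)})

def missing_from_dombl(urlbl_text, dombl_text):
    """Hosts that occur in the URL list but have no domain-list entry."""
    return sorted(url_hosts(urlbl_text) - set(domains(dombl_text)))

def build_cf(doms, name="URIRAMS", score="5.00"):
    """One anchored 'uri' sub-rule per domain plus a meta rule that ORs them."""
    if not doms:
        return ""  # an empty meta expression would not be a valid rule
    rules, subs = [], []
    for i, dom in enumerate(doms, 1):
        sub = f"__{name}{i:05d}"
        # Anchor on the host part so only the domain or its subdomains match.
        pattern = r"^https?:\/\/(?:[^\/]+\.)?" + re.escape(dom) + r"(?:[:\/]|$)"
        rules.append(f"uri {sub} /{pattern}/i")
        subs.append(sub)
    rules.append(f"meta {name} ({' || '.join(subs)})")
    rules.append(f"describe {name} Host listed in the ransomware domain list")
    rules.append(f"score {name} {score}")
    return "\n".join(rules) + "\n"
```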