Posted to users@spamassassin.apache.org by Michael Schout <ms...@gkg.net> on 2007/08/03 15:03:17 UTC
Re: Greeting card
Rocco Scappatura wrote:
> Is it possible to block the spam sent by GreetingCards.com which invites
> the receiver to access a URL and browse the ecard?
All of the ones I have received have a URL with a numeric IP, followed
by usually a 32 character string in the URL (MD5 hash?).
Here is my rule that traps them. I have not seen any get through after
this:
body LOCAL_POSTCARD_URL m'http://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}'
describe LOCAL_POSTCARD_URL Body contains postcard scam url
score LOCAL_POSTCARD_URL 3.0
Regards,
Michael Schout
Re: Greeting card
Posted by Michael Schout <ms...@gkg.net>.
Duane Hill wrote:
> There is already a test SA does for a dotted-decimal IP in a URL:
Yeah, I was afraid of false positives by raising the score of that rule.
So I made my own rule that only matches these specific URLs (with the
MD5 sum) instead.
Regards,
Michael Schout
Re: Greeting card
Posted by Duane Hill <d....@yournetplus.com>.
On Fri, 3 Aug 2007 at 08:03 -0500, mschout@gkg.net confabulated:
> Rocco Scappatura wrote:
>> Is it possible to block the spam sent by GreetingCards.com which invites
>> the receiver to access a URL and browse the ecard?
>
> All of the ones I have received have a URL with a numeric IP, followed
> by usually a 32 character string in the URL (MD5 hash?).
>
> Here is my rule that traps them. I have not seen any get through after
> this:
>
> body LOCAL_POSTCARD_URL m'http://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}'
> describe LOCAL_POSTCARD_URL Body contains postcard scam url
> score LOCAL_POSTCARD_URL 3.0
There is already a test SA does for a dotted-decimal IP in a URL:
NORMAL_HTTP_TO_IP
I have its score set to 2.5. It appears the default score is .001.
-------
_|_
(_| |
Re: Greeting card
Posted by "John D. Hardin" <jh...@impsec.org>.
On Fri, 3 Aug 2007, Michael Schout wrote:
> Here is my rule that traps them. I have not seen any get through
> after this:
>
> body LOCAL_POSTCARD_URL m'http://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}'
> describe LOCAL_POSTCARD_URL Body contains postcard scam url
> score LOCAL_POSTCARD_URL 3.0
That's a useful general rule. Here's a revision as a URI rule rather
than a BODY rule:
describe DQ_URI_ONLY_ARGS Dotted-Quad URI with only CGI arguments
uri DQ_URI_ONLY_ARGS m'^https?://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}'
I've added this into
http://www.impsec.org/~jhardin/antispam/postcards.cf too.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...every time I sit down in front of a Windows machine I feel as
if the computer is just a place for the manufacturers to put their
advertising. -- fwadling on Y! SCOX
----------------------------------------------------------------------
Tomorrow: The 272nd anniversary of John Peter Zenger's acquittal
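
Added example (not written by any poster in this thread): the two patterns quoted above, LOCAL_POSTCARD_URL and DQ_URI_ONLY_ARGS, run over constructed sample messages to show where a body rule and a uri rule differ. It assumes a rough model of SpamAssassin in which body rules see the visible text and uri rules see each extracted link target; the helper names, sample addresses and hash are made up for illustration.

```python
import re
from html.parser import HTMLParser

# The two patterns from the thread, transcribed to Python's re syntax.
BODY_RULE = re.compile(r'http://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}')    # LOCAL_POSTCARD_URL
URI_RULE = re.compile(r'^https?://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}')  # DQ_URI_ONLY_ARGS


class _Split(HTMLParser):
    """Assumed stand-in for SpamAssassin's rendering: visible text plus link targets."""

    def __init__(self):
        super().__init__()
        self.text, self.uris = [], []

    def handle_starttag(self, tag, attrs):
        # Link targets are URIs even when the visible text hides them.
        self.uris += [v for k, v in attrs if k == "href" and v]

    def handle_data(self, data):
        self.text.append(data)
        # URLs typed into the visible text are URIs as well.
        self.uris += re.findall(r'https?://\S+', data)


def evaluate(message):
    """Return (body_rule_hit, uri_rule_hit) for one message body."""
    p = _Split()
    p.feed(message)
    p.close()
    visible = " ".join(p.text)
    return (bool(BODY_RULE.search(visible)),
            any(URI_RULE.search(u) for u in p.uris))


# Constructed samples: 192.0.2.0/24 is a documentation range, the hash is made up.
H = "0123456789abcdef0123456789abcdef"
SAMPLES = {
    "plain text url": f"View your ecard: http://192.0.2.10/?{H}",
    "hidden in href": f'<a href="http://192.0.2.10/?{H}">View your ecard</a>',
    "https variant":  f"View your ecard: https://192.0.2.10/?{H}",
    "hostname url":   f"View your ecard: http://cards.example.com/?{H}",
    "short argument": "Router page: http://192.0.2.1/?abc",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        body_hit, uri_hit = evaluate(msg)
        print(f"{name:16} body={body_hit!s:5} uri={uri_hit}")
```

Neither pattern uses a case-insensitive flag, so an upper-case hex string would slip past both, and `\d+` also accepts octets that are not valid IPv4 values.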