看板FB_security
标 题Re: How do fix a good solution against spam..
发信站NCTU CSIE FreeBSD Server (Thu May 13 21:00:07 2004)
转信站ptt!FreeBSD.csie.NCTU!not-for-mail
--ELM1084480747-8674-0_
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
take a look here :
http://www.merchantsoverseas.com/wwwroot/gorilla
then let's try the attached script and patch which may not be up to date.
PS : I don't use it since my machine is too slow and this makes mimedefang
to give up (timeout) to often.
Cyrille Lefevre
--
mailto:
[email protected]
--ELM1084480747-8674-0_
Content-Transfer-Encoding: 8bit
Content-Type: text/x-patch; charset=ISO-8859-15
Content-Disposition: attachment; filename=sa_rules.patch
Content-Description:
diff -u orig/sa_body.cf sa/sa_body.cf
--- orig/sa_body.cf Thu Feb 19 14:56:29 2004
+++ sa/sa_body.cf Sat Jan 31 01:57:22 2004
@@ -4,21 +4,20 @@
# submitted by Yorkshire Dave.
-> "Dear Fellow Opportunist" (my favorite ;-)
+# "Dear Fellow Opportunist" (my favorite ;-)
body L_OPPORT /\bfellow.opportunist/i
describe L_OPPORT fellow opportunist
-> "You need to act now or you will miss out on a great offer"
+# "You need to act now or you will miss out on a great offer"
body L_ACTMISS /\bact.now.{1,30}or.{5,20}miss\b/i
describe L_ACTMISS act now or miss
-body L_MISSOFFER
-/\bmiss.{1,20}(great|fantastic|unbeatable).{1.20}offer/i
+body L_MISSOFFER /\bmiss.{1,20}(great|fantastic|unbeatable).{1.20}offer/i
describe L_MISSOFFER miss great offer
-> "CASH FOREVER"
+# "CASH FOREVER"
body L_CASHFOREVER /\bcash.{1,3}forever\b/
describe L_CASHFOREVER cash forever
@@ -419,8 +418,7 @@
# The following rules submitted by Kai MacTane.
-body HIDDEN_VIAGRA
-/v[\s{1,5}\-\.\*_]i[\s{1,5}\-\.\*_]a[\s{1,5}\-\.\*_]g[\s{1,5}\-\.\*_]r[\s{1,5}\-\.\*_]a/i
+body HIDDEN_VIAGRA /v[\s{1,5}\-\.\*_]i[\s{1,5}\-\.\*_]a[\s{1,5}\-\.\*_]g[\s{1,5}\-\.\*_]r[\s{1,5}\-\.\*_]a/i
describe HIDDEN_VIAGRA Uses obfuscated version of "Viagra"
score HIDDEN_VIAGRA 2.00
@@ -1011,7 +1009,7 @@
describe CAREER_BACK_ON_TRACK (LOCAL RULE) Talks about getting a career back on track
score CAREER_BACK_ON_TRACK 3 3 3 3
-raw 123X456 /123x456/i
+rawbody 123X456 /123x456/i
describe 123X456 (LOCAL RULE) 123X456 is a marker for the SoBig.E worm
score 123X456 99 99 99 99
diff -u orig/sa_header_other.cf sa/sa_header_other.cf
--- orig/sa_header_other.cf Thu Feb 19 14:56:29 2004
+++ sa/sa_header_other.cf Sat Jan 31 02:18:10 2004
@@ -9,8 +9,8 @@
header HINET Received =~ /bHINET-IP/i
describe HINET Received line contains HINET-IP (common spam gate from pacrim)
-header TO-EVERYONE To:addr =~ /every(?:one|body)/i
-describe TO-EVERYONE To: everyone or everybody
+header TO_EVERYONE To:addr =~ /every(?:one|body)/i
+describe TO_EVERYONE To: everyone or everybody
# The following rules submitted by Daniel Bird.
@@ -97,27 +97,27 @@
score L_f_Refi 0.4
# Spamsign in misc headers
-Header L_hR_NOREPLY Return-path =~ /<>/
+header L_hR_NOREPLY Return-path =~ /<>/
describe L_hR_NOREPLY Return path is set to empty (common for bounces) (RM)
score L_hR_NOREPLY 1.1
-Header L_hr_clkheremail Received =~ /clkheremail\.com/
+header L_hr_clkheremail Received =~ /clkheremail\.com/
describe L_hr_clkheremail Spam passed through clkheremail.com relay (RM)
score L_hr_clkheremail 3.1
-Header L_hr_HeloIP Received =~ /helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i
+header L_hr_HeloIP Received =~ /helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i
describe L_hr_HeloIP Received has helo=IP - may be valid DSL router w/nat - may be spam (RM)
score L_hr_HeloIP 0.5
-Header L_hx_PSSBulk X-Mailer =~ /PSS\ Bulk\ Mailer/
+header L_hx_PSSBulk X-Mailer =~ /PSS\ Bulk\ Mailer/
describe L_hx_PSSBulk Uses PSS Bulk Mailer (RM)
score L_hx_PSSBulk 1.1
-Header L_hx_XaM3API exists:X-XaM3-API-Version
+header L_hx_XaM3API exists:X-XaM3-API-Version
describe L_hx_XaM3API X-XaM3-API-Version header found, often spamsign (RM)
score L_hx_XaM3API 1.1
-Header L_hx_JLH exists:X-JLH
+header L_hx_JLH exists:X-JLH
describe L_hx_JLH X-JLH header found, possible spamsign (RM)
score L_hx_JLH 1.1
diff -u orig/sa_header_subject.cf sa/sa_header_subject.cf
--- orig/sa_header_subject.cf Thu Feb 19 14:56:29 2004
+++ sa/sa_header_subject.cf Sat Jan 31 02:08:47 2004
@@ -27,59 +27,59 @@
# The following rules submitted by Robert Menschel.
# Spamsign subjects
-Header L_s_casino Subject =~ /c[a\@]sin[o0]/i
+header L_s_casino Subject =~ /c[a\@]sin[o0]/i
describe L_s_casino Subject mentions a casino (RM)
score L_s_casino 1.1
-Header L_s_CopyDVD Subject =~ /c[o0]py\ dvd/i
+header L_s_CopyDVD Subject =~ /c[o0]py\ dvd/i
describe L_s_CopyDVD Subject mentions copying DVDs (RM)
score L_s_CopyDVD 3.1
-Header L_s_Drugs Subject =~ /V[i1][A\@]GR[A\@]|ph[a\@]rm[a\@]c/i
+header L_s_Drugs Subject =~ /V[i1][A\@]GR[A\@]|ph[a\@]rm[a\@]c/i
describe L_s_Drugs Subject mentions known spam subject (RM)
score L_s_Drugs 2.1
-Header L_s_GetPaid Subject =~ /Get\ P[a\@]id/i
+header L_s_GetPaid Subject =~ /Get\ P[a\@]id/i
describe L_s_GetPaid Subject mentions getting paid for something (RM)
score L_s_GetPaid 1.1
-Header L_s_HelpInvest Subject =~ /help.{1,10}invest/i
+header L_s_HelpInvest Subject =~ /help.{1,10}invest/i
describe L_s_HelpInvest Subject mentions help in investing something (RM)
score L_s_HelpInvest 1.1
-Header L_s_MaskedWords1 Subject =~ /Ga,ng|L0SE|W\@rning|si0n|t(?:\|0|\|o|i0)n/i
+header L_s_MaskedWords1 Subject =~ /Ga,ng|L0SE|W\@rning|si0n|t(?:\|0|\|o|i0)n/i
describe L_s_MaskedWords1 masked spam word(s) in subject (RM)
score L_s_MaskedWords1 9.1
-Header L_s_MaskedWords2 Subject =~ /che\@p|F0r|d0main|Ple\@se|m0ve/i
+header L_s_MaskedWords2 Subject =~ /che\@p|F0r|d0main|Ple\@se|m0ve/i
describe L_s_MaskedWords2 masked spam word(s) in subject (RM)
score L_s_MaskedWords2 9.1
-Header L_s_MaskedWords3 Subject =~ /p\@tients|ph0t0|b0y|g1rl|vide0/i
+header L_s_MaskedWords3 Subject =~ /p\@tients|ph0t0|b0y|g1rl|vide0/i
describe L_s_MaskedWords3 masked spam word(s) in subject (RM)
score L_s_MaskedWords3 9.1
-Header L_s_MaskedWords4 Subject =~ /5emin|ch[赨@]rge|佒緉|pen1s/i
+header L_s_MaskedWords4 Subject =~ /5emin|ch[赨@]rge|佒緉|pen1s/i
describe L_s_MaskedWords4 masked spam word(s) in subject (RM)
score L_s_MaskedWords4 7.1
-Header L_s_MaskedWordsC Subject =~ /reaI|excIusive/
+header L_s_MaskedWordsC Subject =~ /reaI|excIusive/
describe L_s_MaskedWordsC masked spam word(s) in subject - case sensitive (RM)
score L_s_MaskedWordsC 9.1
-Header L_s_PleaseRead Subject =~ /please\ re[a\@]d/i
+header L_s_PleaseRead Subject =~ /please\ re[a\@]d/i
describe L_s_PleaseRead Subject includes request to please read the message (RM)
score L_s_PleaseRead 0.6
-Header L_s_profile Subject =~ /I\ saw\ your\ profile/i
+header L_s_profile Subject =~ /I\ saw\ your\ profile/i
describe L_s_profile Subject mentions your profile (RM)
score L_s_profile 1.1
-Header L_s_porn Subject =~ /p[o0]rn|fuck|violenced|jerk\ off/i
+header L_s_porn Subject =~ /p[o0]rn|fuck|violenced|jerk\ off/i
describe L_s_porn Subject seems to be about porn (RM)
score L_s_porn 2.1
-Header L_s_Tax Subject =~ /T[a\@]x/i
+header L_s_Tax Subject =~ /T[a\@]x/i
describe L_s_Tax Subject mentions taxes (RM)
score L_s_Tax 1.1
diff -u orig/sa_meta.cf sa/sa_meta.cf
--- orig/sa_meta.cf Thu Feb 19 14:56:29 2004
+++ sa/sa_meta.cf Sat Jan 31 03:00:13 2004
@@ -9,9 +9,11 @@
#Check for a beginning HTML tag <HTML>
rawbody __MK_HTML_TAG_START /\<html/i
+describe <html
#Check for a closing HTML tag </html>
rawbody __MK_HTML_TAG_END /\<\/html\>/i
+describe </html>
#Check to see if the HTML message is made correctly. Seeing a lot of SPAM that isn't
meta MK_BAD_HTML_4 HTML_MESSAGE && !__MK_HTML_TAG_START && !__MK_HTML_TAG_END
@@ -102,8 +104,7 @@
header __THEBAT_UA User-Agent =~ /The Bat/
meta L_FORGED_MUA_THEBAT ( __THEBAT_UA && !__THEBAT_MSGID )
-describe L_FORGED_MUA_THEBAT Forged message pretending to be from the
-bat!
+describe L_FORGED_MUA_THEBAT Forged message pretending to be from the bat!
#spewing virus reports to forged sender addresses is spamming, talking
# about them on mailing lists isn't.
@@ -111,7 +112,8 @@
body __VIRUS_WARNING_FWD /(attachment|email|file|message|scanner).{0,50}(contain(s|ed)|infect(ion|ed)|report(s|ed)|detected).{0,50}virus/is
body __VIRUS_WARNING_REV /virus.{0,50}(found|infect(ion|ed)|reported|detected).{0,50}(attachment|email|file|message)/is
body __FORGING_VIRUS /(braid.a|bugbear|klez|sobig|winevar|yaha.e)/i
-meta L_BROKEN_ANTIVIRUS ((__VIRUS_WARNING_FWD || __VIRUS_WARNING_REV) && __FORGING_VIRUS && ! (REFERENCES || IN_REP_TO)) describe L_BROKEN_ANTIVIRUS UBE from dysfunctional virus scanner
+meta L_BROKEN_ANTIVIRUS ((__VIRUS_WARNING_FWD || __VIRUS_WARNING_REV) && __FORGING_VIRUS && ! (REFERENCES || IN_REP_TO))
+describe L_BROKEN_ANTIVIRUS UBE from dysfunctional virus scanner
# The following rules were submitted by Sandy S. (The last S is for Secret!)
diff -u orig/sa_oct03_rules.cf sa/sa_oct03_rules.cf
--- orig/sa_oct03_rules.cf Thu Feb 19 14:56:29 2004
+++ sa/sa_oct03_rules.cf Sat Jan 31 02:57:16 2004
@@ -223,7 +223,7 @@
rawbody MY_ONECHAR_SCRIPT /\/..?\.(pl|plx|cgi|asp)/
describe MY_ONECHAR_SCRIPT 1 or 2 letter script name found.
-score MY_ONE_CHAR_SCRIPT .33
+score MY_ONECHAR_SCRIPT .33
rawbody MY_THISIS /this is spam/i
describe MY_THISIS They said this is spam themselves!
diff -u orig/sa_uri.cf sa/sa_uri.cf
--- orig/sa_uri.cf Thu Feb 19 14:56:29 2004
+++ sa/sa_uri.cf Sat Jan 31 02:10:42 2004
@@ -358,8 +358,7 @@
uri MY_BLUETABS /fastbluetabs\.com/i
score MY_BLUETABS 5.000
-describe MY_BLUETABS Message contains a link or email address to
-fastbluetabs.com
+describe MY_BLUETABS Message contains a link or email address to fastbluetabs.com
uri MY_CERTREWARDS /certrewards\.com/i
score MY_CERTREWARDS 5.000
--ELM1084480747-8674-0_
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "
[email protected]"
--ELM1084480747-8674-0_--