Hi Thomas

I see this is now coming up

Error: Worker_10000: read timeout at /usr/local/lib/perl5/site_perl/5.10.1/LWP/Protocol/http.pm line 426. at /usr/local/lib/perl5/site_perl/5.10.1/LWP/UserAgent.pm line 844.


Dale



----- Original Message ----- 
From: "Thomas Eckardt" <thomas.ecka...@thockar.com>
To: "Dale" <dbr...@columbusinternational.com>; "ASSP development mailing 
list" <assp-test@lists.sourceforge.net>
Sent: Friday, September 10, 2010 8:00 AM
Subject: Reply: Re: [Assp-test] Blocking the new email virus


> This variant is more exact (and tested!),
>
> (?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)(?:\=(?:\015?\012|\015))?(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?:\=(?:\015?\012|\015))?|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f)(?:\=(?:\015?\012|\015))?)(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?:\=(?:\015?\012|\015))?(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)(?:\=(?:\015?\012|\015))?(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?(?:\=(?:\015?\012|\015))?(?:[\=\%]3[aA]|\&\#0?58\;?|\:)(?:\=(?:\015?\012|\015))?(?:(?:[\=\%]2[fF]|\&\#0?47\;?|\/)(?:\=(?:\015?\012|\015))?){2}(?:[\x20-\x7E](?:\=(?:\015?\012|\015))?){10,}?(?:[\=\%]2[eE]|\&\#0?46\;?|\.)(?:\=(?:\015?\012|\015))?(?:(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)(?:\=(?:\015?\012|\015))?(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r))
>
> because the links could be very long, the HTML lines will be terminated
> with (?:\=(?:\015?\012|\015)) at any position of the text, like here:
>
> <html><head><style type=3D"text/css"><!-- DIV {margin:0px;}
> --></style></he=
> ad><body><div style=3D"font-family:times new roman, new york, times,
> serif;=
> font-size:12pt"><DIV><A href=3D"
> http://www.t-online.de/test/haouse/woister.=
> scr">http://www.t-online.de/test/haouse/woister.scr
> </A></DIV>=0A<DIV>&nbsp;=
> </DIV>=0A<DIV></DIV></div><br></body></html>
>
> Please switch off the regex optimizer by writing 'a-d-n-o-r' (without the
> quotes) as the first line in the file. This regex is too complex to get optimized.
>
> Thomas
>
>
>
> From:    "Dale" <dbr...@columbusinternational.com>
> To:      "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date:    10.09.2010 15:19
> Subject: Re: [Assp-test] Blocking the new email virus
>
>
>
>
> Hi Thomas
>
> Just to confirm, in file:files/bombdatare.txt I add this in one line,
>
> (?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f))(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?(?:[\=\%]3[aA]|\&\#0?58\;?|\:)(?:[\=\%]2[fF]|\&\#0?47\;?|\/){2}[^\x00-\x1F\x7F-\xFF]{10,}?(?:[\=\%]2[eE]|\&\#0?46\;?|\.)(?:(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r))
>
>
> Thanks
>
> Dale
>
>
>
>
> ----- Original Message ----- 
> From: "Thomas Eckardt" <thomas.ecka...@thockar.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Sent: Friday, September 10, 2010 1:13 AM
> Subject: Re: [Assp-test] Blocking the new email virus
>
>
>> To detect very bad URLs, I recommend using 'a bit more' extended
>> regexes.
>>
>>
>> (?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f))(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?(?:[\=\%]3[aA]|\&\#0?58\;?|\:)(?:[\=\%]2[fF]|\&\#0?47\;?|\/){2}[^\x00-\x1F\x7F-\xFF]{10,}?(?:[\=\%]2[eE]|\&\#0?46\;?|\.)(?i:scr)
>>
>>
>> The last part (?i:scr) could be expanded to your needs, to also detect
>> other extensions like (?i:scr|com|bat|exe), or you may use the default
>> 'bad attachment level 1 re'
>>
>> (?i:ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]|zap)
>> for this part of the regex
>>
>> If you only want to detect the '.scr', change this part to:
>>
>> (?:(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r))
>>
>>
>> The complete regex for the '.scr' case would be (all in one line!!!):
>>
>>
>> (?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f))(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?(?:[\=\%]3[aA]|\&\#0?58\;?|\:)(?:[\=\%]2[fF]|\&\#0?47\;?|\/){2}[^\x00-\x1F\x7F-\xFF]{10,}?(?:[\=\%]2[eE]|\&\#0?46\;?|\.)(?:(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r))
>>
>> This regex also detects the URLs if they are obfuscated using dec or hex
>> HTML tags.
>>
>> Use the regex in 'bombDataRe'.
>>
>> To show the regex in a simpler way:
>> (?:ht|f)tps?\:\/\/[^\x00-\x1F\x7F-\xFF]{10,}?\.scr
>> In words: (ht) or (f) followed by (tp) followed by (s or nothing) followed
>> by (://) followed by (at least 10 ASCII non-CTL characters) followed by
>> (.) followed by (scr).
>> Any single character is represented by a term like:
>> (?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h) <--- this is the 'h'
>> which could be HTML-encoded hex 48 or 68, or decimal 72 or 104, or simply
>> the h or H.
>>
>>> especially in ASSP
>>
>> There is nothing special in ASSP regexes, simply Perl.
>>
>> Thomas
>>
>>
>>
>>
>> From:    K Post <nntp.p...@gmail.com>
>> To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
>> Date:    10.09.2010 03:28
>> Subject: [Assp-test] Blocking the new email virus
>>
>>
>>
>>
>> Looks like there's a new email worm going around that's becoming a
>> problem.
>>
>> http://www.us-cert.gov/current/index.html#here_you_have_email_malware
>> http://www.avertlabs.com/research/blog/index.php/2010/09/09/widespread-reporting-of-here-you-have-virus/
>> http://threatpost.com/en_us/blogs/new-email-worm-turns-back-clock-virus-attacks-090910
>>
>> Anyone have a regex to block these emails?  It looks like they're links
>> that appear to be a PDF but it's really a .scr file.
>>
>> Would:
>> http:\/\/[\w\.\/\-]{10,500}\.scr
>> work?
>>
>> I'm thinking this would block http:// followed by 10-500 letters, numbers,
>> underscore (\w), a dot (\.), a slash (\/) or a dash (\-) followed by .scr,
>> but I'm terrible with regex, especially in ASSP.  Suggestions?
>>
>>
>>
>>
>>
>> DISCLAIMER:
>> *******************************************************
>> This email and any files transmitted with it may be confidential, legally
>> privileged and protected in law and are intended solely for the use of the
>> individual to whom it is addressed.
>> This email was multiple times scanned for viruses. There should be no
>> known virus in this email!
>> *******************************************************


------------------------------------------------------------------------------
Automate Storage Tiering Simply
Optimize IT performance and efficiency through flexible, powerful, 
automated storage tiering capabilities. View this brief to learn how
you can reduce costs and improve performance. 
http://p.sf.net/sfu/dell-sfdev2dev
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
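The per-character construction Thomas describes (each letter as QP/percent hex, as a decimal character reference, or as the bare letter, with a quoted-printable soft line break allowed after every token) is easier to trust once it can be run against a captured body before it goes into bombDataRe. The Python below is an added example for that; it is not code from this thread or from ASSP, which evaluates these patterns as Perl regexes. It builds the same shape of pattern programmatically and runs it over the quoted-printable snippet Thomas posted, reproduced here as a constructed string, plus a few constructed inputs. The function names (token, seq, build_pattern, find_bad_links, normalize) are this example's own. It generalizes slightly beyond the posted regex: leading zeros in decimal references are accepted with 0*, and the extension list is a parameter, so it also covers the (?i:scr|com|bat|exe) variant Thomas mentions. It needs Python 3.6 or newer for the scoped (?i:...) groups.

```python
import re

# Quoted-printable soft line break ("=" then CRLF, LF or CR). Thomas writes it
# as (?:\=(?:\015?\012|\015)); it may interrupt the URL after any token.
SOFT_BREAK = r"(?:=(?:\r?\n|\r))?"


def token(c: str) -> str:
    """Regex for ONE character in every form an obfuscated body may carry it:
    QP/percent hex (=68, %48, hex digits in either case), a decimal character
    reference (&#104; / &#0104;, ';' optional) or the bare character, any case.
    Leading zeros are accepted with 0* (a slight generalisation of the 0? used
    in the posted regex)."""
    codes = sorted({ord(c.lower()), ord(c.upper())})
    hex_alt = "|".join(f"{n:02X}" for n in codes)
    dec_alt = "|".join(str(n) for n in codes)
    return rf"(?i:[=%](?:{hex_alt})|&#0*(?:{dec_alt});?|{re.escape(c)})"


def seq(text: str) -> str:
    """One token per character, with an optional soft line break between them."""
    return SOFT_BREAK.join(token(c) for c in text)


def build_pattern(extensions=("scr",), min_body=10) -> "re.Pattern":
    """(ht|f)tp[s]://<min_body+ printable chars>.<ext>, tolerant of the
    encodings above and of a soft line break at every position."""
    sb = SOFT_BREAK
    scheme = f"(?:{seq('ht')}|{token('f')})"
    ext_alt = "|".join(seq(e) for e in extensions)
    return re.compile(
        scheme + sb + seq("tp") + sb + token("s") + "?" + sb + seq("://") + sb
        # lazy body: stop at the first ".<ext>" that follows at least min_body chars
        + rf"(?:[\x20-\x7E]{sb}){{{min_body},}}?"
        + token(".") + sb + f"(?:{ext_alt})"
    )


def normalize(url: str) -> str:
    """Undo the tolerated encodings so a hit can be logged as a plain URL.
    Soft breaks go first (they split tokens), then decimal references, then
    =XX / %XX hex. In a QP body a bare '=' is always an escape, so treating
    '=XX' as hex is safe there; this is not a general URL decoder."""
    s = re.sub(r"=(?:\r?\n|\r)", "", url)
    s = re.sub(r"&#0*(\d+);?", lambda m: chr(int(m.group(1))), s)
    s = re.sub(r"[=%]([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)
    return s


def find_bad_links(text: str, pattern=None) -> list:
    """All plain or obfuscated (ht|f)tp(s) links ending in a blocked extension."""
    pattern = pattern or build_pattern()
    return [normalize(m.group(0)) for m in pattern.finditer(text)]


# The quoted-printable body Thomas posted, reproduced as a constructed string;
# the soft line breaks are the "=\n" at line ends.
SAMPLE_QP = (
    '<html><head><style type=3D"text/css"><!-- DIV {margin:0px;}\n'
    '--></style></he=\n'
    'ad><body><div style=3D"font-family:times new roman, new york, times, serif;=\n'
    'font-size:12pt"><DIV><A href=3D"\n'
    'http://www.t-online.de/test/haouse/woister.=\n'
    'scr">http://www.t-online.de/test/haouse/woister.scr\n'
    '</A></DIV>=0A<DIV>&nbsp;=\n'
    '</DIV>=0A<DIV></DIV></div><br></body></html>\n'
)

if __name__ == "__main__":
    # The href (split by "=\n") and the visible link text are both reported.
    for hit in find_bad_links(SAMPLE_QP):
        print("would block:", hit)
```

The href in the posted sample is only caught because the soft break is allowed between `woister.` and `scr`; the one-line "simple" form `(?:ht|f)tps?\:\/\/[^\x00-\x1F\x7F-\xFF]{10,}?\.scr` cannot cross the newline and would see only the plain copy in the link text. Keep the body quantifier lazy as in the posted regex; a greedy one would run to the last `.scr` on the line and can cost a lot of backtracking on long HTML lines.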
