Hi there,
On Mon, 19 Sep 2011 Michael Orlitzky wrote:
On 09/16/11 11:53, G.W. Haywood wrote:
Is this one for Mr. Basford, or does it have wider implications?
...
An IP address is a number between 0 and 2^32 (more or less).
There are plenty of ways to represent them.
Unless it's an IPv6
A hostname cannot be all digits and except when the IP is used there
will be a TLD, so if you see a pattern such as
http:// 123456789/ cgi-bin/innocent_code.pl
(Ignore the spaces; they are there to let this post slip by most antispam
detection) then you can surmise it is an attempt at
On 09/19/11 08:18, G.W. Haywood wrote:
Nah, after thirty-odd years I can do it in my head with dotted quads. :)
Yeah but I'll bet you imagine the bits still =)
But the point remains, this is a pretty obvious and easy target for
any scanner which is looking for malicious activity, so
On 9/19/2011 11:46 AM, Michael Orlitzky wrote:
A hostname cannot be all digits and except when the IP is used there
will be a TLD, so if you see a pattern such as
http:// 123456789/ cgi-bin/innocent_code.pl
(Ignore the spaces; they are there to let this post slip by most antispam
On 09/19/11 12:04, Bowie Bailey wrote:
He is not trying to match the IP address. He is trying to match an
unusual way of presenting the IP address that seems to occur primarily
in spam.
Whether this is something that should be done in ClamAV or would be
better done by something like
On 9/19/2011 12:16 PM, Michael Orlitzky wrote:
On 09/19/11 12:04, Bowie Bailey wrote:
He is not trying to match the IP address. He is trying to match an
unusual way of presenting the IP address that seems to occur primarily
in spam.
Whether this is something that should be done in ClamAV or
On Sep 19, 2011, at 12:04 PM, Bowie Bailey wrote:
On 9/19/2011 11:46 AM, Michael Orlitzky wrote:
A hostname cannot be all digits and except when the IP is used there
will be a TLD, so if you see a pattern such as
http:// 123456789/ cgi-bin/innocent_code.pl
(Ignore the spaces; they are
On Mon, 2011-09-19 at 12:40 -0400, Bowie Bailey wrote:
On 9/19/2011 12:16 PM, Michael Orlitzky wrote:
On 09/19/11 12:04, Bowie Bailey wrote:
He is not trying to match the IP address. He is trying to match an
unusual way of presenting the IP address that seems to occur primarily
in spam.
On Mon, Sep 19, 2011 at 6:46 PM, Bernd Petrovitsch
be...@petrovitsch.priv.at wrote:
That's the whole problem as both are legal and correct (as in
RFC-compliant) form.
And you want to flag it as spam?
Regardless of form I would call it spam since I've never seen legit
numeric links. I've had my
On 9/19/2011 12:46 PM, Bernd Petrovitsch wrote:
On Mon, 2011-09-19 at 12:40 -0400, Bowie Bailey wrote:
On 9/19/2011 12:16 PM, Michael Orlitzky wrote:
On 09/19/11 12:04, Bowie Bailey wrote:
He is not trying to match the IP address. He is trying to match an
unusual way of presenting the IP
On Sep 19, 2011, at 19:04, Bowie Bailey bowie_bai...@buc.com wrote:
On 9/19/2011 11:46 AM, Michael Orlitzky wrote:
A hostname cannot be all digits and except when the IP is used there
will be a TLD, so if you see a pattern such as
http:// 123456789/ cgi-bin/innocent_code.pl
(Ignore
On 9/19/11 8:46 AM, Michael Orlitzky wrote:
A hostname cannot be all digits and except when the IP is used there
will be a TLD, so if you see a pattern such as
http:// 123456789/ cgi-bin/innocent_code.pl
(Ignore the spaces; they are there to let this post slip by most antispam
detection)
On 9/19/2011 2:33 PM, Török Edwin wrote:
Try adding this to a local.pdb file in your dbdir (untested):
R:[0-9]{1,10}(\.[0-9]{1,10}){0,2}:.+
Of course you can improve the regex to detect hexadecimal encoded numbers,
etc.
My IP v4 v6 regex from the CCEE patchset.
On 09/16/11 11:53, G.W. Haywood wrote:
The string 11064393 concatenated after the string 95. is converted
without fuss by browsers to the IP address of the criminal server.
I use most of the third party databases available for ClamAV. Using
clamscan I scanned the text in its original form
On 9/18/11 6:41 PM, Michael Orlitzky wrote:
On 09/16/11 11:53, G.W. Haywood wrote:
The string 11064393 concatenated after the string 95. is converted
without fuss by browsers to the IP address of the criminal server.
I use most of the third party databases available for ClamAV. Using
Hi there,
At about 1300 GMT today one of my mailservers rejected a message as
being an obvious scam. As it happened I took a look at it. It's a
typical bank phishing attempt.
Here's a part of the mail which includes a part of the link which the
reader is invited to visit. Obviously I've