On Fri, 5 Mar 2004, Loren Wilton wrote:
> This puppy just made it through. Other than feeding it to Bayes (which I
> have just done) and some misspellings of common drugz, there doesn';t seem
> to be a whole lot to go on here.
[snip..]
>
> ------=_NextPart_000_0017_42A8EEC1.D2772C42
> Content-Type: text/plain
> Content-Transfer-Encoding: 7bit
>
> Well well!
> Liberty is the right to choose, freedom is the result of that choice.
> Lwilton, looking for a place to purchase medicatiQoxn?
> Greatest ViagWyra and Cialydis
> Quick weight (hemispheroidal plyers) loss and anti-depressant meedication!
> Best cost on ValiuuGm and XanaNnx
> Best deals, 80 pcenert off!
> We ship wlordwide
>
> Here you will find it:
> http://individualizingly.selcydc.com/d13/index.php?id=d13
> You are completely anonymous!
[snip..]
> ------=_NextPart_000_0017_42A8EEC1.D2772C42
> Content-Type: text/html
> Content-Transfer-Encoding: quoted-printable
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4=2e0 Transitional//EN">
> <HTML><HEAD>
> <META http-equiv=3dContent-Type content=3d"text/html; charset=3dwindows-1=
> 250">
> <META content=3d"MSHTML 6=2e00=2e2462=2e0000" name=3dGENERATOR>
> <STYLE></STYLE>
> </HEAD>
> <BODY bgColor=3d#ffffff>
> <DIV>What's so good about it? :)<BR>The early bird gets the worm=2e</DIV>=
>
> <DIV><BR>Lwilton, looking for a place to get medicatitpon?<BR>Cheap ViagV=
> Cra and Cialvgis=2e<BR>
> Fast weight (nonenvious fantocine) loss and antidepressant medicatimfon!<=
> BR>Best price on Valiuatm and XanaLjx=2e<BR>
> Super deals, 80 pnceert off!<BR>We are able to ship wdrolwide<BR><BR>Here=
> you will find it:<BR><A=20
> href=3d"http://impertinent=2eselcydc=2ecom/d13/index=2ephp?id=3dd13">http=
> ://selcydc=2ecom/d13/index=2ephp?id=3dd13</A><BR>You are really anonymou=
> s!</DIV>
try these 3 rules:
uri L_MEDS_SITE /\bselcydc\.com\b/i
describe L_MEDS_SITE Web site associated with bogus meds sales
score L_MEDS_SITE 3.0
body L_BOGUS_QP /\b=2e(?:com|biz|info|net)[:\/]\b/
describe L_BOGUS_QP Bogus QuotedPrintable encoding
score L_BOGUS_QP 0.4
body L_FAKE_MEDS_6 /\bYou are {1,2}(?:completely|really|truely) anonymous!/
describe L_FAKE_MEDS_6 Phrase associated with fake MED scam #6
score L_FAKE_MEDS_6 4.3
Note, do NOT make the L_BOGUS_QP regex case insensitive (i.e. no /i at
end of regex). "=2E" is valid QP encoding, "=2e" is not. As that could be
produced by anybody's brain-dead mail client, I don't hit it too hard
(just want to add 'little cuts' to this piece of trash ;).
Put them in your local.cf or other '.cf' file in your SA rules directory.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
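The three rules from the post, exercised outside SpamAssassin as an added Python example (this is not code from the post, and it does not reproduce SpamAssassin's own rule engine): it transcribes the patterns, runs them over the undecoded text parts of a constructed sample message modelled on the quoted spam, and separately lists lowercase quoted-printable escapes so the "=2e" versus "=2E" case-sensitivity point can be checked. The sample message, the helper names and the one-hit-per-rule scoring loop are assumptions made for the example.

```python
import re
from email import message_from_string

# The three rules from the post, transcribed as (name, compiled regex, score).
# L_BOGUS_QP is compiled WITHOUT re.I on purpose: "=2E" is legitimate
# quoted-printable, so only the lowercase "=2e" form should score.
RULES = [
    ("L_MEDS_SITE", re.compile(r"\bselcydc\.com\b", re.I), 3.0),
    ("L_BOGUS_QP", re.compile(r"\b=2e(?:com|biz|info|net)[:\/]\b"), 0.4),
    ("L_FAKE_MEDS_6",
     re.compile(r"\bYou are {1,2}(?:completely|really|truely) anonymous!"), 4.3),
]

# Constructed sample message (not the original spam): a cut-down multipart
# body carrying the same shapes the rules target.
SAMPLE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: Well well!
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Here you will find it:
http://individualizingly.selcydc.com/d13/index.php?id=d13
You are completely anonymous!
--BOUNDARY
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<A href=3d"http://impertinent=2eselcydc=2ecom/d13/index=2ephp?id=3dd13">here</A>
--BOUNDARY--
"""


def rule_hits(text):
    """Return the names of rules whose pattern matches the given text."""
    return {name for name, rx, _ in RULES if rx.search(text)}


def raw_text_parts(raw_message):
    """Yield the undecoded payload of every text/* MIME part."""
    msg = message_from_string(raw_message)
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_payload(decode=False)


def score_message(raw_message):
    """Apply the rules to each raw text part; each rule scores at most once."""
    hits = {}
    for text in raw_text_parts(raw_message):
        for name, rx, score in RULES:
            if name not in hits and rx.search(text):
                hits[name] = score
    return hits


def lowercase_qp_escapes(text):
    """List '=XX' escapes written with lowercase hex digits. RFC 2045 requires
    encoders to emit uppercase; decoders may still accept lowercase."""
    return [tok for tok in re.findall(r"=[0-9A-Fa-f]{2}", text) if tok != tok.upper()]


def bogus_qp_in_message(raw_message):
    """Collect lowercase escapes, but only from parts that claim to be QP-encoded
    (a bare '=d1' in a 7bit part is not an escape at all)."""
    msg = message_from_string(raw_message)
    found = []
    for part in msg.walk():
        if part.get("Content-Transfer-Encoding", "").lower() == "quoted-printable":
            found.extend(lowercase_qp_escapes(part.get_payload(decode=False)))
    return found


if __name__ == "__main__":
    hits = score_message(SAMPLE)
    for name, score in sorted(hits.items()):
        print(f"{name:14s} {score:4.1f}")
    print(f"total {sum(hits.values()):.1f}")
    print("lowercase QP escapes:", bogus_qp_in_message(SAMPLE))
```

In SpamAssassin itself, `body` rules are evaluated against the decoded, rendered text and `rawbody` rules against the undecoded MIME part, so which of the two a rule is declared as determines whether an encoded form such as `=2e` is still visible to it; the example above deliberately matches on the raw part so the L_BOGUS_QP pattern has something to see.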