I've added these rules to KAM.cf and would appreciate feedback.

#MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea
 #NUL
header   __KAM_MAILSPLOIT1   From =~ /[\0]/
describe __KAM_MAILSPLOIT1   RFC2047 Exploit https://www.mailsploit.com/index

 #\n Multiple in the From Header
header   __KAM_MAILSPLOIT2    From =~ /[\n]/
describe __KAM_MAILSPLOIT2    RFC2047 Exploit https://www.mailsploit.com/index
tflags   __KAM_MAILSPLOIT2    multiple maxhits=2

meta            KAM_MAILSPLOIT  (__KAM_MAILSPLOIT1 || (__KAM_MAILSPLOIT2 >= 2))
describe        KAM_MAILSPLOIT  Mail triggers known exploits per mailsploit.com
score           KAM_MAILSPLOIT  10.0

Regards,
KAM
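
The check these rules express, as an added Python example (not part of the original post and not SpamAssassin code): decode the RFC 2047 encoded-words in a From value, then flag a NUL or two or more newlines. The function names and sample headers are constructed for illustration, and the input is assumed to be an already unfolded header value.

```python
import base64
import quopri
import re

# RFC 2047 encoded-word: =?charset?B-or-Q?payload?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")

def _decode_word(match):
    """Decode one encoded-word; leave it untouched if it is malformed."""
    charset, encoding, payload = match.groups()
    try:
        if encoding in "bB":
            raw = base64.b64decode(payload + "=" * (-len(payload) % 4))
        else:
            raw = quopri.decodestring(payload.encode("ascii"), header=True)
        return raw.decode(charset, errors="replace")
    except (ValueError, LookupError):  # bad base64, non-ASCII payload, unknown charset
        return match.group(0)

def decode_from(value):
    """Return the From value with every encoded-word replaced by its text."""
    return ENCODED_WORD.sub(_decode_word, value)

def mailsploit_hits(value):
    """Mirror the two sub-rules: (NUL present, newline count capped at 2)."""
    text = decode_from(value)
    return "\0" in text, min(text.count("\n"), 2)

def kam_mailsploit(value):
    """Mirror the meta rule: a NUL, or at least two newlines."""
    has_nul, newlines = mailsploit_hits(value)
    return has_nul or newlines >= 2

# Constructed sample From values (hypothetical, not taken from real mail).
SAMPLES = {
    "clean": '"Alice Example" <alice@example.com>',
    "nul_q": "=?utf-8?Q?alice=40example.com=00?= <sender@example.net>",
    "nul_b": "=?utf-8?b?YQA=?= <sender@example.net>",
    "one_newline": "=?utf-8?Q?alice=0A?= <sender@example.net>",
    "two_newlines": "=?utf-8?Q?alice=0Aline=0A?= <sender@example.net>",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:13} hits={mailsploit_hits(value)} flagged={kam_mailsploit(value)}")
```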
