On Sat, 10 Nov 2012, Marc Perkel wrote:

> On 11/10/2012 8:57 AM, John Hardin wrote:
>>>> How much are you seeing these in real traffic?
>>> I'm seeing a lot of these. They are coming from stolen Yahoo accounts from
>>> back when Yahoo leaked their database. They appear to come from friends of
>>> mine.
>> Oh, good (for certain values of "good"). I've added those rules to my
>> sandbox so maybe they will perform well enough to be published.
> Can you refine it so that there has to be something like at least 4 upper
> case characters in the URI to avoid false positives? For example:
> http://WellsFargo.com ok
> HttP: //WeLlSfaRgo.cOm not OK

Hrm. I'll have to think about that, that's fairly nontrivial.
If you are seeing specific domain names a lot then more rules like
URI_GOOG_MC could be written to catch them. Do they seem to concentrate on
some limited list of domain names (or variants like stuff containing
"google"), or are they all over the place? Feel free to contact me offlist
with a list of domain names and examples if they seem to be limited...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Any time law enforcement becomes a revenue center, the system
becomes corrupt.
-----------------------------------------------------------------------
Tomorrow: Veterans Day
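An added example, not part of the thread and not a rule from John's sandbox or the SpamAssassin rule set: a small Python scanner that implements the check Marc asks for (at least four upper-case letters in the URI's scheme and host) and, as my own refinement, also counts case flips inside the host so that an all-caps host is not mistaken for mixed-case obfuscation. The regex-only form of the threshold is included because a SpamAssassin rule has to express the count as a pattern. The sample message body, the extra link cases and all function names are constructed for this example.

```python
import re

# Constructed sample message body (not from the thread). The first two links are
# the two cases Marc gave; the rest are extra cases added to show the edges.
SAMPLE_BODY = """\
Please review your statement at http://WellsFargo.com when you get a chance.
Or use HttP: //WeLlSfaRgo.cOm for the mobile version.
Reference doc: https://www.example.org/reports/Q3-Summary.PDF
Shouty but not obfuscated: HTTP://EXAMPLE.COM/
Obfuscated lookalike: hTtPs://AcCoUnTs.GoOgLe.cOm.example.net/login
"""

# Scheme and host only; the obfuscated sample in the thread puts whitespace
# after the colon ("HttP: //"), so allow optional whitespace on both sides.
URI_RE = re.compile(
    r'(?P<scheme>https?)\s*:\s*//(?P<host>[^\s/?#<>"\']+)',
    re.IGNORECASE,
)


def upper_threshold_regex(n):
    """Regex-only form of "at least n upper-case letters", the shape a
    SpamAssassin rule needs. Deliberately case-sensitive: under /i the class
    [A-Z] would also match lower case and the rule would fire on everything."""
    return re.compile(r'(?:[^A-Z]*[A-Z]){%d}' % n)


def upper_count(text):
    """Number of upper-case letters in the scheme+host string."""
    return sum(1 for c in text if c.isupper())


def case_flips(text):
    """Letter-to-letter case changes; punctuation is skipped.

    'WellsFargo' has 3 flips, 'WeLlSfaRgo' has 7. This is the added refinement:
    an all-caps host such as EXAMPLE.COM passes the upper-case threshold but has
    zero flips, so it is not mixed-case obfuscation.
    """
    letters = [c for c in text if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:])
               if a.isupper() != b.isupper())


def scan(body, min_upper=4, min_flips=4):
    """Return one record per URI with both counts and two verdicts:
    'threshold_only' is Marc's proposal as stated, 'flagged' adds the
    case-flip requirement on the host."""
    threshold = upper_threshold_regex(min_upper)
    results = []
    for m in URI_RE.finditer(body):
        scheme_host = m.group('scheme') + m.group('host')
        upper = upper_count(scheme_host)
        flips = case_flips(m.group('host'))
        results.append({
            'uri': m.group(0),
            'upper': upper,
            'flips': flips,
            'threshold_only': threshold.search(scheme_host) is not None,
            'flagged': upper >= min_upper and flips >= min_flips,
        })
    return results


if __name__ == '__main__':
    for r in scan(SAMPLE_BODY):
        tag = 'FLAG' if r['flagged'] else 'ok  '
        print(f"{tag} upper={r['upper']:2d} flips={r['flips']:2d} {r['uri']}")
```

Run against the sample body, the WellsFargo link stays clean (two upper-case letters), the WeLlSfaRgo link is flagged under both verdicts, and the all-caps EXAMPLE.COM link shows where the two verdicts part ways: the bare threshold fires on it, the flip count does not.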