It seems from the web site, one can use ClamAV and SaneSecurity to add extra signatures. Would it not be more efficient? http://sanesecurity.com/usage/signatures/
-----Original Message----- From: Axb [mailto:axb.li...@gmail.com] Sent: 02 September 2015 09:55 To: users@spamassassin.apache.org Subject: Re: URIDNSBL but with full URL On 09/02/15 10:44, Reindl Harald wrote: > > > Am 02.09.2015 um 10:23 schrieb Axb: >> On 09/02/15 09:51, Olivier Nicole wrote: >>> Hi, >>> >>> I am looking at malware patrol, but they offer a list of over 300,000 >>> rules, that is way too big. >>> >>> So I was considering using it in a URIDNSBL type of way, but including >>> the full URL, not only the host part. It should be able to accept things >>> like foo.example.com:81/directory/foo?something >>> >>> Does that exist already? >> >> that doesn't exist, publicly... >> >> There are many reasons why running this isn't trivial either. >> >> - tracking IDs/unique identifiers in URLs >> - *can* cause massive scanning overhead >> - depending on special cases, DNS spec limitations. >> etc, etc.. >> >> What problem are you trying to solve which cannot be solved with "known" >> methods? > > on example would be a URL for masshosting / freehosting in the way of > http://hosterdomain/username/ where URIBL over the whole domain is not > correct just because one user account was hacked and malware placed there "yes & no & maybe" because "/username/" will never notice "/hosterdomain/" is responsible and *may* notice and act if blacklisted > > in general it would make sense at least be specific to subdomains and > the first folder in some cases on the listing side, drawback would be > more URIBL requests for each possible variant believe me, don't underestimate the requirements to do this.
smime.p7s
Description: S/MIME cryptographic signature
