List: spamassassin-users
Subject: R: ransomware URI list
From: Nicola Piazzi <Nicola.Piazzi () gruppocomet ! it>
Date: 2016-10-14 9:13:09
Message-ID: 86077fb647da42db96d10e6c7a82c44b () gruppocomet ! it
But not all of RW_URLBL.txt is contained in RW_DOMBL.txt, and vice versa.
For example 25z5g623wpqpdwis.onion.to doesn't have a match in RW_URLBL.txt.
And if I extract from http://01ad681.netsolhost.com/7j0jlq3 the domain 01ad681.netsolhost.com, it is not in RW_DOMBL.txt.
?!
Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna – Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it
-----Original message-----
From: Axb [mailto:axb.lists@gmail.com]
Sent: Friday, 14 October 2016 10:41
To: users@spamassassin.apache.org
Subject: Re: ransomware URI list
On 10/14/2016 10:30 AM, Nicola Piazzi wrote:
> ABUSE.CH maintains an updated list of ransomware URLs; here is the txt file link:
> https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt
>
> It is very simple to make a shell script that checks for file changes every hour, downloads the file if there is a new one, and writes a rule .cf using the data contained in the file.
> But how to write a rule?
> We have more than 4000 URIs in the file; we can do a single rule like this, separating the URIs with | :
> uri URIRAMS /http:\/\/1natureresort\.com\/afdIJGY8766gyu|http:\/\/1jamprofit\.com\/hjy93JNBasdas/
> describe URIRAMS Match a Ransomware URI
> score URIRAMS 5.00
>
> or is it better to separate each URI:
>
> uri __URIRAMS00001 /http:\/\/1natureresort\.com\/afdIJGY8766gyu/
> uri __URIRAMS00002 /http:\/\/1jamprofit\.com\/hjy93JNBasdas/
> meta URIRAMS (__URIRAMS00001 | __URIRAMS00002)
> describe URIRAMS Match a Ransomware URI
> score URIRAMS 5.00
>
> Obviously this example is related to 2 entries, and we have 4000 entries here .....
> Any suggestion?
Performance-wise, best is to use a domain list in a local instance of rbldnsd. Sadly abuse.ch only publishes subdomain.example.net instead of example.net, so you'd have to do some scripted editing to remove the subdomain.
If you want to use static rules, base them on https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt, use __URI_BLAH and meta them together.
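As an added example (not code from this thread, from abuse.ch or from the SpamAssassin project), the script below does the cross-check Nicola describes between the two list files and then emits the `__URIRAMS_nnnnn` uri subrules plus the scoring meta rule that Axb suggests. The list contents are constructed from the entries quoted in the thread, the rule names and the host-matching regex form are my own choice, and matching is done on the full hostname as published (no subdomain stripping).

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins for RW_URLBL.txt and RW_DOMBL.txt (abuse.ch publishes one
# entry per line, '#' for comments). The entries are the ones quoted in this thread.
URLBL_SAMPLE = """# Ransomware URL blocklist (constructed sample)
http://1natureresort.com/afdIJGY8766gyu
http://1jamprofit.com/hjy93JNBasdas
http://01ad681.netsolhost.com/7j0jlq3
"""
DOMBL_SAMPLE = """# Ransomware domain blocklist (constructed sample)
1natureresort.com
1jamprofit.com
25z5g623wpqpdwis.onion.to
"""

def entries(text):
    """Non-empty, non-comment lines of an abuse.ch list file."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]

def host_of(entry):
    """Lower-cased hostname of a URL entry (a bare hostname is accepted too)."""
    url = entry if "://" in entry else "http://" + entry
    return urlsplit(url).hostname.lower()

def cross_check(urlbl_text, dombl_text):
    """(hosts only in RW_URLBL, hosts only in RW_DOMBL): the mismatch noted above."""
    url_hosts = {host_of(e) for e in entries(urlbl_text)}
    dom_hosts = {host_of(e) for e in entries(dombl_text)}
    return sorted(url_hosts - dom_hosts), sorted(dom_hosts - url_hosts)

def spamassassin_rules(hosts, name="URIRAMS", score=5.0):
    """One __NAME_nnnnn uri subrule per host, OR'ed together by one scoring meta rule."""
    subs, out = [], []
    for i, host in enumerate(sorted(set(hosts)), 1):
        sub = f"__{name}_{i:05d}"
        subs.append(sub)
        # Match the listed host, or any subdomain of it, as the URI's authority part.
        out.append(f"uri {sub} /^https?:\\/\\/([^\\/]+\\.)?{re.escape(host)}(\\/|:|$)/i")
    out.append(f"meta {name} ({' || '.join(subs)})")
    out.append(f"describe {name} URI host listed in the abuse.ch ransomware tracker")
    out.append(f"score {name} {score:.2f}")
    return "\n".join(out) + "\n"

def rule_regex(rule_line):
    """Compile the /pattern/i of a generated 'uri NAME /pattern/i' line for testing."""
    return re.compile(rule_line.split(" ", 2)[2][1:-2], re.I)
```

With the 4000-entry files the meta rule becomes a long `||` expression; generating it from the union of both lists avoids the gaps between RW_URLBL and RW_DOMBL that the reply above points out.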