
List:       spamassassin-users
Subject:    R: ramsonware URI list
From:       Nicola Piazzi <Nicola.Piazzi () gruppocomet ! it>
Date:       2016-10-14 9:13:09
Message-ID: 86077fb647da42db96d10e6c7a82c44b () gruppocomet ! it

But not all of RW_URLBL.txt is contained in RW_DOMBL.txt, and vice versa.

For example, 25z5g623wpqpdwis.onion.to has no match in RW_URLBL.txt.

And if I extract the domain 01ad681.netsolhost.com from http://01ad681.netsolhost.com/7j0jlq3, it is not in RW_DOMBL.txt.

?!




Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna – Italia
Tel.   +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it


-----Original Message-----
From: Axb [mailto:axb.lists@gmail.com]
Sent: Friday, 14 October 2016 10:41
To: users@spamassassin.apache.org
Subject: Re: ramsonware URI list

On 10/14/2016 10:30 AM, Nicola Piazzi wrote:
> ABUSE.CH maintains an updated ransomware list; here is the txt file link:
> https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt
> 
> It is very simple to make a shell script that checks for file changes every hour,
> downloads the file if there is a new one, and writes a rule .cf using the data contained
> in the file.
> But how to write a rule?
> We have more than 4000 URIs in the file; we can do a single rule like this,
> separating the URIs with |:
>
> uri URIRAMS /http:\/\/1natureresort\.com\/afdIJGY8766gyu|http:\/\/1jamprofit\.com\/hjy93JNBasdas/
> describe URIRAMS Match a Ransomware URI
> score URIRAMS 5.00
> 
> or is it better to separate each URI:
> 
> uri __URIRAMS00001 /http:\/\/1natureresort\.com\/afdIJGY8766gyu/
> uri __URIRAMS00002 /http:\/\/1jamprofit\.com\/hjy93JNBasdas/
> meta URIRAMS (__URIRAMS00001 | __URIRAMS00002)
> describe URIRAMS Match a Ransomware URI
> score URIRAMS 5.00
> 
> Obviously this example covers 2 entries, and we have 4000 entries here .....
> Any suggestion?

Performance-wise, the best is to use a domain list in a local instance of rbldnsd. Sadly
abuse.ch only publishes subdomain.example.net instead of example.net, so you'd have to
do some scripted editing to remove the subdomain.

If you want to use static rules, base them on
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt,

use __URI_BLAH and meta them together.
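An added example, not from this thread nor from abuse.ch or the SpamAssassin project, of the generator the two posts describe: it parses a constructed list in the abuse.ch layout, escapes entries for SpamAssassin /.../ rules, and emits chunked __URIRAMS subrules joined by a meta rule, either as exact URLs (Nicola's form) or as domains with their subdomains (Axb's suggestion). The uri/meta/describe/score syntax is the page's; the rule names, chunk size, sample entries and helper names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the abuse.ch list layout ('#' comments, one URL per line); not real data.
SAMPLE_URLBL = """\
# Ransomware Tracker URL blocklist (constructed sample)
http://1natureresort.com/afdIJGY8766gyu
http://1jamprofit.com/hjy93JNBasdas
http://01ad681.netsolhost.com/7j0jlq3
"""

def parse_list(text):
    """Non-empty, non-comment entries of an abuse.ch style list (RW_URLBL.txt or RW_DOMBL.txt)."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def sa_escape(s):
    """Escape regex metacharacters and the '/' rule delimiter for a SpamAssassin /.../ rule."""
    return re.sub(r"([\\.^$*+?()\[\]{}|/])", r"\\\1", s)

def hostnames(entries):
    """Sorted unique hostnames: URL entries reduced to their host, bare hostnames kept."""
    hosts = {(urlsplit(e).hostname or "") if "://" in e else e for e in entries}
    return sorted(h.lower() for h in hosts if h)

def host_pattern(host):
    """Pattern for a URI whose host is `host` or a subdomain of it; names that merely
    contain it (netsolhost.community, netsolhost.com.example) must not match."""
    return r"\/\/(?:[^\/]*\.)?" + sa_escape(host) + r"(?![\w.-])"

def uri_matches(pattern, uri):
    """Check one pattern against one URI (Perl-compatible syntax only, so re suffices)."""
    return re.search(pattern, uri) is not None

def generate_cf(patterns, name, describe, score=5.0, chunk=500):
    """One __<name>_NNNN uri subrule per `chunk` alternations, OR'd together by a meta rule."""
    lines, subs = [], []
    for i in range(0, len(patterns), chunk):
        sub = f"__{name}_{i // chunk + 1:04d}"
        subs.append(sub)
        lines.append(f"uri {sub} /{'|'.join(patterns[i:i + chunk])}/")
    lines += [f"meta {name} ({' || '.join(subs)})",
              f"describe {name} {describe}", f"score {name} {score:.2f}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    entries = parse_list(SAMPLE_URLBL)
    print(generate_cf([sa_escape(e) for e in entries], "URIRAMS", "Match a ransomware URI"))
    print(generate_cf([host_pattern(h) for h in hostnames(entries)], "URIRAMS_DOM", "Ransomware domain in URI"))
```

Chunking keeps each compiled regex to a few hundred alternations instead of one 4000-way rule or 4000 named rules, and host_pattern avoids the substring hits a bare escaped hostname would produce.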

