Spamfilter updates / LOI worm

Post by **Syzop** » Thu Apr 01, 2004 4:03 am

From now on I'll mention here if we add a new rule...

Just added a rule for a new trojan presumably called LOI...
I was a bit suspicious about this report at first (it's April 1st after all), but just confirmed on a sandbox myself that it is real.. exploits an IE/mplayer vuln or something.

Code: Select all

spamfilter {
        regex ".*(http://jokes\.clubdepeche\.com|http://horny\.69sexy\.net|http://private\.a123sdsdssddddgfg\.com).*";
        target private;
        action block;
        reason "Infected by LOI trojan"; /* Name is still unsure */
};

Also >1 week ago (I think?) some rules were added for the NKie worm (matrix 2 blabla / stop spam blabla use this command / to get ops use this hack etc...)

codemastr · Post by **codemastr** » Thu Apr 01, 2004 4:19 am

I didn't test, but I'm 99% sure you need:

Code: Select all

regex ".*(http://jokes\.clubdepeche\.com)|(http://horny\.69sexy\.net)|(http://private\.a123sdsdssddddgfg\.com).*";

I think without it, it means "m or h" and "t or h" when the | is used. Like I said though, I didn't test.

Post by **Syzop** » Thu Apr 01, 2004 5:44 pm

don't think so... AFAIK a regex like 'alpha|beta' is an 'OR' for the word/whatever and not characters (I guess there's [] for that).
so 'Tux (ownz|rulez)' etc...

(tested it too)