These are old archives. They are kept for historic purposes only.
Jay
Posts: 11 Joined: Sat Mar 06, 2004 2:10 am
Post
by Jay » Tue Mar 09, 2004 12:37 pm
Code: Select all
spamfilter {
regex "^porn! porno! http://.+\/sexo.exe";
target { private; };
action gline;
reason "TRJ/SOEX.A Trojan Detected, http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SOEX.A";
ban-time 1d;
};
I got these spammers on my network, it's not really a harmfull bot, cause the .exe file mostly can't execute (bad programming)
Hope the regex is acceptable.
codemastr
Former UnrealIRCd head coder
Posts: 811 Joined: Sat Mar 06, 2004 8:47 pm
Location: United States
Contact:
Post
by codemastr » Tue Mar 09, 2004 4:36 pm
Looks good except,
sexo.exe";
That should probably be sexo\.exe
Since . is a special character in a regex.
-- codemastr
Syzop
UnrealIRCd head coder
Posts: 2112 Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:
Post
by Syzop » Tue Mar 09, 2004 8:51 pm
Thanks, added in CVS :)
Code: Select all
spamfilter {
regex "^porn! porno! http://.+\/sexo\.exe";
target private;
action block;
reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A";
};
(note that _ gets translated into a space, so I just use %5F for now, I'll see if I can make __ [double underscore] translate into _ :P)
APCyberax
Post
by APCyberax » Tue May 18, 2004 6:44 am
I've spotted the follow mask sould catch them all.
http://*.*.*.*:*/*.exe
how sure if this would catch to many things but it seems like a sound idea.
what you people think?
aquanight
Official supporter
Posts: 862 Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID
Post
by aquanight » Tue May 18, 2004 1:43 pm
Well that would certainly block sending any URL ending in .exe if not for the fact that that is not correct regex sytnax. It should be:
http://.+\..+\..+\..+:.+/.*\.exe