Brielle Bruns 2 years ago
commit
576a9fd9a8
7 changed files with 184 additions and 0 deletions
  1. +41
    -0
      10_whitelist.cf
  2. +56
    -0
      20_known_abusers.cf
  3. +1
    -0
      25_spam_from.cf
  4. +17
    -0
      30_virus.cf
  5. +32
    -0
      40_spam_patterns.cf
  6. +0
    -0
      README
  7. +37
    -0
      build.sh

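--- a/10_whitelist.cf
+++ b/10_whitelist.cf
@@ -0,0 +1,41 @@
+# Whitelist rules
+
+# SOSDG/AHBL rules
+whitelist_from_rcvd *@ahbl.org sosdg.org
+whitelist_from_rcvd *@sosdg.org sosdg.org
+whitelist_from_rcvd *@2mbit.com sosdg.org
+whitelist_from_rcvd *@lists.sosdg.org sosdg.org
+
+# Mailing Lists
+whitelist_from_rcvd *@freelists.org iquest.net
+whitelist_from_rcvd *@spam-l.com mfn.org
+whitelist_from_rcvd *@spam-l.com spam-l.com
+whitelist_from_rcvd *@spam-l.com gas-net.org
+whitelist_from_rcvd *@nanog.org nanog.org
+whitelist_from_rcvd *@merit.edu nanog.org
+whitelist_from_rcvd *@spammers.dontlike.us domainmail.org
+
+# SOSDG/AHBL friends and whitehat providers
+whitelist_from_rcvd *@wiztech.biz sosdg.org
+whitelist_from_rcvd *@lists.wiztech.biz sosdg.org
+
+#DomainTools
+whitelist_from_rcvd *@domaintools.com nameintel.com
+
+#Bethesda emails from amazonses
+whitelist_from_rcvd *@bethesda.net amazonses.com
+
+#Hubspot
+whitelist_from_rcvd *@*.hubspot.com hubspot.com
+whitelist_from_rcvd *@*.hubspot.com hubspotemail.net
+
+#Known good ecommerce sites and associated companies
+whitelist_from_rcvd *@obtainsurplus.com obtainium.biz
+whitelist_from_rcvd *@obtainium.biz obtainium.biz
+whitelist_from_rcvd *@reuseum.com obtainium.biz
+whitelist_from_rcvd *@reuseum.org obtainium.biz
+whitelist_from_rcvd *@reuseum.com reuseum.com
+whitelist_from_rcvd *@reuseum.org reuseum.com
+whitelist_from_rcvd *@bigcommerce.com bigcommerce.com
+whitelist_from_rcvd *@salesandorders.com outlook.com
+whitelist_from_rcvd *@sixbitsoftware.com emailsrvr.com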
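Review bot: The entries that pair a sender domain with a shared provider's relay rDNS — amazonses.com for bethesda.net, outlook.com for salesandorders.com, emailsrvr.com for sixbitsoftware.com — only verify that the message passed through that provider, which any other customer of the same provider can also arrange with a forged From: header, so the whitelist score can be claimed by an unrelated tenant. Where the sender publishes DKIM or SPF, `whitelist_from_dkim *@bethesda.net` (or `whitelist_from_spf`) ties the exemption to the sender's own domain rather than the relay's; the entries whose rDNS domain is the sender's own (sosdg.org, nanog.org, hubspot.com) do not have this weakness. A one-line comment above those three entries stating that the relay domain is shared infrastructure would let the next maintainer weigh the risk without re-deriving it.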

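--- a/20_known_abusers.cf
+++ b/20_known_abusers.cf
@@ -0,0 +1,56 @@
+# Known Richard Scoville, Mike McAllister mail froms used to harass people
+blacklist_from therealkmanhere@gmail.com
+blacklist_from canadiantaxman.ca@gmail.com
+blacklist_from DarrellLarose.ca@gmail.com
+blacklist_from canadiantaxman.ca@gmail.com
+blacklist_from dioguardi.taxlaw@gmail.com
+blacklist_from CanadianISPExec@gmail.com
+blacklist_from keithcp1@gmail.com
+blacklist_from peter.m.taticek@gmail.com
+blacklist_from susanwigle@gmail.com
+blacklist_from thefreespeechstore@gmail.com
+blacklist_from canadianisp.ca@gmail.com
+blacklist_from *@freespeechstore.com
+blacklist_from *@thefreespeechstore.com
+blacklist_from brian.brielle.bruns@gmail.com
+blacklist_from stay.clear.ntuit@gmail.com
+blacklist_from justcanadian242@googlemail.com
+blacklist_from ceo.freespeechstore@gmail.com
+blacklist_from davidnbrown80.mesa@gmail.com
+
+
+# Known addresses of Jamie Baillie mail froms used to harass and mailbomb providers
+blacklist_from theusenet@yahoo.ca
+blacklist_from *@darkshado.ca
+blacklist_from nanaestalkers@yahoo.ca
+
+# Andrew Stephens many sock puppets (See NANAE flood)
+blacklist_from wiomoudr@anonymbox.com
+blacklist_from johnwilliams7896897@gmail.com
+blacklist_from timrobbins1957@gmail.com
+blacklist_from canspamrules@gmail.com
+blacklist_from suebarrymorestrikesagain@gmail.com
+blacklist_from stephensboy@gmail.com
+blacklist_from edataking@gmail.com
+blacklist_from verumtruth@gmail.com
+
+
+# Known spammed tinyurl.com links that abuse@ has not acted on
+uri SOSDG_SPAMMED_TINYURL1 /tinyurl.com\/(free-speech-store|bruns-kirch-ahbl-abuse|Ottawa-Three-Plus-Some)/i
+describe SOSDG_SPAMMED_TINYURL1 "Scoville/McAllister spammed tinyurl.com link"
+score SOSDG_SPAMMED_TINYURL1 2.0
+
+# Known spammed alturl.com links that abuse@ has not acted on
+uri SOSDG_SPAMMED_ALTURL1 /alturl.com\/zm639/i
+describe SOSDG_SPAMMED_ALTURL1 "Scoville/McAllister spammed alturl.com link"
+score SOSDG_SPAMMED_ALTURL1 2.0
+
+# Known spammed Google Groups posting hashes from Scoville/McAllister
+uri SOSDG_SPAMMED_GOOGLEGRPS1 /groups.google.com\/.*\/(f3accf97cdf69d0d|229fb46bf323d091|f3accf97cdf69d0d)/i
+describe SOSDG_SPAMMED_GOOGLEGRPS1 "Scoville/McAllister spammed Google Groups articles"
+score SOSDG_SPAMMED_GOOGLEGRPS1 2.0
+
+# Richard Scoville's Pay-Per-Libel website, used in spam runs
+uri SOSDG_SPAMMED_SCOVILLE1 /(freespeechstore.com|thefreespeechstore.com)/i
+describe SOSDG_SPAMMED_SCOVILLE1 "Richard Scoville's FreeSpeechStore website spammed"
+score SOSDG_SPAMMED_SCOVILLE1 2.0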
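Review bot: `blacklist_from canadiantaxman.ca@gmail.com` appears twice in the first block, and the SOSDG_SPAMMED_GOOGLEGRPS1 alternation lists `f3accf97cdf69d0d` at both ends, so one copy of each is dead and the two will drift apart if only one is edited later. The `.` in `tinyurl.com`, `alturl.com`, `groups.google.com` and the two freespeechstore hosts is an unescaped any-character; it is harmless for matching, but `tinyurl\.com\/` is the intended form, and in SOSDG_SPAMMED_SCOVILLE1 the second alternative is already covered by the first because `freespeechstore.com` is a substring of `thefreespeechstore.com`. The block headers record who the addresses belong to but not when they were added, so a date or ticket reference per block would let entries be expired instead of accumulating indefinitely.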

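--- a/25_spam_from.cf
+++ b/25_spam_from.cf
@@ -0,0 +1 @@
+blacklist_from robsavage19@hotmail.com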
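Review bot: This file has no header comment, unlike the other .cf files in the commit, so a reader cannot tell why the address is listed or when it can be dropped. A line such as `# Misc. spam senders matched on the From: header (blacklist_from scores +100); add a date per entry` above it would make the file self-describing and give a basis for pruning, since a From:-only match stops being useful as soon as the sender changes address.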

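--- a/30_virus.cf
+++ b/30_virus.cf
@@ -0,0 +1,17 @@
+# Subject: Your wife photos attached
+header SOSDG_VIRUS_WIFE1 Subject =~ /your (wife|wifes|wife's) (photo|photos) attached/i
+describe SOSDG_VIRUS_WIFE1 Subject is common virus/trojan sign
+score SOSDG_VIRUS_WIFE1 3.0
+
+body __LOCKY_TEST1 /I am sending copies of the documents as attachments/i
+body __LOCKY_TEST2 /Thank you very much for your reply/i
+body __LOCKY_TEST3 /I have attached the financial report you requested./i
+body __LOCKY_TEST4 /I am sending you the invoice you requested/i
+body __LOCKY_TEST5 /Attached please find the documents you requested/i
+body __LOCKY_TEST6 /wrong data file you received from me/i
+body __LOCKY_TEST7 /attached is concerned with the company database/i
+
+mimeheader __ZIP_ATTACHED Content-Type =~ /zip/i
+meta SOSDG_LOCKY_RANSOMWARE1 (( __LOCKY_TEST1 + __LOCKY_TEST2 + __LOCKY_TEST3 + __LOCKY_TEST4 + __LOCKY_TEST5 + __LOCKY_TEST6 + __LOCKY_TEST7 + __ZIP_ATTACHED ) > 1)
+score SOSDG_LOCKY_RANSOMWARE1 4.0
+describe SOSDG_LOCKY_RANSOMWARE1 Common patterns for Locky ransomware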
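Review bot: The SOSDG_LOCKY_RANSOMWARE1 meta fires when any two of its eight subrules hit, and none of the body phrases depends on an attachment, so two generic phrases such as __LOCKY_TEST2 ("Thank you very much for your reply") and __LOCKY_TEST5 can add 4.0 to an ordinary business reply with no archive attached. If the intent is the zipped-dropper pattern, `meta SOSDG_LOCKY_RANSOMWARE1 (__ZIP_ATTACHED && ((__LOCKY_TEST1 + __LOCKY_TEST2 + __LOCKY_TEST3 + __LOCKY_TEST4 + __LOCKY_TEST5 + __LOCKY_TEST6 + __LOCKY_TEST7) > 0))` keeps the same phrase list but requires the attachment; if phrase-only hits are deliberate, a comment saying so would settle it for the next reader. Note also that `__ZIP_ATTACHED` matches any Content-Type containing `zip`, gzip variants included, which is probably wanted but worth stating in a comment, and that the `.` ending `requested.` in __LOCKY_TEST3 is an unescaped wildcard rather than a literal period.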

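--- a/40_spam_patterns.cf
+++ b/40_spam_patterns.cf
@@ -0,0 +1,32 @@
+# Spam Patterns
+
+#body __VERT_SPAM_PILL1 /_{1,3}(v|c|l)_{0,3}/i
+#body __VERT_SPAM_PILL2 /_{1,3}(i|e)_{0,3}/i
+#body __VERT_SPAM_PILL3 /_{1,3}(a|v)_{0,3}/i
+#body __VERT_SPAM_PILL4 /_{1,3}(g|l|i)_{0,3}/i
+#body __VERT_SPAM_PILL5 /_{1,3}(r|i|t)_{0,3}/i
+#body __VERT_SPAM_PILL6 /_{1,3}(a|s|r)_{0,3}/i
+#meta SOSDG_VERT_PILL_SPAM_PATTERN ((__VERT_SPAM_PILL1 + __VERT_SPAM_PILL2 + __VERT_SPAM_PILL3 + __VERT_SPAM_PILL4 + __VERT_SPAM_PILL5 + __VERT_SPAM_PILL6) > 4)
+#describe SOSDG_VERT_PILL_SPAM_PATTERN Pill spam with vertical text
+#score SOSDG_VERT_PILL_SPAM_PATTERN 3.0
+
+
+body SOSDG_WE_ARE_NOT_SPAM1 / We are not spammer./
+describe SOSDG_WE_ARE_NOT_SPAM1 'We are not spam' match
+score SOSDG_WE_ARE_NOT_SPAM1 3.0
+
+body SOSDG_BRING_EMAIL1 /We can bring you more business and find new clients by our email services/
+describe SOSDG_BRING_EMAIL1 Bring business by email match
+score SOSDG_BRING_EMAIL1 2.0
+
+body SOSDG_PAYPAL_SCAM1 /We emailed you a little while ago to ask for your help resolving/
+describe SOSDG_PAYPAL_SCAM1 Paypal scam match
+score SOSDG_PAYPAL_SCAM1 4.0
+
+body SOSDG_KNOWN_SPAMPHONE1 /877-228-1545/
+describe SOSDG_KNOWN_SPAMPHONE1 Known spam phone number - 877-228-1545
+score SOSDG_KNOWN_SPAMPHONE1 4.0
+
+body SOSDG_PAYPAL_SCAM1 /Its important your happy and not bothered/
+describe SOSDG_PAYPAL_SCAM1 Spam wording match
+score SOSDG_PAYPAL_SCAM1 4.0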
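Review bot: `SOSDG_PAYPAL_SCAM1` is defined twice, first for the "We emailed you a little while ago" pattern and again for "Its important your happy"; SpamAssassin keeps whichever definition it reads last, so the PayPal-scam body pattern and its describe line are silently discarded, which `spamassassin --lint` should surface. Rename the second rule, e.g. `body SOSDG_SPAM_WORDING1 /Its important your happy and not bothered/` with matching `describe SOSDG_SPAM_WORDING1` and `score SOSDG_SPAM_WORDING1 4.0` lines. The trailing `.` in `/ We are not spammer./` is an unescaped any-character; `spammer\./` if a literal period is meant, and the lack of `/i` on these body rules means a case variant of the same sentence slips past, which may or may not be intended.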

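--- a/README
+++ b/README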


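--- a/build.sh
+++ b/build.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+VERSION=34
+TAR=`which tar`
+MYSQL=`which mysql`
+EPOCH=`date +%s`
+TARBALL="${VERSION}.tar.gz"
+SHA1SUM=`which sha1sum`
+DNSUSER="brielle"
+DNSDOMAIN="*.3.sa.sosdg.org"
+DNSDB="ns1-powerdns"
+DNSTABLE="records"
+
+${TAR} zvcf ../../${TARBALL} --exclude-vcs --exclude='*.sh' * ;\
+${SHA1SUM} ../../${TARBALL} > ../../${TARBALL}.sha1
+
+#echo -n "Mysql password: "
+#stty -echo
+#read password
+#stty echo
+
+#DNSSOA=`echo "SELECT content FROM ${DNSTABLE} WHERE domain_id='4'
+# AND name='sosdg.org' AND type='SOA'" |\
+# ${MYSQL} --user=${DNSUSER} --password=$password ${DNSDB}`
+
+#DNSSOA2=( ${DNSSOA// / } )
+#NEW_SOA="${DNSSOA2[1]} ${DNSSOA2[2]} $((${DNSSOA2[3]}+1)) ${DNSSOA2[4]} ${DNSSOA2[5]} ${DNSSOA2[6]} ${DNSSOA2[7]}"
+
+
+#echo "UPDATE ${DNSTABLE} SET content='${VERSION}', change_date='${EPOCH}'
+# WHERE name='${DNSDOMAIN}' AND type='TXT'" |\
+# ${MYSQL} --user=${DNSUSER} --password=$password ${DNSDB}
+#
+#echo "UPDATE ${DNSTABLE} SET content='${NEW_SOA}', change_date='${EPOCH}'
+# WHERE domain_id='4' AND name='sosdg.org' AND type='SOA'" |\
+# ${MYSQL} --user=${DNSUSER} --password=$password ${DNSDB}
+
+#unset password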
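Review bot: The `;\` ending the tar line runs sha1sum whether or not tar succeeded, so a failed or partial archive still gets a fresh checksum file written beside it, and the unquoted `*` and `../../${TARBALL}` expansions break on paths containing spaces. Joining the two commands with `&&` and quoting the paths — `${TAR} zvcf "../../${TARBALL}" --exclude-vcs --exclude='*.sh' -- * && ${SHA1SUM} "../../${TARBALL}" > "../../${TARBALL}.sha1"` — makes the checksum conditional on the archive actually being produced. A digest published on the same host as the tarball only detects transfer corruption, not substitution; `sha256sum` is the better choice of digest today, and a detached signature alongside it would give consumers of the ruleset a way to verify origin. The commented-out MySQL block passes `--password=$password` on the command line, which is visible in `ps` to every local user for as long as mysql runs; if that block is revived, a `[client]` section in a mode-600 `~/.my.cnf` or `--defaults-extra-file` avoids exposing it.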
