commit 576a9fd9a834cf16d2babd51ac90b3f3763450b1 Author: Brielle Date: Tue Feb 27 13:40:29 2018 -0700 Import into repo diff --git a/10_whitelist.cf b/10_whitelist.cf new file mode 100644 index 0000000..aa33070 --- /dev/null +++ b/10_whitelist.cf @@ -0,0 +1,41 @@ +# Whitelist rules + +# SOSDG/AHBL rules +whitelist_from_rcvd *@ahbl.org sosdg.org +whitelist_from_rcvd *@sosdg.org sosdg.org +whitelist_from_rcvd *@2mbit.com sosdg.org +whitelist_from_rcvd *@lists.sosdg.org sosdg.org + +# Mailing Lists +whitelist_from_rcvd *@freelists.org iquest.net +whitelist_from_rcvd *@spam-l.com mfn.org +whitelist_from_rcvd *@spam-l.com spam-l.com +whitelist_from_rcvd *@spam-l.com gas-net.org +whitelist_from_rcvd *@nanog.org nanog.org +whitelist_from_rcvd *@merit.edu nanog.org +whitelist_from_rcvd *@spammers.dontlike.us domainmail.org + +# SOSDG/AHBL friends and whitehat providers +whitelist_from_rcvd *@wiztech.biz sosdg.org +whitelist_from_rcvd *@lists.wiztech.biz sosdg.org + +#DomainTools +whitelist_from_rcvd *@domaintools.com nameintel.com + +#Bethesda emails from amazonses +whitelist_from_rcvd *@bethesda.net amazonses.com + +#Hubspot +whitelist_from_rcvd *@*.hubspot.com hubspot.com +whitelist_from_rcvd *@*.hubspot.com hubspotemail.net + +#Known good ecommerce sites and associated companies +whitelist_from_rcvd *@obtainsurplus.com obtainium.biz +whitelist_from_rcvd *@obtainium.biz obtainium.biz +whitelist_from_rcvd *@reuseum.com obtainium.biz +whitelist_from_rcvd *@reuseum.org obtainium.biz +whitelist_from_rcvd *@reuseum.com reuseum.com +whitelist_from_rcvd *@reuseum.org reuseum.com +whitelist_from_rcvd *@bigcommerce.com bigcommerce.com +whitelist_from_rcvd *@salesandorders.com outlook.com +whitelist_from_rcvd *@sixbitsoftware.com emailsrvr.com diff --git a/20_known_abusers.cf b/20_known_abusers.cf new file mode 100644 index 0000000..c4eef81 --- /dev/null +++ b/20_known_abusers.cf @@ -0,0 +1,56 @@ +# Known Richard Scoville, Mike McAllister mail froms used to harass people +blacklist_from therealkmanhere@gmail.com +blacklist_from canadiantaxman.ca@gmail.com +blacklist_from DarrellLarose.ca@gmail.com +blacklist_from canadiantaxman.ca@gmail.com +blacklist_from dioguardi.taxlaw@gmail.com +blacklist_from CanadianISPExec@gmail.com +blacklist_from keithcp1@gmail.com +blacklist_from peter.m.taticek@gmail.com +blacklist_from susanwigle@gmail.com +blacklist_from thefreespeechstore@gmail.com +blacklist_from canadianisp.ca@gmail.com +blacklist_from *@freespeechstore.com +blacklist_from *@thefreespeechstore.com +blacklist_from brian.brielle.bruns@gmail.com +blacklist_from stay.clear.ntuit@gmail.com +blacklist_from justcanadian242@googlemail.com +blacklist_from ceo.freespeechstore@gmail.com +blacklist_from davidnbrown80.mesa@gmail.com + + +# Known addresses of Jamie Baillie mail froms used to harass and mailbomb providers +blacklist_from theusenet@yahoo.ca +blacklist_from *@darkshado.ca +blacklist_from nanaestalkers@yahoo.ca + +# Andrew Stephens many sock puppets (See NANAE flood) +blacklist_from wiomoudr@anonymbox.com +blacklist_from johnwilliams7896897@gmail.com +blacklist_from timrobbins1957@gmail.com +blacklist_from canspamrules@gmail.com +blacklist_from suebarrymorestrikesagain@gmail.com +blacklist_from stephensboy@gmail.com +blacklist_from edataking@gmail.com +blacklist_from verumtruth@gmail.com + + +# Known spammed tinyurl.com links that abuse@ has not acted on +uri SOSDG_SPAMMED_TINYURL1 /tinyurl.com\/(free-speech-store|bruns-kirch-ahbl-abuse|Ottawa-Three-Plus-Some)/i +describe SOSDG_SPAMMED_TINYURL1 "Scoville/McAllister spammed tinyurl.com link" +score SOSDG_SPAMMED_TINYURL1 2.0 + +# Known spammed alturl.com links that abuse@ has not acted on +uri SOSDG_SPAMMED_ALTURL1 /alturl.com\/zm639/i +describe SOSDG_SPAMMED_ALTURL1 "Scoville/McAllister spammed alturl.com link" +score SOSDG_SPAMMED_ALTURL1 2.0 + +# Known spammed Google Groups posting hashes from Scoville/McAllister +uri SOSDG_SPAMMED_GOOGLEGRPS1 /groups.google.com\/.*\/(f3accf97cdf69d0d|229fb46bf323d091|f3accf97cdf69d0d)/i +describe SOSDG_SPAMMED_GOOGLEGRPS1 "Scoville/McAllister spammed Google Groups articles" +score SOSDG_SPAMMED_GOOGLEGRPS1 2.0 + +# Richard Scoville's Pay-Per-Libel website, used in spam runs +uri SOSDG_SPAMMED_SCOVILLE1 /(freespeechstore.com|thefreespeechstore.com)/i +describe SOSDG_SPAMMED_SCOVILLE1 "Richard Scoville's FreeSpeechStore website spammed" +score SOSDG_SPAMMED_SCOVILLE1 2.0 diff --git a/25_spam_from.cf b/25_spam_from.cf new file mode 100644 index 0000000..fed0876 --- /dev/null +++ b/25_spam_from.cf @@ -0,0 +1 @@ +blacklist_from robsavage19@hotmail.com diff --git a/30_virus.cf b/30_virus.cf new file mode 100644 index 0000000..8631e7c --- /dev/null +++ b/30_virus.cf @@ -0,0 +1,17 @@ +# Subject: Your wife photos attached +header SOSDG_VIRUS_WIFE1 Subject =~ /your (wife|wifes|wife's) (photo|photos) attached/i +describe SOSDG_VIRUS_WIFE1 Subject is common virus/trojan sign +score SOSDG_VIRUS_WIFE1 3.0 + +body __LOCKY_TEST1 /I am sending copies of the documents as attachments/i +body __LOCKY_TEST2 /Thank you very much for your reply/i +body __LOCKY_TEST3 /I have attached the financial report you requested./i +body __LOCKY_TEST4 /I am sending you the invoice you requested/i +body __LOCKY_TEST5 /Attached please find the documents you requested/i +body __LOCKY_TEST6 /wrong data file you received from me/i +body __LOCKY_TEST7 /attached is concerned with the company database/i + +mimeheader __ZIP_ATTACHED Content-Type =~ /zip/i +meta SOSDG_LOCKY_RANSOMWARE1 (( __LOCKY_TEST1 + __LOCKY_TEST2 + __LOCKY_TEST3 + __LOCKY_TEST4 + __LOCKY_TEST5 + __LOCKY_TEST6 + __LOCKY_TEST7 + __ZIP_ATTACHED ) > 1) +score SOSDG_LOCKY_RANSOMWARE1 4.0 +describe SOSDG_LOCKY_RANSOMWARE1 Common patterns for Locky ransomware diff --git a/40_spam_patterns.cf b/40_spam_patterns.cf new file mode 100644 index 0000000..188d01b --- /dev/null +++ b/40_spam_patterns.cf @@ -0,0 +1,32 @@ +# Spam Patterns + +#body __VERT_SPAM_PILL1 /_{1,3}(v|c|l)_{0,3}/i +#body __VERT_SPAM_PILL2 /_{1,3}(i|e)_{0,3}/i +#body __VERT_SPAM_PILL3 /_{1,3}(a|v)_{0,3}/i +#body __VERT_SPAM_PILL4 /_{1,3}(g|l|i)_{0,3}/i +#body __VERT_SPAM_PILL5 /_{1,3}(r|i|t)_{0,3}/i +#body __VERT_SPAM_PILL6 /_{1,3}(a|s|r)_{0,3}/i +#meta SOSDG_VERT_PILL_SPAM_PATTERN ((__VERT_SPAM_PILL1 + __VERT_SPAM_PILL2 + __VERT_SPAM_PILL3 + __VERT_SPAM_PILL4 + __VERT_SPAM_PILL5 + __VERT_SPAM_PILL6) > 4) +#describe SOSDG_VERT_PILL_SPAM_PATTERN Pill spam with vertical text +#score SOSDG_VERT_PILL_SPAM_PATTERN 3.0 + + +body SOSDG_WE_ARE_NOT_SPAM1 / We are not spammer./ +describe SOSDG_WE_ARE_NOT_SPAM1 'We are not spam' match +score SOSDG_WE_ARE_NOT_SPAM1 3.0 + +body SOSDG_BRING_EMAIL1 /We can bring you more business and find new clients by our email services/ +describe SOSDG_BRING_EMAIL1 Bring business by email match +score SOSDG_BRING_EMAIL1 2.0 + +body SOSDG_PAYPAL_SCAM1 /We emailed you a little while ago to ask for your help resolving/ +describe SOSDG_PAYPAL_SCAM1 Paypal scam match +score SOSDG_PAYPAL_SCAM1 4.0 + +body SOSDG_KNOWN_SPAMPHONE1 /877-228-1545/ +describe SOSDG_KNOWN_SPAMPHONE1 Known spam phone number - 877-228-1545 +score SOSDG_KNOWN_SPAMPHONE1 4.0 + +body SOSDG_PAYPAL_SCAM1 /Its important your happy and not bothered/ +describe SOSDG_PAYPAL_SCAM1 Spam wording match +score SOSDG_PAYPAL_SCAM1 4.0 diff --git a/README b/README new file mode 100644 index 0000000..e69de29 diff --git a/build.sh b/build.sh new file mode 100755 index 0000000..d706c92 --- /dev/null +++ b/build.sh @@ -0,0 +1,37 @@ +#!/bin/bash +VERSION=34 +TAR=`which tar` +MYSQL=`which mysql` +EPOCH=`date +%s` +TARBALL="${VERSION}.tar.gz" +SHA1SUM=`which sha1sum` +DNSUSER="brielle" +DNSDOMAIN="*.3.sa.sosdg.org" +DNSDB="ns1-powerdns" +DNSTABLE="records" + +${TAR} zvcf ../../${TARBALL} --exclude-vcs --exclude='*.sh' * ;\ +${SHA1SUM} ../../${TARBALL} > ../../${TARBALL}.sha1 + +#echo -n "Mysql password: " +#stty -echo +#read password +#stty echo + +#DNSSOA=`echo "SELECT content FROM ${DNSTABLE} WHERE domain_id='4' +# AND name='sosdg.org' AND type='SOA'" |\ +# ${MYSQL} --user=${DNSUSER} --password=$password ${DNSDB}` + +#DNSSOA2=( ${DNSSOA// / } ) +#NEW_SOA="${DNSSOA2[1]} ${DNSSOA2[2]} $((${DNSSOA2[3]}+1)) ${DNSSOA2[4]} ${DNSSOA2[5]} ${DNSSOA2[6]} ${DNSSOA2[7]}" + + +#echo "UPDATE ${DNSTABLE} SET content='${VERSION}', change_date='${EPOCH}' +# WHERE name='${DNSDOMAIN}' AND type='TXT'" |\ +# ${MYSQL} --user=${DNSUSER} --password=$password ${DNSDB} +# +#echo "UPDATE ${DNSTABLE} SET content='${NEW_SOA}', change_date='${EPOCH}' +# WHERE domain_id='4' AND name='sosdg.org' AND type='SOA'" |\ +# ${MYSQL} --user=${DNSUSER} --password=$password ${DNSDB} + +#unset password