
Import into repo

Brielle Bruns 11 months ago
commit
576a9fd9a8
7 changed files with 184 additions and 0 deletions
  1. 41
    0
      10_whitelist.cf
  2. 56
    0
      20_known_abusers.cf
  3. 1
    0
      25_spam_from.cf
  4. 17
    0
      30_virus.cf
  5. 32
    0
      40_spam_patterns.cf
  6. 0
    0
      README
  7. 37
    0
      build.sh

+ 41
- 0
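--- /dev/null
+++ b/10_whitelist.cf
@@ -0,0 +1,41 @@
+# Whitelist rules
+
+# SOSDG/AHBL rules
+whitelist_from_rcvd *@ahbl.org		sosdg.org
+whitelist_from_rcvd *@sosdg.org		sosdg.org
+whitelist_from_rcvd *@2mbit.com		sosdg.org
+whitelist_from_rcvd *@lists.sosdg.org	sosdg.org
+
+# Mailing Lists
+whitelist_from_rcvd *@freelists.org	iquest.net
+whitelist_from_rcvd *@spam-l.com	mfn.org
+whitelist_from_rcvd *@spam-l.com	spam-l.com
+whitelist_from_rcvd *@spam-l.com	gas-net.org
+whitelist_from_rcvd *@nanog.org		nanog.org
+whitelist_from_rcvd *@merit.edu		nanog.org
+whitelist_from_rcvd *@spammers.dontlike.us	domainmail.org
+
+# SOSDG/AHBL friends and whitehat providers
+whitelist_from_rcvd *@wiztech.biz	sosdg.org
+whitelist_from_rcvd *@lists.wiztech.biz	sosdg.org
+
+#DomainTools
+whitelist_from_rcvd *@domaintools.com nameintel.com
+
+#Bethesda emails from amazonses
+whitelist_from_rcvd *@bethesda.net amazonses.com
+
+#Hubspot
+whitelist_from_rcvd *@*.hubspot.com hubspot.com
+whitelist_from_rcvd *@*.hubspot.com hubspotemail.net
+
+#Known good ecommerce sites and associated companies
+whitelist_from_rcvd *@obtainsurplus.com obtainium.biz
+whitelist_from_rcvd *@obtainium.biz obtainium.biz
+whitelist_from_rcvd *@reuseum.com obtainium.biz
+whitelist_from_rcvd *@reuseum.org obtainium.biz
+whitelist_from_rcvd *@reuseum.com reuseum.com
+whitelist_from_rcvd *@reuseum.org reuseum.com
+whitelist_from_rcvd *@bigcommerce.com bigcommerce.com
+whitelist_from_rcvd *@salesandorders.com outlook.com
+whitelist_from_rcvd *@sixbitsoftware.com emailsrvr.com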
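Review bot: Several whitelist_from_rcvd entries pin the sender to a shared provider's relay rather than the sender's own infrastructure — bethesda.net via amazonses.com (line 26), salesandorders.com via outlook.com (line 40) and sixbitsoftware.com via emailsrvr.com (line 41) — and since whitelist_from_rcvd checks only the rDNS domain of the last untrusted relay, any other customer of that provider who forges the From: address inherits the exemption. Where those senders publish SPF or DKIM, `whitelist_auth *@salesandorders.com` ties the exemption to the domain's own authentication instead of the shared relay. A header comment such as `# Prefer whitelist_auth over whitelist_from_rcvd when the sender mails through a shared provider` would keep future additions consistent.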

+ 56
- 0
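--- /dev/null
+++ b/20_known_abusers.cf
@@ -0,0 +1,56 @@
+# Known Richard Scoville, Mike McAllister mail froms used to harass people
+blacklist_from therealkmanhere@gmail.com
+blacklist_from canadiantaxman.ca@gmail.com
+blacklist_from DarrellLarose.ca@gmail.com
+blacklist_from canadiantaxman.ca@gmail.com
+blacklist_from dioguardi.taxlaw@gmail.com
+blacklist_from CanadianISPExec@gmail.com
+blacklist_from keithcp1@gmail.com
+blacklist_from peter.m.taticek@gmail.com
+blacklist_from susanwigle@gmail.com
+blacklist_from thefreespeechstore@gmail.com
+blacklist_from canadianisp.ca@gmail.com
+blacklist_from *@freespeechstore.com
+blacklist_from *@thefreespeechstore.com
+blacklist_from brian.brielle.bruns@gmail.com
+blacklist_from stay.clear.ntuit@gmail.com
+blacklist_from justcanadian242@googlemail.com
+blacklist_from ceo.freespeechstore@gmail.com
+blacklist_from davidnbrown80.mesa@gmail.com
+
+
+# Known addresses of Jamie Baillie mail froms used to harass and mailbomb providers
+blacklist_from theusenet@yahoo.ca
+blacklist_from *@darkshado.ca
+blacklist_from nanaestalkers@yahoo.ca
+
+# Andrew Stephens many sock puppets (See NANAE flood)
+blacklist_from wiomoudr@anonymbox.com
+blacklist_from johnwilliams7896897@gmail.com
+blacklist_from timrobbins1957@gmail.com
+blacklist_from canspamrules@gmail.com
+blacklist_from suebarrymorestrikesagain@gmail.com
+blacklist_from stephensboy@gmail.com
+blacklist_from edataking@gmail.com 
+blacklist_from verumtruth@gmail.com
+
+
+# Known spammed tinyurl.com links that abuse@ has not acted on
+uri			SOSDG_SPAMMED_TINYURL1	/tinyurl.com\/(free-speech-store|bruns-kirch-ahbl-abuse|Ottawa-Three-Plus-Some)/i
+describe	SOSDG_SPAMMED_TINYURL1	"Scoville/McAllister spammed tinyurl.com link"
+score		SOSDG_SPAMMED_TINYURL1		2.0
+
+# Known spammed alturl.com links that abuse@ has not acted on
+uri			SOSDG_SPAMMED_ALTURL1	/alturl.com\/zm639/i
+describe	SOSDG_SPAMMED_ALTURL1	"Scoville/McAllister spammed alturl.com link"
+score		SOSDG_SPAMMED_ALTURL1	2.0
+
+# Known spammed Google Groups posting hashes from Scoville/McAllister
+uri			SOSDG_SPAMMED_GOOGLEGRPS1	/groups.google.com\/.*\/(f3accf97cdf69d0d|229fb46bf323d091|f3accf97cdf69d0d)/i
+describe	SOSDG_SPAMMED_GOOGLEGRPS1	"Scoville/McAllister spammed Google Groups articles"
+score		SOSDG_SPAMMED_GOOGLEGRPS1	2.0
+
+# Richard Scoville's Pay-Per-Libel website, used in spam runs
+uri			SOSDG_SPAMMED_SCOVILLE1	/(freespeechstore.com|thefreespeechstore.com)/i
+describe	SOSDG_SPAMMED_SCOVILLE1	"Richard Scoville's FreeSpeechStore website spammed"
+score		SOSDG_SPAMMED_SCOVILLE1	2.0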
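Review bot: `blacklist_from canadiantaxman.ca@gmail.com` appears twice (lines 3 and 5), the SOSDG_SPAMMED_GOOGLEGRPS1 alternation on line 49 repeats `f3accf97cdf69d0d`, and in SOSDG_SPAMMED_SCOVILLE1 on line 54 the `thefreespeechstore.com` alternative is already matched by `freespeechstore.com`, so all three are dead weight that make later edits error-prone. The unescaped dots in `tinyurl.com`, `alturl.com` and `groups.google.com` match any character rather than a literal dot, which is harmless here but `tinyurl\.com` is the intended form. Dropping the duplicate line and the repeated hash, and writing line 54 as `uri SOSDG_SPAMMED_SCOVILLE1 /freespeechstore\.com/i`, preserves exactly the same matches.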

+ 1
- 0
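--- /dev/null
+++ b/25_spam_from.cf
@@ -0,0 +1 @@
+blacklist_from robsavage19@hotmail.com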
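Review bot: The file has no header comment, unlike the sibling rule files, so nothing explains why this address lives in 25_spam_from.cf rather than 20_known_abusers.cf or what criteria a future entry must meet. A one-line comment such as `# Individual spam senders not tied to a named abuser campaign (see 20_known_abusers.cf)` would document the split. It is also worth noting in that comment that blacklist_from matches only the From: header, so an entry here penalises anyone whose address is forged as well as the sender.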

+ 17
- 0
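--- /dev/null
+++ b/30_virus.cf
@@ -0,0 +1,17 @@
+# Subject: Your wife photos attached
+header		SOSDG_VIRUS_WIFE1	Subject =~ /your (wife|wifes|wife's) (photo|photos) attached/i
+describe	SOSDG_VIRUS_WIFE1	Subject is common virus/trojan sign
+score		SOSDG_VIRUS_WIFE1	3.0
+
+body		__LOCKY_TEST1		/I am sending copies of the documents as attachments/i
+body		__LOCKY_TEST2		/Thank you very much for your reply/i
+body		__LOCKY_TEST3		/I have attached the financial report you requested./i
+body		__LOCKY_TEST4		/I am sending you the invoice you requested/i
+body		__LOCKY_TEST5		/Attached please find the documents you requested/i
+body		__LOCKY_TEST6		/wrong data file you received from me/i
+body		__LOCKY_TEST7		/attached is concerned with the company database/i
+
+mimeheader	__ZIP_ATTACHED		Content-Type =~ /zip/i
+meta		SOSDG_LOCKY_RANSOMWARE1	(( __LOCKY_TEST1 + __LOCKY_TEST2 + __LOCKY_TEST3 + __LOCKY_TEST4 + __LOCKY_TEST5 + __LOCKY_TEST6 + __LOCKY_TEST7 + __ZIP_ATTACHED ) > 1)
+score		SOSDG_LOCKY_RANSOMWARE1	4.0
+describe	SOSDG_LOCKY_RANSOMWARE1	Common patterns for Locky ransomware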
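Review bot: The meta on line 15 counts `__ZIP_ATTACHED` like any other sub-rule, so two body phrases alone fire SOSDG_LOCKY_RANSOMWARE1 at 4.0 points with no attachment at all, and the generic `__LOCKY_TEST2` (`Thank you very much for your reply`) plus any zip attachment also fires, which is an easy false positive on an ordinary reply carrying a zipped document. If the attachment is the distinguishing feature, as the `Content-Type =~ /zip/i` test suggests, `meta SOSDG_LOCKY_RANSOMWARE1 (__ZIP_ATTACHED && ((__LOCKY_TEST1 + __LOCKY_TEST2 + __LOCKY_TEST3 + __LOCKY_TEST4 + __LOCKY_TEST5 + __LOCKY_TEST6 + __LOCKY_TEST7) > 0))` ties the score to the zip while still requiring one of the phrases. `/zip/i` on Content-Type also matches `application/gzip`, which may or may not be intended; a comment on line 14 stating which attachment types the rule is meant to cover would settle that.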

+ 32
- 0
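--- /dev/null
+++ b/40_spam_patterns.cf
@@ -0,0 +1,32 @@
+# Spam Patterns
+
+#body	 __VERT_SPAM_PILL1	/_{1,3}(v|c|l)_{0,3}/i
+#body	 __VERT_SPAM_PILL2	/_{1,3}(i|e)_{0,3}/i
+#body	 __VERT_SPAM_PILL3	/_{1,3}(a|v)_{0,3}/i
+#body	 __VERT_SPAM_PILL4	/_{1,3}(g|l|i)_{0,3}/i
+#body	 __VERT_SPAM_PILL5	/_{1,3}(r|i|t)_{0,3}/i
+#body	 __VERT_SPAM_PILL6	/_{1,3}(a|s|r)_{0,3}/i
+#meta		SOSDG_VERT_PILL_SPAM_PATTERN	((__VERT_SPAM_PILL1 + __VERT_SPAM_PILL2 + __VERT_SPAM_PILL3 + __VERT_SPAM_PILL4 + __VERT_SPAM_PILL5 + __VERT_SPAM_PILL6) > 4)
+#describe	SOSDG_VERT_PILL_SPAM_PATTERN	Pill spam with vertical text
+#score		SOSDG_VERT_PILL_SPAM_PATTERN	3.0
+
+
+body		SOSDG_WE_ARE_NOT_SPAM1	/ We are not spammer./
+describe	SOSDG_WE_ARE_NOT_SPAM1	'We are not spam' match
+score		SOSDG_WE_ARE_NOT_SPAM1	3.0
+
+body		SOSDG_BRING_EMAIL1	/We can bring you more business and find new clients by our email services/
+describe	SOSDG_BRING_EMAIL1	Bring business by email match
+score		SOSDG_BRING_EMAIL1	2.0
+
+body		SOSDG_PAYPAL_SCAM1	/We emailed you a little while ago to ask for your help resolving/
+describe	SOSDG_PAYPAL_SCAM1	Paypal scam match
+score		SOSDG_PAYPAL_SCAM1	4.0
+
+body		SOSDG_KNOWN_SPAMPHONE1	/877-228-1545/
+describe	SOSDG_KNOWN_SPAMPHONE1	Known spam phone number - 877-228-1545
+score		SOSDG_KNOWN_SPAMPHONE1	4.0
+
+body		SOSDG_PAYPAL_SCAM1	/Its important your happy and not bothered/
+describe	SOSDG_PAYPAL_SCAM1	Spam wording match
+score		SOSDG_PAYPAL_SCAM1	4.0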
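Review bot: SOSDG_PAYPAL_SCAM1 is defined twice with different patterns (lines 22–24 and 30–32); SpamAssassin keeps one definition per rule name, so the later body regex replaces the earlier one and the `We emailed you a little while ago to ask for your help resolving` pattern never scores, while the describe text becomes "Spam wording match". Renaming the second block to match its own describe line — `body SOSDG_SPAM_WORDING1 /Its important your happy and not bothered/`, `describe SOSDG_SPAM_WORDING1 Spam wording match`, `score SOSDG_SPAM_WORDING1 4.0` — keeps both patterns live. Running `spamassassin --lint` on the set before packaging is worth adding to build.sh, although not every version reports a rule redefinition.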

+ 0
- 0
README View File


+ 37
- 0
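--- /dev/null
+++ b/build.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+VERSION=34
+TAR=`which tar`
+MYSQL=`which mysql`
+EPOCH=`date +%s`
+TARBALL="${VERSION}.tar.gz"
+SHA1SUM=`which sha1sum`
+DNSUSER="brielle"
+DNSDOMAIN="*.3.sa.sosdg.org"
+DNSDB="ns1-powerdns"
+DNSTABLE="records"
+
+${TAR} zvcf ../../${TARBALL} --exclude-vcs --exclude='*.sh' * ;\
+${SHA1SUM} ../../${TARBALL} > ../../${TARBALL}.sha1
+
+#echo -n "Mysql password: "
+#stty -echo
+#read password
+#stty echo
+
+#DNSSOA=`echo "SELECT content FROM ${DNSTABLE} WHERE domain_id='4'
+#		AND name='sosdg.org' AND type='SOA'" |\
+#		${MYSQL} --user=${DNSUSER} --password=$password ${DNSDB}`
+
+#DNSSOA2=( ${DNSSOA// / } )
+#NEW_SOA="${DNSSOA2[1]} ${DNSSOA2[2]} $((${DNSSOA2[3]}+1)) ${DNSSOA2[4]} ${DNSSOA2[5]} ${DNSSOA2[6]} ${DNSSOA2[7]}"
+
+
+#echo "UPDATE ${DNSTABLE} SET content='${VERSION}', change_date='${EPOCH}'
+#		WHERE name='${DNSDOMAIN}' AND type='TXT'" |\
+#		${MYSQL} --user=${DNSUSER} --password=$password ${DNSDB}
+#
+#echo "UPDATE ${DNSTABLE} SET content='${NEW_SOA}', change_date='${EPOCH}'
+#		WHERE domain_id='4' AND name='sosdg.org' AND type='SOA'" |\
+#		${MYSQL} --user=${DNSUSER} --password=$password ${DNSDB}
+
+#unset password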
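Review bot: On lines 13–14 the archive and its checksum are chained with `;\`, so `${SHA1SUM}` runs and writes the `.sha1` file even when tar failed or left a partial archive, and the script sets no error mode, so a published checksum can end up vouching for a broken tarball. `set -euo pipefail` after the shebang and `${TAR} zvcf ../../${TARBALL} --exclude-vcs --exclude='*.sh' * && \` on line 13 make the checksum conditional on a successful archive. The commented-out MySQL calls on lines 23, 31 and 35 pass `--password=$password` on the command line, which would expose the secret to every local user through the process list if the block is re-enabled; a `~/.my.cnf` credentials file or the `MYSQL_PWD` environment variable avoids that. The hard-coded `VERSION=34` on line 2 also names the tarball, so each release means editing the script rather than passing the version in; `VERSION="${1:-34}"` keeps the current default.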
