# BOTNET-CLUSTER-PATTERNS.RC
#
#  Current botnet-cluster patterns. Each rule below adds 2 to LOCALSCORE
#  when it hits; it does not make a final spam decision on its own.
#
#  Updated and verified 7/12/2011 (dates in this file are month/day/year).
#

# Abused Botnet Spam Source IPs
#
# 9/09/2010:
#  Hotmail is currently the source of an abnormal amount of *messy* botnet spam,
#  so the rule below scores any header line carrying an address in 64.4.x.x or
#  65.52-55.x.x. Re-verify these ranges periodically before relying on them:
#  address blocks get reassigned, and the list has not changed since 2010.
#

# Score +2 when any header line contains a dotted-quad IP in 64.4.x.x or
# 65.52-55.x.x.
#   -1^0 / 2^0  : an unconditional -1 plus +2 on a regex hit nets +1, so the
#                 recipe fires exactly when the regex matches; the weights are
#                 the file's convention, not a per-rule threshold.
#   H ??        : match the headers only (all of them, so an IP in a Received:
#                 trace counts as much as one in a forged header; legitimate
#                 mail relayed through these ranges is scored too). Procmail
#                 matching is case-insensitive unless the D flag is set.
#   Octet pattern [0-9][0-9]?[0-9]? accepts 0-999, so it is deliberately loose
#   (64.4.300.1 matches) rather than risking a miss.
#   The (^|[^0-9a-z]) ... ([^0-9a-z]|$) brackets stop 164.4.1.1 and 64.4.1.10x
#   from matching as part of a longer token.
# NOTE(review): ranges date from 9/2010; confirm who currently holds them before
#   keeping or extending this list.
:0
* -1^0
*  H ??  2^0 (^|[^0-9a-z])(64\.4\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?|\
                           65\.5[2-5]\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?)([^0-9a-z]|$)
{
 SBLOG="C3T-${TESTNAME}/Botnet Stigmata (Header Contains Commonly Abused IP)"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # Add 2 to LOCALSCORE. Procmail has no arithmetic, so the nested recipe sums
 # the substituted ${LOCALSCORE} and 2 as condition weights and reads the total
 # back from $=.
 :0
 * $ ${LOCALSCORE}^0
 * 2^0
 { LOCALSCORE=$= }
}

# Victim Address forged in From Header
#
# 9/13/2010:
#  One botnet Pharma spammer in particular constantly forges the recipient's own
#  address into the From header, so a From address that appears in our MYEMAIL
#  list is a strong botnet indicator.
#

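# Score +2 when the From address (FROMEMAIL, extracted elsewhere) is one of our
# own addresses listed in the MYEMAIL file, i.e. the sender forged the victim's
# address as the From.
#   * ? ${TEST} -f ${MYEMAIL}   : do nothing if the address file is missing.
#   * ! FROMEMAIL ?? ^noemail@example.com$
#                               : skip the placeholder used when no From address
#                                 could be extracted.
#   * ? ${GREP} -i -x -F -e "${FROMEMAIL}" ${MYEMAIL}
#       FROMEMAIL comes straight from the message, so it is attacker-controlled:
#       -e  the address is always an argument, never parsed as a grep option
#           even if it starts with "-".
#       -F  match it as a literal string; an address is not a regex, and
#           metacharacters in it must neither widen the match (".", "*") nor
#           make grep error out ("[", "\") on every message.
#       -x  whole-line match; -i case-insensitive, since MYEMAIL entries may be
#           written in any case.
#       The double quotes keep the shell from word-splitting the value.
#       ${MYEMAIL} stays unquoted to match the -f test above.
# NOTE(review): if this procmail substitutes ${FROMEMAIL} itself before the
#   shell parses the line, a value containing a double quote could still escape
#   the quoting; confirm which expansion applies to "?" conditions here.
:0
* ? ${TEST} -f ${MYEMAIL}
{
 :0
 * ! FROMEMAIL ?? ^noemail@example.com$
 * ? ${GREP} -i -x -F -e "${FROMEMAIL}" ${MYEMAIL}
 {
  SBLOG="C3T-${TESTNAME}/Botnet Stigmata (From Spam Victim Address)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # Add 2 to LOCALSCORE via condition weights; the total is read back from $=.
  :0
  * $ ${LOCALSCORE}^0
  * 2^0
  { LOCALSCORE=$= }
 }
}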

# Very short email with URI containing domain in abused TLD
#
# 9/13/2010:
#  Lots of very short botnet spam emails carry a URI in a botnet-abused TLD
#  (.cx, .in, .info, .ru) that is not followed by any other URI; the three
#  conditions below encode exactly that shape.
#

# Score +2 for a very short body whose URI points into an abused TLD and is not
# followed by another URI. All three conditions must hold:
#   1. ! B ?? ^.*$.*$.*$.*$.*$.*$
#        "$" matches a newline in a procmail regex, so this pattern needs
#        roughly six line ends; negated, the body must be shorter than that.
#   2. ! B ?? <abused-TLD URI> ... <any URI>
#        no URI with any 2-6 letter TLD may appear after the abused-TLD URI,
#        so the abused link is effectively the last/only link in the body.
#   3.   B ?? <abused-TLD URI>
#        the body does contain an http(s) URI whose domain ends in .cx, .in,
#        .info or .ru.
# Dots between labels are accepted as ".", "=2E" (quoted-printable) or "%2E"
# (URL-encoded) so encoding tricks do not dodge the match. Procmail matching
# is case-insensitive unless the D flag is set.
# NOTE(review): the character shown as "�" in the dot alternation is a
#   mis-encoded byte in this copy of the file; it presumably stood for a
#   non-ASCII look-alike of "." (obfuscated URLs). Recover the original byte
#   from the source file before deploying this rule, or that alternative
#   never matches.
:0
* ! B ??  ^.*$.*$.*$.*$.*$.*$
* ! B ??  (^|[^0-9a-z])https?://([0-9a-z][-_0-9a-z]*(�|\.|[=%]2E))+(cx|in|info|ru)(.*$)*.*\
           https?://([0-9a-z][-_0-9a-z]*(�|\.|[=%]2E))+[a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]?([^0-9a-z]|$)
*   B ??  (^|[^0-9a-z])https?://([0-9a-z][-_0-9a-z]*(�|\.|[=%]2E))+(cx|in|info|ru)([^0-9a-z]|$)
{
 SBLOG="C3T-${TESTNAME}/Botnet Stigmata (Short email, URI domain in Abused TLD)"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # Add 2 to LOCALSCORE via condition weights; the total is read back from $=.
 :0
 * $ ${LOCALSCORE}^0
 * 2^0
 { LOCALSCORE=$= }
}