/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/



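rule sendsafe {

    meta:
        author = " J from THL <j@techhelplist.com>"
        date = "2016/09"
        reference = "http://pastebin.com/WPWWs406"
        version = 2
        maltype = "Spammer"
        filetype = "memory"
        description = "Detects the sendsafe mailer by the product name and the status/log message templates it carries; intended for scanning process memory (see filetype)"

    strings:
        // Product name plus status/log message templates. The %s, %d and %ld
        // tokens are printf-style placeholders, so the rule matches the
        // template text as stored in the binary, not a rendered message.
        $a = "Enterprise Mailing Service"
        $b = "Blacklisted by rule: %s:%s"
        $c = "/SuccessMails?CampaignNum=%ld"
        $d = "/TimedOutMails?CampaignNum=%ld"
        $e = "/InvalidMails?CampaignNum=%ld"
        $f = "Failed to download maillist, retrying"
        $g = "No maillist loaded"
        $h = "Successfully sent using SMTP account %s (%d of %ld messages to %s)"
        $i = "Successfully sent %d of %ld messages to %s"
        $j = "Sending to %s in the same connection"
        $k = "New connection required, will send to %s"
        $l = "Mail transaction for %s is over."
        // Domain / MX resolution status messages
        $m = "Domain %s is bad (found in cache)"
        $n = "Domain %s found in cache"
        $o = "Domain %s isn't found in cache, resolving it"
        $p = "All tries to resolve %s failed."
        $q = "Failed to receive response for %s from DNS server"
        $r = "Got DNS server response: domain %s is bad"
        $s = "Got error %d in response for %s from DNS server"
        $t = "MX's IP for domain %s found in cache:"
        $u = "Timeout waiting for domain %s to be resolved"
        $v = "No valid MXes for domain %s. Marking it as bad"
        $w = "Resolving MX %s using existing connection to DNS server"
        $x = "All tries to resolve MX for %s are failed"
        $y = "Resolving MX %s using DNS server"
        $z = "Failed to receive response for MX %s from DNS server"

    condition:
        // Half of the 26 defined strings must be present; a single generic
        // phrase such as $g or $n on its own is not enough to fire the rule.
        13 of them
}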