How to use YARA to filter SPAM in Windows
Getting started — yara 4.3.1 documentation
Download the latest release from Releases · VirusTotal/yara (github.com), yara-4.3.1-2141-win64.zip, unzip the archive, and put the yara64.exe and yarac64.exe binaries anywhere on your disk.
Create a sample rule to test it.
Set-Content -Path .\my_first_rule -Value "rule dummy { condition: true }" -Encoding Ascii
.\yara64 my_first_rule my_first_rule
Sample rules to filter SPAM
// Each rule fires on its own; run them together from one file so a message is
// reported under every rule it matches.
rule spam_subject {
    meta:
        author = "Your Name"
        description = "Identifies spam based on subject"
    strings:
        $spam_subject  = "Free money" nocase
        $spam_subject2 = "Viagra" nocase
        $spam_subject3 = "Make money" nocase
        $spam_subject4 = "Earn money" nocase
        $spam_subject5 = "Get rich" nocase
    condition:
        any of them
}

rule spam_body {
    meta:
        author = "Your Name"
        description = "Identifies spam based on content"
    strings:
        $spam_content  = "Enlarge your" nocase
        $spam_content2 = "Make money fast" nocase
        $spam_content3 = "Buy now" nocase
        $spam_content4 = "Limited time offer" nocase
        $spam_content5 = "Free trial" nocase
    condition:
        any of them
}

rule spam_sender {
    meta:
        author = "Your Name"
        description = "Identifies spam based on sender"
    strings:
        $spam_sender = "spammer@example.com" nocase
    condition:
        $spam_sender
}

rule spam_links {
    strings:
        $link1 = "http://spamlink.com"
        $link2 = "https://spamlink.com"
    condition:
        // YARA has no "in ascii (body)" clause; the set expression alone
        // matches either link anywhere in the scanned message
        any of ($link*)
}

rule spam_attachments {
    strings:
        // plain file names as they appear in the attachment headers
        $attachment  = "xxx.doc"
        $attachment2 = "xxx.rar"
    condition:
        any of them
}
You will need to adjust these rules, or write new ones, to fit your own mail. These rules alone will not catch all spam: spammers constantly change their wording and tactics to avoid detection, so review and refine the rules regularly to keep up with new campaigns.
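To actually filter mail with these rules, here is an added PowerShell script (not from the YARA documentation or the original note) that compiles the rules above with yarac64.exe, scans a folder of exported .eml messages with yara64.exe, and moves every match into a quarantine folder, logging which rules fired. All file and folder paths are assumptions.

```powershell
# Added example (not part of the original note): batch-scan exported .eml files
# with the spam rules above and quarantine anything that matches.
# All paths below are assumptions; adjust them to your own layout.
$YaraExe    = 'C:\Tools\yara\yara64.exe'   # assumed location of the unzipped binaries
$YaracExe   = 'C:\Tools\yara\yarac64.exe'
$RulesFile  = 'C:\Tools\yara\spam.yar'     # the rules from this page, saved as a text file
$Compiled   = 'C:\Tools\yara\spam.yarc'    # compiled rules, rebuilt on every run
$Inbox      = 'C:\Mail\inbox'              # folder of exported .eml messages
$Quarantine = 'C:\Mail\spam'               # matches are moved here for review
$LogFile    = 'C:\Mail\yara-spam.log'

New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

# Compile first so a syntax error in the rules stops the run here,
# before any message is moved.
& $YaracExe $RulesFile $Compiled
if ($LASTEXITCODE -ne 0) { throw "yarac64 failed to compile $RulesFile" }

# -C loads the compiled rules, -r recurses into $Inbox.
# yara64 prints one line per match in the form "<rule_name> <file_path>".
$yaraOutput = & $YaraExe -C $Compiled -r $Inbox
if ($LASTEXITCODE -ne 0) { throw "yara64 scan failed (exit code $LASTEXITCODE)" }

# Group matches by file so a message that trips several rules is moved once
# and every rule that fired is recorded.
$hits = @{}
foreach ($line in $yaraOutput) {
    if ($line -match '^(\S+)\s+(.+)$') {
        $rule = $Matches[1]
        $path = $Matches[2]
        if (-not $hits.ContainsKey($path)) { $hits[$path] = @() }
        $hits[$path] += $rule
    }
}

foreach ($path in $hits.Keys) {
    $rules = ($hits[$path] | Sort-Object -Unique) -join ','
    "$(Get-Date -Format o) QUARANTINE $path [$rules]" | Add-Content -Path $LogFile
    # -LiteralPath keeps brackets or wildcards in file names from being expanded.
    Move-Item -LiteralPath $path -Destination $Quarantine -Force
}

Write-Output "Scanned $Inbox : $($hits.Count) message(s) quarantined, details in $LogFile"
```

Because matches are only moved, not deleted, the log plus the quarantine folder lets you check for false positives before tightening or loosening a rule.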
Created: 4/27/2023 5:58:21 PM
Modified: 4/27/2023 6:43:16 PM