Here are two links from antivirus vendors that describe the template the Storm botnet has been putting out. These should be very useful in crafting regexp to catch them all based on their body text.
http://www.f-secure.com/weblog/#00001255

http://www.symantec.com/enterprise/security_response/weblog/2007/08/new_storm_front_moving_in.html

Caveat: I've no idea how long this information will remain valid.

Andrew.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Barker
> Sent: Wednesday, August 22, 2007 8:54 AM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] New Spam
>
> Updated filter line to:
>
> (?i:(Click|login|link).{0,50}http://((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Barker
> Sent: Tuesday, August 21, 2007 10:14 AM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] New Spam
>
> Thanks :) Much appreciated.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of SJ.Stanaitis
> Sent: Tuesday, August 21, 2007 9:57 AM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] New Spam
>
> Just something I've been meaning to say for a bit.
>
> Declude RULES.
>
> Thanks David!
> --SJ
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Barker
> Sent: Tuesday, August 21, 2007 9:39 AM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] New Spam
>
> Filter Line:
>
> BODY 10 PCRE (?i:(Click|login|link).{0,50}http://((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))
>
> Example Below:
> ------------------------------------------------------------
> Welcome Member,
>
> Thank You for Joining Poker World.
>
> Membership Number: 3398118525
> Temp Login ID: user3668
> Your Password ID: di150
>
> Please keep your account secure by logging in and changing
> your login info.
>
> Use this link to change your Login info: http://85.113.198.210/
>
> Thank You,
> Welcome Department
> Poker World
> ------------------------------------------------------------
>
> David Barker
> VP Operations | Declude
> Your Email Security is our business
> O: 978.499.2933 x7007
> F: 978.988.1311
> E: [EMAIL PROTECTED]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
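
Added example, not part of the original thread: the updated filter expression quoted above, compiled with Python's `re` module instead of Declude's PCRE engine and run over sample bodies, to show what it flags and where it can hit legitimate mail. Only the Poker World text comes from the thread; the other bodies are constructed, and `flagged_ip`, `STORM_LINK` and `IP_IN_HIT` are hypothetical names.

```python
import re

# Updated filter expression from the thread (syntax is valid in both PCRE and re).
STORM_LINK = re.compile(
    r"(?i:(Click|login|link).{0,50}"
    r"http://((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
    r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"
)
# Helper (not from the thread): the hit always ends with the matched address.
IP_IN_HIT = re.compile(r"http://([0-9.]+)$")


def flagged_ip(body):
    """Return the IP address of the link that triggers the filter, or None."""
    hit = STORM_LINK.search(body)
    if hit is None:
        return None
    return IP_IN_HIT.search(hit.group(0)).group(1)


# Sample body quoted in the thread.
POKER_WORLD = """Welcome Member,

Thank You for Joining Poker World.

Membership Number: 3398118525
Temp Login ID: user3668
Your Password ID: di150

Please keep your account secure by logging in and changing
your login info.

Use this link to change your Login info: http://85.113.198.210/
"""
# Constructed bodies for tuning: a hostname link, an internal-device link
# (a likely false positive), and an IP link with no trigger word.
HOSTNAME_LINK = "Click here to login: http://www.example.com/account"
INTERNAL_LINK = "Click the link to open the printer admin page: http://192.168.1.20/"
NO_KEYWORD = "The server moved to http://192.0.2.10/ yesterday."

if __name__ == "__main__":
    for name in ("POKER_WORLD", "HOSTNAME_LINK", "INTERNAL_LINK", "NO_KEYWORD"):
        print(name, "->", flagged_ip(globals()[name]))
```

The internal-device body shows that legitimate mail linking to a raw IP address also triggers the expression, which is worth checking against local traffic before relying on it.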