This info popped up on the Emerging Threats list. I have watched our mail servers and have confirmed that it works.

The problem is that my attempts to create SpamAssassin rules for it never fire off. Can I get some tutelage from the list on creating rules for these unique conditions:

Message IDs randomized, but always the same length per field, and uses "Message-Id" instead of "Message-ID":

Message-Id: <[EMAIL PROTECTED]>

Intel from Joe Stewart at Secureworks.

Message-Id capitalized incorrectly, and EJXVWDA appears in the middle of the random prefix:

Message-Id: <[EMAIL PROTECTED]>

Intel from Joe Stewart at Secureworks.

First group increments over time. Last group is the IP in hex backwards.
Like so:

Message-ID: [EMAIL PROTECTED]

Thanks again to Joe Stewart for the intel!

Anything that hits is generated by bobax/kraken/oderoor and can be dropped.
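An added example (not from the original post or the list thread) of how the first two Message-Id families described above can be written as SpamAssassin rules. Named header rules match the header name case-insensitively, which is why a rule keyed on "Message-Id" alone cannot see the miscapitalisation; the raw header block has to be matched through the ALL pseudo-header. The character classes, rule names and score are assumptions, since the redacted samples do not show the exact field lengths, and the third family (incrementing group plus reversed hex of the sending IP) needs the connecting relay address, which a plain header regex cannot compare against.

```conf
# Added example: SpamAssassin local.cf fragment for the Message-Id patterns
# described in the post. Rule names, character classes and score are assumptions.

# "Message-Id =~ ..." matches the header name case-insensitively, so the
# miscapitalised header must be found in the raw header text via ALL.
# Plenty of legitimate MUAs also write "Message-Id", so this stays a
# zero-scoring __ subrule and only contributes through the meta below.
header   __MSGID_MIXEDCASE    ALL =~ /^Message-Id:/m

# Second family: the fixed token EJXVWDA inside the otherwise random local part.
# [A-Za-z0-9]+ on each side is assumed; the samples only show the token sits
# in the middle of the prefix, not the per-field lengths.
header   __MSGID_EJXVWDA      Message-Id =~ /^\s*<[A-Za-z0-9]+EJXVWDA[A-Za-z0-9]+@[^>\s]+>\s*$/

# Only the combination scores, so the common miscapitalisation alone never fires.
meta     BOBAX_MSGID_EJXVWDA  __MSGID_MIXEDCASE && __MSGID_EJXVWDA
describe BOBAX_MSGID_EJXVWDA  Message-Id header miscapitalised and carries the EJXVWDA token
score    BOBAX_MSGID_EJXVWDA  3.5

# Check that the rules parse, then see which subrules fire on a captured sample:
#   spamassassin --lint
#   spamassassin -D rules -t < sample.eml 2>&1 | grep -i MSGID
```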

jp
--
Framework?  I don't need no steenking framework!

----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate http://www.afferentsecurity.com
