Written by Matt Jonkman
Wednesday, 09 April 2008
Some great intelligence from Joe Stewart at Secureworks. It seems the Bobax spam has some unique and easily sig'able Message-Id fields.
If you block on these you ought to reduce the load on your spam filtering systems significantly. The load should be manageable even though the rules use pcre.
In the first one Bobax uses a consistently long, structured Message-Id. It also uses a lowercase d in "Id", where the norm is all uppercase ("ID").
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)"; flow:established,to_server; content:"Message-Id\: <"; pcre:"/Message-Id\: <[0-9A-Z]{8}\.\d{6}\.\d{5}@[A-Z]{4}>/"; classtype:misc-activity; sid:2008121; rev:1;)
Here we have a predictable string in the Message-Id, along with the same lowercase d. The trailing part after the @ is usually a domain name.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)"; flow:established,to_server; content:"Message-Id\: <"; pcre:"/Message-Id\: <[A-Z0-9]{6}EJXVWDA\d\d\d@/"; classtype:misc-activity; sid:2008122; rev:1;)
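The following is an added example, not code from the post or from the Emerging Threats ruleset. It applies the two pcre patterns above to constructed header blocks (the Message-Id values are made up, not real Bobax captures) the way Snort would: the cheap content match on "Message-Id: <" runs first, and only then the regex. Because neither rule uses the /i flag, the match is case-sensitive, which is exactly what makes the lowercase "Id" observation useful: a correctly spelled "Message-ID" header never reaches the regex.

```python
import re

# The two PCRE patterns from sid 2008121 and sid 2008122, copied as written in
# the rules. Python's re module supports every construct they use.
BOBAX_PATTERNS = {
    2008121: re.compile(r"Message-Id: <[0-9A-Z]{8}\.\d{6}\.\d{5}@[A-Z]{4}>"),
    2008122: re.compile(r"Message-Id: <[A-Z0-9]{6}EJXVWDA\d\d\d@"),
}

# Same literal the rules' content: option carries. Snort evaluates content
# before pcre, so this mirrors its cheap pre-filter (case-sensitive).
CONTENT_PREFILTER = "Message-Id: <"


def classify_header_block(headers: str):
    """Return the sid of the first rule whose pcre matches, or None."""
    if CONTENT_PREFILTER not in headers:
        return None
    for sid, pattern in BOBAX_PATTERNS.items():
        if pattern.search(headers):
            return sid
    return None


# Constructed sample header blocks (assumptions for illustration, not captures).
SAMPLES = {
    # Shape described for sid 2008121: 8 alnum . 6 digits . 5 digits @ 4 letters
    "bobax_style_1": (
        "From: a@example.invalid\r\n"
        "Message-Id: <A1B2C3D4.123456.12345@QWER>\r\n"
        "Subject: hi\r\n"
    ),
    # Shape described for sid 2008122: 6 alnum, fixed EJXVWDA, 3 digits, @domain
    "bobax_style_2": (
        "From: b@example.invalid\r\n"
        "Message-Id: <ZX9Q8WEJXVWDA123@mail.example.invalid>\r\n"
        "Subject: hi\r\n"
    ),
    # Same value as sample 1 but with the normal uppercase "ID": must not match.
    "legit_upper_id": (
        "From: c@example.com\r\n"
        "Message-ID: <A1B2C3D4.123456.12345@QWER>\r\n"
        "Subject: hi\r\n"
    ),
    # Lowercase d but an ordinary MTA-style id: content matches, pcre does not.
    "legit_lower_d_but_normal": (
        "From: d@example.com\r\n"
        "Message-Id: <20080409120000.GA1234@host.example.com>\r\n"
        "Subject: hi\r\n"
    ),
}


def run_samples():
    """Classify every constructed sample; returns {name: sid or None}."""
    return {name: classify_header_block(block) for name, block in SAMPLES.items()}


if __name__ == "__main__":
    for name, sid in run_samples().items():
        print(f"{name:28s} -> {sid if sid else 'no alert'}")
```

Running the block prints one line per sample; the two Bobax-shaped blocks report their sid and the two ordinary ones report no alert. The fourth sample is the interesting one for tuning: a lowercase "Message-Id" alone is not enough to fire, the specific shape of the id still has to match, so the pre-filter passes but the regex rejects it.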
These will change over time of course, but they'll be good for a while. Please let me know how these fare! Be sure to pull the sigs from the repository and not from here, as changes may not be reflected here in the future.