[Mimedefang] Fw: [Sare-users] Spam with numbers in subj and body
Kevin A. McGrail
kmcgrail at pccc.com
Tue Jun 6 10:08:56 EDT 2006
Hi Skip:
Yes, others are seeing them sporadically across several servers. It's been
in discussion mildly on the MIMEDefang list since yesterday evening.
I have inklings they are hotline virus related from one of the email
subjects I got but I have not been able to substantiate that yet.
I haven't seen any unmolested emails (ok I got one and deleted it :-( bad
me) so it's hard to write a rule for it but something like this would be a
start:
#KAM NUMBER EMAILS
header __KAM_NUMBER1 Subject =~ /\d*/i
body __KAM_NUMBER2 /\d{1,6}/
meta KAM_NUMBER ((__KAM_NUMBER1 + __KAM_NUMBER2) >= 2)
describe KAM_NUMBER Silly Number Emails
score KAM_NUMBER 0.1
Regards,
KAM
> Beginning yesterday, we began to receive spam email from a number of
> sources spoofing as our own users. The email will appear as though it
> is both from and to the same recipient. The subject will be 3 digits
> (i.e. 557) and the body 4 digits (i.e. 5567). I've found 5 users over
> the last two days and one who indicated he received one on his personal
> account at his home.
>
> Is anyone else seeing these? How can I proceed to block them? Thanks.
More information about the MIMEDefang
mailing list