[Mimedefang] Fw: [Sare-users] Spam with numbers in subj and body

Joseph Brennan brennan at columbia.edu
Tue Jun 6 12:05:11 EDT 2006



--On Tuesday, June 6, 2006 10:31 AM -0500 "Damrose, Mark" 
<mdamrose at elgin.edu> wrote:

> header	__NUMBER3   Message-ID =~ /\<[a-z]{19}\@example.com\>/


I was wondering why we didn't see any!  I put in effectively the same
thing in Mimedefang a long time ago.  Bagle built Message-ID this same
way and we could swat them away without analyzing the body.  This:

    # Bagle-style Message-ID: lower-case letters only, claiming to be from us.
    # $MessageID, $RelayAddr, md_graphdefang_log, action_bounce and
    # action_discard are MIMEDefang built-ins; this sits in mimedefang-filter
    # (e.g. in filter_begin), where $MessageID is already populated.
    if ($MessageID =~ /<[a-z]+\@(columbia|COLUMBIA)/) {
        md_graphdefang_log('virus', 'Bagle', $RelayAddr);   # log it for graphdefang
        action_bounce("You are not columbia.edu");          # reject at SMTP time
        return action_discard();
    }

It's definitely a bot net.  At the moment it is working its way through
our users in alphabetical order in three series, addresses starting with
'c', 'e', and 'y'.  Although each host sends to no more than 5 recipients,
an overall alphabetical order is maintained in each series, showing that
there are three controllers somewhere working through alphabetical lists
and feeding them to bots they control.

They also hit us with no more than 3 per minute.  This and the very
distributed bot net are probably evasive actions.

Out of 1,753 messages there are only five unique subjects:
1545453
455
557
57657
586876

These do not correspond to the three alphabetical series.  Each one is
using '557' for some messages, for example.

Joe Brennan
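The two rules quoted in this message (Mark's SpamAssassin header rule and Joe's MIMEDefang check) both key on the same thing: a Message-ID whose local part is a bare run of lower-case letters and whose domain claims to be the receiving site. The following is an added example, not code from the original post, from MIMEDefang or from SpamAssassin; it applies that check plus the all-digit-subject observation to a batch of headers. It assumes `example.com` as the local domain (the post's filter checks for columbia.edu), a letter-run length of 8 to 32 (Mark's rule pins exactly 19, Joe's accepts any length), and the sample headers below are constructed for the demo.

```python
import re
from collections import Counter

# Domain the campaign forges in its Message-ID. Assumption for this example;
# the post's own filter checks for columbia.edu.
OUR_DOMAIN = "example.com"

# Bagle-style Message-ID: "<" + run of lower-case ASCII letters + "@" + domain + ">".
# The quoted SpamAssassin rule pins the run to exactly 19 letters; the Perl
# filter accepts any length ([a-z]+). The 8..32 bound here is an assumption,
# not something the post states.
FORGED_MSGID_RE = re.compile(r"^<([a-z]{8,32})@([^@>\s]+)>$")

# The campaign's subjects are bare digit strings ("1545453", "557", ...).
DIGIT_SUBJECT_RE = re.compile(r"^\d+$")


def forged_message_id(message_id, our_domain=OUR_DOMAIN):
    """True if Message-ID has an all-lower-case local part and claims our domain."""
    m = FORGED_MSGID_RE.match(message_id.strip())
    return bool(m) and m.group(2).lower() == our_domain.lower()


def numeric_subject(subject):
    """True if the Subject header is nothing but digits."""
    return bool(DIGIT_SUBJECT_RE.match(subject.strip()))


def classify(msg, our_domain=OUR_DOMAIN):
    """Return the campaign indicators a message matches (empty list = clean).

    msg is a dict of header name -> value, as a filter would see them.
    """
    reasons = []
    if forged_message_id(msg.get("Message-ID", ""), our_domain):
        reasons.append("forged-msgid")
    if numeric_subject(msg.get("Subject", "")):
        reasons.append("numeric-subject")
    return reasons


def subject_counts(messages):
    """Count distinct subjects across a batch, as the post did for its 1,753 hits."""
    return Counter(m.get("Subject", "").strip() for m in messages)


def flagged(messages, our_domain=OUR_DOMAIN):
    """Indices of messages that match at least one indicator."""
    return [i for i, m in enumerate(messages) if classify(m, our_domain)]


# Constructed sample headers for the demo; none are from the original post.
SAMPLE = [
    {"Message-ID": "<abcdefghijklmnopqrs@example.com>", "Subject": "557"},
    {"Message-ID": "<qwertyuiopasdfghjkl@EXAMPLE.COM>", "Subject": "1545453"},
    {"Message-ID": "<zxcvbnmasdfghjklqwe@example.com>", "Subject": "557"},
    # Legitimate mail from our own MTA: digits and a dot in the local part,
    # and a host name rather than the bare domain.
    {"Message-ID": "<20060606120511.GA1234@mail.example.com>", "Subject": "Re: meeting"},
    # Ordinary external mail; "557" inside a real subject is not a bare number.
    {"Message-ID": "<8f3c1d2e@mailer.example.org>", "Subject": "Invoice 557"},
    # Upper-case local part: the post's regex is case-sensitive on the local
    # part, so this is deliberately not flagged either.
    {"Message-ID": "<ABCDEFGHIJKLMNOPQRS@example.com>", "Subject": "hello"},
]


if __name__ == "__main__":
    for i, m in enumerate(SAMPLE):
        print(i, m["Message-ID"], classify(m) or "clean")
    print(subject_counts(SAMPLE).most_common())
```

In a production filter this check should only run on mail arriving from outside relays; mail that really originates at the site carries a Message-ID generated by the site's own MTA, so a "forged" hit on an internal relay would point at a misconfiguration rather than the botnet.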
