alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET TROJAN Bobax Spam Inbound (Unique Faked Message-Id)"; flow:established,to_server; content:"Message-Id\: <"; pcre:"/Message-Id\: <[0-9A-Z]{8}\.\d{6}\.\d{5}@[A-Z]{4}>/"; threshold: type limit, count 1, seconds 60, track by_src; classtype:misc-activity; sid:2008121; rev:3;)

Added 2008-04-29 17:42:35 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)"; flow:established,to_server; content:"Message-Id\: <"; pcre:"/Message-Id\: <[0-9A-Z]{8}\.\d{6}\.\d{5}@[A-Z]{4}>/"; threshold: type limit, count 1, seconds 60, track by_src; classtype:misc-activity; sid:2008121; rev:2;)

Added 2008-04-14 14:06:45 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)"; flow:established,to_server; content:"Message-Id\: <"; pcre:"/Message-Id\: <[0-9A-Z]{8}\.\d{6}\.\d{5}@[A-Z]{4}>/"; classtype:misc-activity; sid:2008121; rev:1;)

Added 2008-04-09 11:59:48 UTC

Message IDs are randomized but always the same length per field, and "Message-Id" is used instead of "Message-ID":

Message-Id: <2873D448.788506.55260@KMYR>
Message-Id: <0063D640.105940.14536@GEWN>
Message-Id: <5314D726.338506.53672@HLOX>
Message-Id: <9623D246.651813.85001@TSRC>
Message-Id: <9323D953.439713.23300@XOZO>
Message-Id: <5826D079.865484.96382@DPJF>
Message-Id: <5760D504.989162.19301@MQBI>
Message-Id: <3826D994.505082.06446@ULHA>
Message-Id: <9198D762.152706.91872@NZOD>
Message-Id: <9436D725.815646.21882@JECL>

Intel from Joe Stewart, many thanks!

-- MattJonkman - 09 Apr 2008
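To see exactly what the rule keys on, here is an added Python example (not part of the ET rule set or of MattJonkman's post) that applies the sid 2008121 pcre to the ten Message-Ids above plus a few constructed benign headers, and models the rev 2/rev 3 `threshold: type limit, count 1, seconds 60, track by_src` option so that one spamming source raises one alert per minute. The IP addresses, timestamps and benign headers are constructed; the threshold class is my reading of Snort's "limit" semantics, not Snort's own code.

```python
import re

# Regex copied from the pcre option of sid 2008121. Snort's "\:" escape is a
# plain ":" in Python. There is no /i flag, so the match is case-sensitive:
# the header must be spelled "Message-Id" (lowercase d), exactly as noted on
# the page. re.ASCII keeps \d to [0-9], matching PCRE's default.
BOBAX_MSGID = re.compile(
    r"Message-Id: <[0-9A-Z]{8}\.\d{6}\.\d{5}@[A-Z]{4}>", re.ASCII
)

# The ten Message-Ids posted on the page, embedded as SMTP header lines.
PAGE_SAMPLES = [
    "Message-Id: <2873D448.788506.55260@KMYR>",
    "Message-Id: <0063D640.105940.14536@GEWN>",
    "Message-Id: <5314D726.338506.53672@HLOX>",
    "Message-Id: <9623D246.651813.85001@TSRC>",
    "Message-Id: <9323D953.439713.23300@XOZO>",
    "Message-Id: <5826D079.865484.96382@DPJF>",
    "Message-Id: <5760D504.989162.19301@MQBI>",
    "Message-Id: <3826D994.505082.06446@ULHA>",
    "Message-Id: <9198D762.152706.91872@NZOD>",
    "Message-Id: <9436D725.815646.21882@JECL>",
]

# Constructed counter-examples that must NOT fire: the standard "Message-ID"
# spelling, a conventional MTA-generated id, and two near-misses in case and
# field width. The hostnames are illustrative only.
BENIGN_SAMPLES = [
    "Message-ID: <2873D448.788506.55260@KMYR>",               # capital "ID"
    "Message-ID: <20080409115948.GA1234@mail.example.com>",   # typical MTA id
    "Message-Id: <2873d448.788506.55260@kmyr>",               # lowercase chars
    "Message-Id: <2873D448.78850.55260@KMYR>",                # 5-digit middle field
]


def is_bobax_msgid(line: str) -> bool:
    """True if a header line matches the sid 2008121 pcre."""
    return BOBAX_MSGID.search(line) is not None


class LimitThreshold:
    """Model of 'threshold: type limit, count N, seconds S, track by_src'.

    Alerts on the first N matching events from a source inside each
    S-second window and suppresses the rest of that window. The window
    starts at the first event seen from that source, not on a clock
    boundary. This is an approximation of Snort's behaviour, not its code.
    """

    def __init__(self, count: int = 1, seconds: int = 60):
        self.count = count
        self.seconds = seconds
        self._window = {}  # src -> (window_start, events_in_window)

    def allow(self, src: str, ts: float) -> bool:
        start, seen = self._window.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0          # open a fresh window for this source
        seen += 1
        self._window[src] = (start, seen)
        return seen <= self.count


def run_rule(events, threshold=None):
    """events: iterable of (src_ip, unix_ts, header_line) seen on inbound SMTP.

    Returns the list of (src_ip, unix_ts) for which the rule would alert
    after the by_src limit is applied.
    """
    threshold = threshold or LimitThreshold(count=1, seconds=60)
    alerts = []
    for src, ts, line in events:
        if is_bobax_msgid(line) and threshold.allow(src, ts):
            alerts.append((src, ts))
    return alerts


# Constructed event stream: one source sending five Bobax-style messages in
# a minute, a second source sending one, and one benign header in between.
EXAMPLE_EVENTS = [
    ("203.0.113.7", 0, PAGE_SAMPLES[0]),      # fires
    ("203.0.113.7", 10, PAGE_SAMPLES[1]),     # suppressed, same 60 s window
    ("198.51.100.9", 10, PAGE_SAMPLES[2]),    # fires, different source
    ("203.0.113.7", 30, BENIGN_SAMPLES[1]),   # no content match at all
    ("203.0.113.7", 59, PAGE_SAMPLES[3]),     # suppressed
    ("203.0.113.7", 60, PAGE_SAMPLES[4]),     # window expired, fires again
]

if __name__ == "__main__":
    for line in PAGE_SAMPLES + BENIGN_SAMPLES:
        print(f"{'MATCH ' if is_bobax_msgid(line) else 'ignore'}  {line}")
    for src, ts in run_rule(EXAMPLE_EVENTS):
        print(f"alert: {src} at t={ts}")
```

Two things worth noticing when running this. First, the `content` and `pcre` are case-sensitive, so the detection rests on the bot's "Message-Id" spelling and the fixed field widths, not on the randomized values; a legitimate MTA's "Message-ID" never reaches the pcre. Second, in all ten samples on the page the fifth character of the first field is a "D" (2873D448, 0063D640, ...), which the rule does not require; that is only an observation from these samples and would need more data before tightening the pcre to it.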


Topic revision: r2 - 2008-04-09 - MattJonkman