zip only spam

Vlad Mazek v at vladville.com
Sat Aug 4 05:18:31 IST 2007


Actually, they are showing up under random dictionary names; here are
just a few:
Cheque.zip
Complaint.zip
Data.zip
log.zip

-Vlad

On 7/31/07, Matt Kettler <mkettler at evi-inc.com> wrote:
>
> Leland J. Steinke wrote:
> > Rob Freeman wrote:
> >> I see instead of using pdf spam, they have switched to zip spam.  I
> >> have a rule to block the pdf only spam, but when I changed it to zip,
> >> it is not working:
> >>
> >> # ZIP only spam
> >> full     ZIP_ONLY_SPAM   /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/zip\;.{1,40}name\=.{1,40}\.zip.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.zip/is
> >
> >
> > s/zip/octet-stream/
> >
> > Also, these are RAR files.  I updated my filetype.rules.conf to block
> > 'em, after jacking up the spam score to get the sending IPs blocked as
> > well.
>
> I'm blocking them in filename.rules.conf; the zipfile names are the same
> generic ones used by the old Beagle/Bagel worms. The rules I had in place
> forever ago appear to be covering it just fine.
>
> deny    ^msg\.zip$              Beagle.H worm          Beagle.H worm
> deny    ^moreinfo\.zip$ Beagle.H worm           Beagle.H worm
> deny    ^attachedfile\.zip$     Beagle.H worm   Beagle.H worm
> deny    ^TextDocument\.zip$     Beagle.H worm   Beagle.H worm
> deny    ^Readme\.zip$   Beagle.H worm   Beagle.H worm
> deny    ^Msginfo\.zip$  Beagle.H worm   Beagle.H worm
> deny    ^Document\.zip$ Beagle.H worm   Beagle.H worm
> deny    ^Info\.zip$     Beagle.H worm   Beagle.H worm
> deny    ^Attacheddocument\.zip$ Beagle.H worm   Beagle.H worm
> deny    ^Text\.zip$     Beagle.H worm   Beagle.H worm
> deny    ^TextFile\.zip$ Beagle.H worm   Beagle.H worm
> deny    ^Letter\.zip$   Beagle.H worm   Beagle.H worm
> deny    ^MoreInfo\.zip$ Beagle.H worm   Beagle.H worm
> deny    ^Message\.zip$  Beagle.H worm   Beagle.H worm
> deny    ^Attach\.zip$   Beagle.K worm   Beagle.K worm
> deny    ^Information\.zip$      Beagle.K worm   Beagle.K worm
>
>
> Also, spamassassin is tearing them up, mostly on RBLs:
>
> X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=10.811, required 5,
>         BAYES_99 3.50, INFO_GREYLIST_DELAYED 0.40,
>         RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_SORBS_WEB 1.46,
>         RCVD_IN_XBL 3.90)
>
> X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=12.311, required 5,
>         BAYES_99 3.50, DCC_CHECK 1.50, INFO_GREYLIST_DELAYED 0.40,
>         RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_SORBS_WEB 1.46,
>         RCVD_IN_XBL 3.90)
>
> (note: INFO_GREYLIST_DELAYED is a local rule, and points out the message
> was delayed by my milter-greylist config)
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>



-- 
-Vlad
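The thread raises three separate checks for this campaign: the message carries nothing but an archive, the archive's declared MIME type or extension disagrees with what the bytes actually are (RAR sent as "application/octet-stream" under a .zip name), and the filename comes from a small generic list. The following is an added example, not MailScanner or SpamAssassin code and not anything posted in the thread, that implements those checks over a raw message with the Python standard library. The sample message, the hit names (ARCHIVE_ONLY and so on), and the archive payloads are constructed for the demonstration; only the ZIP and RAR signature bytes and the filenames in GENERIC_NAMES come from outside this example (the names are the ones listed in the thread).

```python
"""Flag archive-only mail and archives whose real type disagrees with the
declared MIME type or filename.  Added example; not MailScanner code.
"""
import base64
import email
from email import policy

# File signatures.  ZIP local-file header; RAR 1.5-4.x is Rar!\x1a\x07\x00,
# RAR 5 is Rar!\x1a\x07\x01\x00, so the common six-byte prefix is tested.
ZIP_MAGIC = b"PK\x03\x04"
RAR_MAGIC = b"Rar!\x1a\x07"

# Generic names from the thread (the filename.rules.conf list plus the
# dictionary-word names reported above), compared case-insensitively.
GENERIC_NAMES = {
    "msg.zip", "moreinfo.zip", "attachedfile.zip", "textdocument.zip",
    "readme.zip", "msginfo.zip", "document.zip", "info.zip",
    "attacheddocument.zip", "text.zip", "textfile.zip", "letter.zip",
    "message.zip", "attach.zip", "information.zip",
    "cheque.zip", "complaint.zip", "data.zip", "log.zip",
}


def sniff(data: bytes) -> str:
    """Return the container type implied by the leading bytes of DATA."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RAR_MAGIC):
        return "rar"
    return "other"


def analyse(raw: bytes) -> dict:
    """Walk one raw message; return hit names, attachment details and the
    number of non-whitespace characters found in text body parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits, attachments, body_chars = set(), [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()          # Content-Disposition, else Content-Type name=
        ctype = part.get_content_type()
        if filename is None and ctype.startswith("text/"):
            body_chars += len(part.get_content().strip())   # any real body defeats ARCHIVE_ONLY
            continue
        data = part.get_payload(decode=True) or b""          # transfer-decoded bytes
        real = sniff(data)
        name = (filename or "").lower()
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        attachments.append({"filename": filename, "content_type": ctype,
                            "ext": ext, "real": real})
        if real == "rar" and ext == "zip":
            hits.add("RAR_DISGUISED_AS_ZIP")
        if ext in ("zip", "rar") and ctype == "application/octet-stream":
            hits.add("ARCHIVE_SENT_AS_OCTET_STREAM")
        if name in GENERIC_NAMES:
            hits.add("GENERIC_ARCHIVE_NAME")
    if attachments and body_chars == 0 and all(a["real"] in ("zip", "rar") for a in attachments):
        hits.add("ARCHIVE_ONLY")
    return {"hits": sorted(hits), "attachments": attachments, "body_chars": body_chars}


def sample_message(body: str, payload: bytes, filename: str, ctype: str) -> bytes:
    """Constructed message: a 7bit text part followed by one inline archive,
    laid out the way the ZIP_ONLY_SPAM regex above expects."""
    lines = [
        "From: sender@example.invalid",
        "To: victim@example.invalid",
        "Subject: " + filename,
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="----=_Part_0"',
        "",
        "------=_Part_0",
        "Content-Type: text/plain; charset=us-ascii",
        "Content-Transfer-Encoding: 7bit",
        "",
        body,
        "------=_Part_0",
        f'Content-Type: {ctype}; name="{filename}"',
        "Content-Transfer-Encoding: base64",
        f'Content-Disposition: inline; filename="{filename}"',
        "",
        base64.b64encode(payload).decode(),
        "------=_Part_0--",
        "",
    ]
    return "\r\n".join(lines).encode()


# Synthetic payloads: correct signature bytes, no real archive behind them.
FAKE_RAR = RAR_MAGIC + b"\x00" + b"\x00" * 16
FAKE_ZIP = ZIP_MAGIC + b"\x00" * 16

if __name__ == "__main__":
    report = analyse(sample_message("", FAKE_RAR, "Complaint.zip", "application/octet-stream"))
    print(report["hits"])
```

The signature check is the part that matters for the "these are RAR files" observation: a filename or Content-Type rule is only as honest as the sender, whereas the first bytes of the decoded payload are what the recipient's archiver will act on. Scoring each hit separately, as SpamAssassin does, lets a lone ARCHIVE_ONLY on a legitimate one-file mail stay below threshold while the combination seen in this campaign goes well over it.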