alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET TROJAN Bobax Spam Inbound (Unique Faked Message-Id)"; flow:established,to_server; content:"Message-Id\: <"; pcre:"/Message-Id\: <[A-Z0-9]{6}EJXVWDA\d\d\d@/"; threshold: type limit, count 1, seconds 60, track by_src; classtype:misc-activity; sid:2008122; rev:3;)

Added 2008-04-29 17:42:35 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)"; flow:established,to_server; content:"Message-Id\: <"; pcre:"/Message-Id\: <[A-Z0-9]{6}EJXVWDA\d\d\d@/"; threshold: type limit, count 1, seconds 60, track by_src; classtype:misc-activity; sid:2008122; rev:2;)

Added 2008-04-14 14:06:45 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)"; flow:established,to_server; content:"Message-Id\: <"; pcre:"/Message-Id\: <[A-Z0-9]{6}EJXVWDA\d\d\d@/"; classtype:misc-activity; sid:2008122; rev:1;)

Added 2008-04-09 11:59:48 UTC

Message-Id is capitalized incorrectly, and EJXVWDA appears in the middle of the random prefix:

Message-Id: <1IX341EJXVWDA184@charlxxxxxxnix.com>
Message-Id: <0IX361EJXVWDA497@thaxxxxxxxuy.com>
Message-Id: <0IX984EJXVWDA663@bxxxe.org>
Message-Id: <8IX467EJXVWDA672@filmxxxxxtral.net>
Message-Id: <5IX841EJXVWDA231@stephxxxxxxld.org>
Message-Id: <4IX479EJXVWDA351@reXxxxxght.com>
Message-Id: <1IX151EJXVWDA438@uxxxxxt.com>
Message-Id: <9IX545EJXVWDA558@nexxxxble.com>

Intel from Joe Stewart. Many Thanks!!

-- MattJonkman - 09 Apr 2008
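As an added illustration, not code from the original page or from the ET ruleset, the pcre from sid:2008122 applied to constructed header lines, together with a small model of the rule's threshold option (type limit, count 1, seconds 60, track by_src). The sample header values, domains and source address are made up; the match is case-sensitive because the rule uses neither nocase nor a /i flag.

```python
import re
from collections import defaultdict

# Regex taken from the pcre option of ET sid:2008122: six uppercase
# alphanumerics, the fixed marker EJXVWDA, three digits, then the '@'.
BOBAX_MSGID_RE = re.compile(r"Message-Id: <[A-Z0-9]{6}EJXVWDA\d\d\d@")

# Constructed sample headers, not captured traffic. The first two follow the
# pattern shown on the page; the others show what the rule deliberately skips.
SAMPLE_HEADERS = [
    "Message-Id: <1IX341EJXVWDA184@example.com>",      # matches
    "Message-Id: <9IX545EJXVWDA558@example.org>",      # matches
    "Message-ID: <1IX341EJXVWDA184@example.com>",      # RFC casing, no match
    "Message-Id: <1IX34EJXVWDA184@example.com>",       # five-char prefix, no match
    "Message-Id: <1ix341EJXVWDA184@example.com>",      # lowercase prefix, no match
    "Message-Id: <20080409115948.GA123@example.net>",  # ordinary MTA id, no match
]

def is_bobax_message_id(header_line):
    """True when the line matches the sid:2008122 pcre (case-sensitive, like the rule)."""
    return BOBAX_MSGID_RE.search(header_line) is not None

class PerSourceLimiter:
    """Model of 'threshold: type limit, count 1, seconds 60, track by_src':
    at most `count` alerts per source per `seconds`; later matches in the
    window are suppressed, although the traffic itself is still seen."""

    def __init__(self, count=1, seconds=60):
        self.count, self.seconds = count, seconds
        self._windows = defaultdict(lambda: [None, 0])  # src -> [start, fired]

    def should_alert(self, src, now):
        window = self._windows[src]
        if window[0] is None or now - window[0] >= self.seconds:
            window[0], window[1] = now, 0      # open a fresh window for this source
        if window[1] < self.count:
            window[1] += 1
            return True
        return False

def evaluate(headers, src, now, limiter=None):
    """Apply match + threshold to header lines; return (matching lines, alerts fired)."""
    limiter = limiter or PerSourceLimiter()
    matches, alerts = [], 0
    for line in headers:
        if is_bobax_message_id(line):
            matches.append(line)
            if limiter.should_alert(src, now):
                alerts += 1
    return matches, alerts
```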


Topic revision: r2 - 2008-04-09 - MattJonkman
Copyright © Emerging Threats