alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET TROJAN Bobax Spam Inbound (Unique Faked Message-ID and no brackets)"; flow:established,to_server; content:"Message-Id\: "; pcre:"/Message-Id\: [a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{7}/"; threshold: type limit, count 1, seconds 60, track by_src; classtype:misc-activity; sid:2008125; rev:3;)

Added 2008-04-29 17:42:35 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-ID and no brackets)"; flow:established,to_server; content:"Message-Id\: "; pcre:"/Message-Id\: [a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{7}/"; threshold: type limit, count 1, seconds 60, track by_src; classtype:misc-activity; sid:2008125; rev:2;)

Added 2008-04-14 14:06:45 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-ID and no brackets)"; flow:established,to_server; content:"Message-Id\: "; pcre:"/Message-Id\: [a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{7}/"; classtype:misc-activity; sid:2008125; rev:1;)

Added 2008-04-09 12:31:09 UTC

Like so:

Message-ID: 05b601c8992a$084895f0$1802a8c0@computername
Message-ID: 05bd01c8992a$08608ac0$1802a8c0@computername
Message-ID: 05cb01c8992a$087d1370$1802a8c0@computername
Message-ID: 05e701c8992a$08a7f400$1802a8c0@computername
Message-ID: 05d901c8992a$088ddc50$1802a8c0@computername
Message-ID: 05e001c8992a$08902640$1802a8c0@computername
Message-ID: 05d201c8992a$087d1370$1802a8c0@computername
Message-ID: 060a01c8992a$09de0300$1802a8c0@computername
Message-ID: 061101c8992a$09f5d0c0$1802a8c0@computername
Message-ID: 061801c8992a$0a0d9e80$1802a8c0@computername

First group increments over time. Last group is the IP in hex backwards.

Thanks again to Joe Stewart for the intel!

-- MattJonkman - 09 Apr 2008
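As an added example (not part of the rule or of Matt's post), a small Python checker that applies the same three-group Message-ID pattern to raw header lines and decodes the third group as the byte-reversed IPv4 address the post describes; the sample headers are constructed from the IDs quoted above plus one ordinary bracketed Message-ID.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: three of the Message-IDs quoted above plus one ordinary,
# bracketed Message-ID of the kind a legitimate mail client produces.
SAMPLE_HEADERS = """\
Message-ID: 05b601c8992a$084895f0$1802a8c0@computername
Message-ID: 05bd01c8992a$08608ac0$1802a8c0@computername
Message-ID: 061801c8992a$0a0d9e80$1802a8c0@computername
Message-ID: <20080409.123109.abc123@mail.example.net>
"""

# Mirrors the rule's pcre (three alnum groups joined by '$', no enclosing
# brackets). Two deliberate differences: both 'Message-Id' and 'Message-ID'
# are accepted (the rule's content and pcre are case-sensitive and only see
# 'Message-Id'), and the third group is captured whole (8 chars) so it can
# be decoded, where the rule only requires its first 7.
BOBAX_MSGID = re.compile(
    r"^Message-I[dD]:\s+"
    r"(?P<g1>[a-z0-9]{12})\$(?P<g2>[a-z0-9]{8})\$(?P<g3>[a-z0-9]{8})@(?P<host>\S+)$",
    re.MULTILINE,
)


def decode_reversed_ip(group: str) -> Optional[str]:
    """Third group is the sender's IPv4 address as byte-reversed hex:
    '1802a8c0' -> 18 02 a8 c0 -> reversed c0 a8 02 18 -> 192.168.2.24.
    Returns None when the group is not exactly 8 hex digits."""
    try:
        raw = bytes.fromhex(group)
    except ValueError:
        return None
    if len(raw) != 4:
        return None
    return str(ipaddress.IPv4Address(raw[::-1]))


def scan_headers(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per Bobax-style Message-ID found in text."""
    hits = []
    for m in BOBAX_MSGID.finditer(text):
        hits.append({
            "counter": m["g1"],  # first group: increments over time
            "sender_ip": decode_reversed_ip(m["g3"]),
            "host": m["host"],
        })
    return hits


if __name__ == "__main__":
    for hit in scan_headers(SAMPLE_HEADERS):
        print(hit)
```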


Topic revision: r2 - 2008-04-09 - MattJonkman