[Dshield] 1.txt emails again

Kevin kkadow at gmail.com
Tue Aug 9 02:35:32 GMT 2005


On 8/8/05, Bruce <ecarew2531 at rogers.com> wrote:
> Received 1.txt emails with executable attachments today.

Did you receive an actual executable, or a nearly empty attachment of type
application/octet-stream?

>  Many people
> believe these emails are originating from Bagle infected computers around
> the world.  I'm trying to develop a spam filter and considering a number of
> possibilities such as mime boundaries.   Are the mime boundary divisions
> consistent with these emails?  The ones I've received have a boundary
> containing:
> 
>  ousbdhimxrpjhhuwpqkl

I received two of these today, the one to gmail looked like this:
Content-Type: multipart/mixed;
        boundary="--------gxzebjtljddrwigvvwfg"

----------gxzebjtljddrwigvvwfg
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>
1<br><br>

<br>
</body></html>

----------gxzebjtljddrwigvvwfg
Content-Type: application/octet-stream; name="1.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="1.txt"

ICA=

----------gxzebjtljddrwigvvwfg--


> Can this be used for a reliable spam filter signature?

Doesn't look like it unless you can use the entire HTML body as a signature,
there's not enough "meat" here to write a filter that won't return
false positives.

Kevin
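To make Kevin's point concrete, here is an added Python example (not from the list or any poster) that parses a message like the one quoted with the standard `email` library and pulls out the weak indicators it shows: the random lowercase boundary, the near-empty HTML body, and the whitespace-only `1.txt` octet-stream attachment. The sample message is constructed from the parts quoted in the reply, and the indicator names are my own; none of them is a signature on its own, which is why the function returns the whole set rather than a verdict.

```python
import re
from email import message_from_string, policy

SAMPLE = """\
Content-Type: multipart/mixed;
        boundary="--------gxzebjtljddrwigvvwfg"

----------gxzebjtljddrwigvvwfg
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>
1<br><br>

<br>
</body></html>

----------gxzebjtljddrwigvvwfg
Content-Type: application/octet-stream; name="1.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="1.txt"

ICA=

----------gxzebjtljddrwigvvwfg--
"""

def features(raw):
    """Return the weak indicators present; none of them alone is a signature."""
    msg = message_from_string(raw, policy=policy.default)
    found = set()
    # Bagle-style boundary: a run of dashes followed by a random lowercase string.
    if re.fullmatch(r"-*[a-z]{16,}", msg.get_boundary() or ""):
        found.add("random-boundary")
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            text = re.sub(r"<[^>]+>", "", part.get_content()).strip()
            if len(text) <= 2:  # the visible body is just "1"
                found.add("near-empty-html-body")
        elif part.get_content_disposition() == "attachment":
            name = part.get_filename() or ""
            data = part.get_payload(decode=True) or b""
            if ctype == "application/octet-stream" and name.endswith(".txt"):
                found.add("octet-stream-txt")
            if not data.strip():  # "ICA=" decodes to two spaces
                found.add("whitespace-only-attachment")
    return found
```

A filter built on this should only fire when several indicators coincide; a single random boundary or a short HTML body is common in legitimate mail.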


