[Dshield] 1.txt emails again

Kevin kkadow at gmail.com
Tue Aug 9 02:35:32 GMT 2005

On 8/8/05, Bruce <ecarew2531 at rogers.com> wrote:
> Received 1.txt emails with executable attachments today.

Did you receive an actual executable, or a nearly empty attachment of type

>  Many people
> believe these emails are originating from Bagle infected computers around
> the world.  I'm trying to develop a spam filter and considering a number of
> possibilities such as mime boundaries.   Are the mime boundary divisions
> consistent with these emails?  The ones I've received have a boundary
> containing:
>  ousbdhimxrpjhhuwpqkl

I received two of these today, the one to gmail looked like this:
Content-Type: multipart/mixed;

Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit



Content-Type: application/octet-stream; name="1.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="1.txt"



> Can this be used for a reliable spam filter signature?

Doesn't look like it unless you can use the entire HTML body as a signature;
there's not enough "meat" here to write a filter that won't return
false positives.
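
Added example, not part of the original post: a way to check the two questions in this thread against your own samples, namely whether the MIME boundary is the same across messages and whether the part structure alone tells these mails apart from ordinary ones. All three messages are constructed; only the boundary string ousbdhimxrpjhhuwpqkl and the part headers are taken from the thread, and the second boundary, the bodies and the benign mail are assumptions.

```python
from email import message_from_string

def build(boundary, html, attachment_b64):
    """Constructed message in the shape quoted in the thread; bodies are placeholders."""
    return (
        f'Content-Type: multipart/mixed; boundary="{boundary}"\n'
        "MIME-Version: 1.0\n\n"
        f"--{boundary}\n"
        'Content-Type: text/html; charset="us-ascii"\n'
        "Content-Transfer-Encoding: 7bit\n\n"
        f"{html}\n"
        f"--{boundary}\n"
        'Content-Type: application/octet-stream; name="1.txt"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="1.txt"\n\n'
        f"{attachment_b64}\n"
        f"--{boundary}--\n"
    )

def features(raw):
    """Boundary plus (content type, filename, decoded size) for each leaf part."""
    msg = message_from_string(raw)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        parts.append((part.get_content_type(), part.get_filename(), len(payload)))
    return {"boundary": msg.get_boundary(), "parts": parts}

def structure(raw):
    """Structure-only signature: part types and filenames, nothing else."""
    return tuple((ctype, name) for ctype, name, _ in features(raw)["parts"])

def boundaries_consistent(samples):
    """True when every sample carries the same MIME boundary string."""
    return len({features(s)["boundary"] for s in samples}) == 1

# Constructed samples: A uses the boundary reported in the thread, B a made-up one.
SAMPLE_A = build("ousbdhimxrpjhhuwpqkl", "<html><body></body></html>", "DQo=")
SAMPLE_B = build("constructedboundary01", "<html><body></body></html>", "DQo=")
# Constructed ordinary mail that happens to attach a file named 1.txt.
BENIGN = build("benignconstructed01", "<html><body>Notes attached.</body></html>",
               "bWVldGluZyBub3Rlcwo=")

if __name__ == "__main__":
    print(features(SAMPLE_A))
    print("boundary consistent:", boundaries_consistent([SAMPLE_A, SAMPLE_B]))
    print("structure matches benign mail:", structure(SAMPLE_A) == structure(BENIGN))
```

With these inputs the structure-only signature also matches the benign mail, so any usable rule has to add the boundary, the decoded attachment size or body content, each of which should first be checked for stability across real samples.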


