[Dshield] 1.txt emails again
kkadow at gmail.com
Tue Aug 9 02:35:32 GMT 2005
On 8/8/05, Bruce <ecarew2531 at rogers.com> wrote:
> Received 1.txt emails with executable attachments today.
Did you receive an actual executable, or a nearly empty attachment of type
> Many people
> believe these emails are originating from Bagle infected computers around
> the world. I'm trying to develop a spam filter and considering a number of
> possibilities such as mime boundaries. Are the mime boundary divisions
> consistent with these emails? The one's I've received have a boundary
I received two of these today, the one to gmail looked like this:
Content-Type: text/html; charset="us-ascii"
Content-Type: application/octet-stream; name="1.txt"
Content-Disposition: attachment; filename="1.txt"
> Can this be used for a reliable spam filter signature?
Doesn't look like it unless you can use the entire HTML body as a signature,
there's not enough "meat" here to write a filter that won't return
More information about the list