[Dshield] Pump and Dump Stock lists

Joel Esler eslerj at gmail.com
Thu Feb 1 15:13:37 GMT 2007


I just made this quick procmail recipe.

# Message-Id is a header field, so match the headers (procmail's default) instead of the body (B)
:0:
* ^Message-Id:.*6c822ecf.*
${MAILDIR}/.spam/tmp $MAILDIR/.spam/new

And this one does a nice job of catching random spam.

:0 B:
* (casino|penis|xanax|viagra|winner|blackjack|poker|cutlery|Victorinox|Horning|free-online|handbags|bikini|fashion police|debt|loan approval|OTCBB|Symbol\:|Symb0l|St0ck|Stock|set to explode)
${MAILDIR}/.spam/tmp $MAILDIR/.spam/new

They potentially have false positives, although they are few and far between.

Joel


On 2/1/07, Jim Starke <jim.starke at benco.com> wrote:
> > Tony Nichols wrote:
> >
> > >>Tell your friends and fellow mail admins that "6c822ecf" is the key to
> > >>filtering much of this bullshit out... Glad it helped. It's been well
> > >>publicized, yet the Russians behind this whole thing ain't bothered to
> > >>change it. I still believe that's intentional on their part.
> >
> > >Anyone have a script I might use at my mail server (postfix 2.2.5 and
> > >procmail)? I don't know if it should be a regex or maybe adjust the
> > >existing header check....
> >
> > What about a SPAMASSASSIN rule?
> >
>
> I'll pipe in, I'm in need of a "sendmail" rule?
>
> Thanks!
>
> Jim


-- 
--Joel Esler
ISC Incident Handler
http://www.incidents.org
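
An offline check of the two conditions in the recipes above, added as an example and not part of the original post. Python's `re` stands in for procmail's matching (case-insensitive, with the Message-Id condition applied to the headers and the keyword list to the body), and the three sample messages are constructed.

```python
import re

# The recipes' patterns; procmail matches case-insensitively by default.
MSGID_RE = re.compile(r"^Message-Id:.*6c822ecf", re.I | re.M)
KEYWORD_RE = re.compile(
    r"(casino|penis|xanax|viagra|winner|blackjack|poker|cutlery|Victorinox"
    r"|Horning|free-online|handbags|bikini|fashion police|debt|loan approval"
    r"|OTCBB|Symbol\:|Symb0l|St0ck|Stock|set to explode)", re.I)

def classify(raw):
    """Return (rule, matched_text) for each condition that fires on raw."""
    head, _, body = raw.partition("\n\n")   # headers end at the first blank line
    hits = []
    if MSGID_RE.search(head):                # header scope only
        hits.append(("msgid", "6c822ecf"))
    m = KEYWORD_RE.search(body)              # body scope only (procmail flag B)
    if m:
        hits.append(("keyword", m.group(1)))
    return hits

# Constructed messages, not real mail.
SAMPLES = {
    "stock_spam": "From: a@example.com\n"
                  "Message-Id: <000001c7$6c822ecf$0100007f@example>\n"
                  "Subject: news\n\nSymbol: XXXX is set to explode\n",
    "list_reply": "From: admin@example.org\n"
                  "Message-Id: <1234@example.org>\n"
                  "Subject: Re: filtering\n\nThe 6c822ecf rule works for me.\n",
    "shop_notice": "From: shop@example.net\n"
                   "Message-Id: <5678@example.net>\n"
                   "Subject: order\n\nYour item is back in stock.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

The `shop_notice` result shows how the keyword list produces a false positive: `Stock` matches any body that says "in stock", while the Message-Id condition ignores a body that merely mentions the string.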

