[Dshield] Pump and Dump Stock lists

Joel Esler eslerj at gmail.com
Thu Feb 1 15:15:05 GMT 2007


CORRECTION:

:0 B:
* ^Message-Id:.*6c822ecf.*
${MAILDIR}/.spam/tmp $MAILDIR/.spam/new

Should be

:0 H:
* ^Message-Id:.*6c822ecf.*
${MAILDIR}/.spam/tmp $MAILDIR/.spam/new

My bad.

On 2/1/07, Joel Esler <eslerj at gmail.com> wrote:
> I just made this quick procmail recipe.
>
> :0 B:
> * ^Message-Id:.*6c822ecf.*
> ${MAILDIR}/.spam/tmp $MAILDIR/.spam/new
>
> And this one does a nice job of catching random spam.
>
> :0 B:
> * (casino|penis|xanax|viagra|winner|blackjack|poker|cutlery|Victorinox|Horning|free-online|handbags|bikini|fashion police|debt|loan approval|OTCBB|Symbol\:|Symb0l|St0ck|Stock|set to explode)
> ${MAILDIR}/.spam/tmp $MAILDIR/.spam/new
>
> They potentially have false positives, although they are few and far between.
>
> Joel
>
>
> On 2/1/07, Jim Starke <jim.starke at benco.com> wrote:
> > > Tony Nichols wrote:
> > >
> > > >>Tell your friends and fellow mail admins that "6c822ecf" is the key to
> > > >>filtering much of this bullshit out... Glad it helped. It's been well
> > > >>publicized, yet the Russians behind this whole thing ain't bothered to
> > > >>change it. I still believe that's intentional on their part.
> > >
> > > >Anyone have a script I might use at my mail server (postfix 2.2.5 and
> > > >procmail)? I don't know if it should be a regex or maybe adjust the
> > > >existing header check....
> > >
> > > What about a SpamAssassin rule?
> > >
> >
> > I'll pipe in, I'm in need of a "sendmail" rule?
> >
> > Thanks!
> >
> > Jim
> >
>
>
> --
> --Joel Esler
> ISC Incident Handler
> http://www.incidents.org
>


-- 
--Joel Esler
ISC Incident Handler
http://www.incidents.org
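
Added example, not part of the original message: a simplified Python model of procmail's `H` (header) and `B` (body) match scopes, run on two constructed messages, to show what the correction above changes. The sample messages, addresses, Message-Id layout and function names are assumptions made for illustration.

```python
import re

# Same expression as the recipe; procmail matches case-insensitively by default.
PATTERN = re.compile(r"^Message-Id:.*6c822ecf.*", re.IGNORECASE | re.MULTILINE)

# Constructed sample: the marker is in the message's own (folded) header.
SPAM = (
    "From: promo@example.invalid\n"
    "Message-Id:\n"
    " <000001c7$6c822ecf$0100007f@example.invalid>\n"
    "Subject: hot tip\n"
    "\n"
    "This one is set to explode.\n"
)

# Constructed sample: a bounce whose body quotes the spam's headers.
BOUNCE = (
    "From: mailer-daemon@example.invalid\n"
    "Message-Id: <20070201.aaaa@example.invalid>\n"
    "Subject: Undelivered mail\n"
    "\n"
    "--- original headers ---\n"
    "Message-Id: <000001c7$6c822ecf$0100007f@example.invalid>\n"
)


def split_scopes(raw):
    """Split at the first blank line and unfold header continuation lines."""
    head, _, body = raw.partition("\n\n")
    head = re.sub(r"\n[ \t]+", " ", head)
    return head, body


def matches(raw, flag):
    """Model the recipe flag: 'H' searches only headers, 'B' only the body."""
    head, body = split_scopes(raw)
    scope = {"H": head, "B": body}[flag]
    return bool(PATTERN.search(scope))


if __name__ == "__main__":
    for name, msg in (("spam", SPAM), ("bounce", BOUNCE)):
        print(name, {flag: matches(msg, flag) for flag in ("H", "B")})
```

With `B` the spam itself is missed and only a message that quotes the header in its body is caught; with `H` the result is reversed.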

