[Dshield] Pump and Dump Stock lists

Shaun shaun at shaunc.com
Fri Jan 26 20:55:18 GMT 2007


On Fri, 26 Jan 2007 13:37:31 -0600
"Shawn Cox" <shawn.cox at pcca.com> wrote:

> The PnD stock spams are by far my worst offenders.  I have most all of the
> drug and enhancement spam under control, but these stock scams I just can't
> get a hold on.

Try blocking when the message-id contains 6c822ecf and you'll catch a
lot of them. The zombie responsible for much of the stock spam has that
string hard coded in the message-id header, and while there seem to have
been several "generations" of the zombie where other characteristics of
the spams have changed, the author has not changed or removed that
string. 

I have a theory that it's there intentionally with hopes that savvy mail
admins will just filter the shit out rather than try to put a stop to it,
and I must admit that's exactly what I've done.

I was thinking of creating an SA rule file with the last few days' worth
of pump 'n dump stock tickers, but I doubt I'd have the time to maintain
it. Good luck if you start something similar, though, it would be useful.

-s
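
The Message-ID check suggested above, as an added example that is not part of the original post: it parses raw messages and flags those whose Message-ID header contains the string, ignoring matches in the subject or body. The sample messages are constructed, and the case-insensitive match and the rule name in the comment are assumptions.

```python
from email import message_from_string

MARKER = "6c822ecf"  # string the post reports as hard-coded in the Message-ID

# Roughly equivalent SpamAssassin rule (rule name is hypothetical):
#   header LOCAL_PND_MSGID  Message-ID =~ /6c822ecf/i

def message_ids(raw):
    """Return every Message-ID value in a raw message, with folding removed."""
    msg = message_from_string(raw)
    # get_all() matches the header name case-insensitively and returns all
    # copies, so a duplicated header cannot hide the marker.
    values = msg.get_all("Message-ID") or []
    # A folded header keeps its line break and indent; drop all whitespace.
    return ["".join(str(v).split()) for v in values]

def has_marker(raw, marker=MARKER):
    """True if any Message-ID header contains the marker (case-insensitive)."""
    marker = marker.lower()
    return any(marker in mid.lower() for mid in message_ids(raw))

def flagged(messages):
    """Indexes of the messages that carry the marker in a Message-ID header."""
    return [i for i, raw in enumerate(messages) if has_marker(raw)]

# Constructed sample messages (not real spam captures).
SAMPLES = [
    # 0: marker in a plain Message-ID header
    "From: a@example.invalid\nMessage-ID: <1234.6c822ecf.5678@example.invalid>\n"
    "Subject: hot pick\n\nbuy now\n",
    # 1: lower-case header name, folded value, upper-case marker
    "From: b@example.invalid\nmessage-id:\n <ABCD.6C822ECF.EF01@example.invalid>\n"
    "Subject: alert\n\nbody\n",
    # 2: marker only in Subject and body, so it must not be flagged
    "From: c@example.invalid\nMessage-ID: <9999.0000@example.invalid>\n"
    "Subject: 6c822ecf\n\n6c822ecf in body only\n",
    # 3: no Message-ID header at all
    "From: d@example.invalid\nSubject: no id\n\nbody\n",
]

if __name__ == "__main__":
    for i in flagged(SAMPLES):
        print(f"message {i}: {message_ids(SAMPLES[i])}")
```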

