[Dshield] Pump and Dump Stock lists

Shawn Cox shawn.cox at pcca.com
Fri Jan 26 22:13:54 GMT 2007

Further digging this afternoon netted me this site which has an RSS feed.


I'll try that string, I'm grepping my message logs now looking for hits on


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Shaun
Sent: Friday, January 26, 2007 2:55 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Pump and Dump Stock lists

On Fri, 26 Jan 2007 13:37:31 -0600
"Shawn Cox" <shawn.cox at pcca.com> wrote:

> The PnD stock spams are by far my worst offenders.  I have most all of the
> drug and enhancement spam under control, but these stock scams I just
> get a hold on.

Try blocking when the message-id contains 6c822ecf and you'll catch a
lot of them. The zombie responsible for much of the stock spam has that
string hard coded in the message-id header, and while there seem to have
been several "generations" of the zombie where other characteristics of
the spams have changed, the author has not changed or removed that

I have a theory that it's there intentionally with hopes that savvy mail
admins will just filter the shit out rather than try to put a stop to it,
and I must admit that's exactly what I've done.

I was thinking of creating an SA rule file with the last few days' worth
of pump 'n dump stock tickers, but I doubt I'd have the time to maintain
it. Good luck if you start something similar, though, it would be useful.
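
Added example, not part of either poster's message: a Python sketch of the Message-ID check suggested above, run over constructed sample messages. Only the string 6c822ecf comes from the thread; the function names, sample headers and addresses are assumptions.

```python
import email
from email import policy

# Marker string quoted in the thread; everything else below is constructed.
MARKER = "6c822ecf"


def message_id_hits(raw_message: bytes, marker: str = MARKER) -> list[str]:
    """Return the Message-ID values of one raw message that contain marker.

    Only the Message-ID header is inspected, so the string showing up in the
    body or in another header (for example a reply discussing the filter)
    is not reported as a hit.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.compat32)
    hits = []
    for value in msg.get_all("Message-ID", []):
        # Remove folding whitespace, then compare case-insensitively.
        unfolded = "".join(str(value).split())
        if marker.lower() in unfolded.lower():
            hits.append(unfolded)
    return hits


# Constructed sample messages (not real spam captures).
SAMPLES = {
    "marker-in-msgid": b"From: a@example.com\r\n"
                       b"Message-ID: <000a01c7$6c822ecf$0100007f@example.net>\r\n"
                       b"Subject: hot pick\r\n\r\nbuy now\r\n",
    "folded-uppercase": b"Message-ID:\r\n <000b01c7$6C822ECF$1@example.net>\r\n"
                        b"Subject: x\r\n\r\nbody\r\n",
    "marker-in-body-only": b"Message-ID: <1234@example.org>\r\n"
                           b"Subject: Re: filter\r\n\r\nTry blocking 6c822ecf\r\n",
    "no-message-id": b"Subject: hello\r\n\r\nhi\r\n",
}


def scan(samples=SAMPLES) -> dict[str, list[str]]:
    """Map each sample name to the matching Message-ID values (empty = clean)."""
    return {name: message_id_hits(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hits in scan().items():
        print(f"{name}: {'BLOCK ' + hits[0] if hits else 'pass'}")
```

A plain grep for the string over whole messages would also flag the third sample, which only mentions the marker in its body.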

