[Dshield] Pump and Dump Stock lists

Boy, Gary gboy at installed.net
Mon Jan 29 23:05:34 GMT 2007


This little gem caught about 300 of the nasty little buggers in about
eight hours.  Thank you very much.

gb

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Shaun
Sent: Friday, January 26, 2007 3:55 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Pump and Dump Stock lists

On Fri, 26 Jan 2007 13:37:31 -0600
"Shawn Cox" <shawn.cox at pcca.com> wrote:

> The PnD stock spams are by far my worst offenders.  I have most all of
> the drug and enhancement spam under control, but these stock scams I
> just can't get a hold on.

Try blocking when the message-id contains 6c822ecf and you'll catch a
lot of them. The zombie responsible for much of the stock spam has that
string hard coded in the message-id header, and while there seem to have
been several "generations" of the zombie where other characteristics of
the spams have changed, the author has not changed or removed that
string. 

I have a theory that it's there intentionally with hopes that savvy mail
admins will just filter the shit out rather than try to put a stop to
it, and I must admit that's exactly what I've done.

I was thinking of creating an SA rule file with the last few days' worth
of pump 'n dump stock tickers, but I doubt I'd have the time to maintain
it. Good luck if you start something similar, though, it would be
useful.

-s
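
The Message-ID check described in the quoted reply, sketched as an added example that is not part of the original thread or any poster's own filter. Only the marker string comes from the post; the function names and sample messages are constructed for illustration. It matches the header only, so mail that merely discusses the string is not caught.

```python
from email import message_from_string

# Marker string quoted in the post above; everything else here is constructed.
MARKER = "6c822ecf"

def message_ids(raw):
    """Return every Message-ID value in a raw message, unfolded."""
    msg = message_from_string(raw)  # header-name lookup is case-insensitive
    # A Message-ID holds no whitespace, so removing it undoes header folding.
    return ["".join(v.split()) for v in msg.get_all("Message-ID", [])]

def has_marker(raw, marker=MARKER):
    """True if any Message-ID header (not the body or Subject) has the marker."""
    needle = marker.lower()
    return any(needle in mid.lower() for mid in message_ids(raw))

def triage(raw_messages):
    """Split messages into (blocked, passed) lists of their indexes."""
    blocked, passed = [], []
    for i, raw in enumerate(raw_messages):
        (blocked if has_marker(raw) else passed).append(i)
    return blocked, passed

# Constructed sample messages (example.invalid is a reserved domain).
SAMPLES = [
    # 0: marker in a plain Message-ID header
    "From: a@example.invalid\nMessage-ID: <000a01c7$6c822ecf$0100007f@example.invalid>\n"
    "Subject: hot stock\n\nbuy now\n",
    # 1: different header-name case, folded value, upper-case hex
    "From: b@example.invalid\nmessage-id:\n <000b01c7$6C822ECF$0100007f@example.invalid>\n"
    "Subject: alert\n\nbuy now\n",
    # 2: marker only in Subject and body, e.g. a reply discussing the filter
    "From: c@example.invalid\nMessage-ID: <20070126.1@example.invalid>\n"
    "Subject: Re: 6c822ecf\n\nTry blocking 6c822ecf\n",
    # 3: no Message-ID header at all
    "From: d@example.invalid\nSubject: hello\n\nhi\n",
]

if __name__ == "__main__":
    blocked, passed = triage(SAMPLES)
    print("blocked:", blocked, "passed:", passed)
```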