[Dshield] Pump and Dump Stock lists

BOYD S. (SPENCE) MINER k4kep at backroads.net
Tue Jan 30 15:20:01 GMT 2007


Why not take the time to forward those to enforcement at sec.gov,
enforcement at cftc.gov, isfeedback at nasdaq.com, spam at uce.gov?

The SEC has been able to make some real solid cases lately. Help them out.

73
SPENCE

Subject: Re: [Dshield] Pump and Dump Stock lists
From: "Boy, Gary" <gboy at installed.net>
Date: Mon, 29 Jan 2007 18:05:34 -0500
To: "General DShield Discussion List" <list at lists.dshield.org>
Content-Transfer-Encoding: 8bit
Precedence: list
References: <012501c74181$6b6d72b0$5701050a at pcca.com> <20070126145514.18A5.SHAUN at shaunc.com>
Reply-To: General DShield Discussion List <list at lists.dshield.org>
Message-ID: <C57A8E6DE317DE4A8BA8BB76DC9E166803F6DAE2 at ibpexch1>
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Message: 8

This little gem caught about 300 of the nasty little buggers in about
eight hours.  Thank you very much.

gb

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Shaun
Sent: Friday, January 26, 2007 3:55 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Pump and Dump Stock lists

On Fri, 26 Jan 2007 13:37:31 -0600
"Shawn Cox" <shawn.cox at pcca.com> wrote:

> > The PnD stock spams are by far my worst offenders.  I have most all of
> > the drug and enhancement spam under control, but these stock scams I
> > just can't get a hold on.

Try blocking when the message-id contains 6c822ecf and you'll catch a
lot of them. The zombie responsible for much of the stock spam has that
string hard coded in the message-id header, and while there seem to have
been several "generations" of the zombie where other characteristics of
the spams have changed, the author has not changed or removed that
string.

I have a theory that it's there intentionally with hopes that savvy mail
admins will just filter the shit out rather than try to put a stop to
it, and I must admit that's exactly what I've done.

I was thinking of creating an SA rule file with the last few days' worth
of pump 'n dump stock tickers, but I doubt I'd have the time to maintain
it. Good luck if you start something similar, though, it would be
useful.

-s
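
The Message-ID check described in the thread above, as an added example that is not part of the original posts: it parses raw messages and flags those whose Message-ID header contains the quoted string, including folded and upper-case variants. The function names and the sample messages are constructed for illustration.

```python
import email
from email import policy

# String the thread reports as hard coded in the zombie's Message-ID header.
MARKER = "6c822ecf"

def message_id_matches(raw: bytes, marker: str = MARKER) -> bool:
    """Return True if any Message-ID header of the raw message contains marker."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    # get_all() covers messages that carry more than one Message-ID header.
    for value in msg.get_all("Message-ID", []):
        # Drop folding whitespace, then compare case-insensitively.
        unfolded = "".join(str(value).split())
        if marker.lower() in unfolded.lower():
            return True
    return False

def classify(messages):
    """Return one 'block' or 'pass' decision per raw message, in order."""
    return ["block" if message_id_matches(m) else "pass" for m in messages]

# Constructed sample messages (not taken from the thread).
SAMPLES = [
    # Marker inside the Message-ID, as described in the thread.
    b"From: a@example.test\r\n"
    b"Message-ID: <0001016c822ecf$1a2b@example.test>\r\n"
    b"Subject: stock alert\r\n\r\nbody\r\n",
    # Folded header and upper-case hex: still a match.
    b"From: b@example.test\r\n"
    b"Message-ID:\r\n <ABC6C822ECF.77@example.test>\r\n"
    b"Subject: folded\r\n\r\nbody\r\n",
    # Ordinary list mail: no match.
    b"From: c@example.test\r\n"
    b"Message-ID: <20070126145514.ok@example.test>\r\n"
    b"Subject: list mail\r\n\r\nbody\r\n",
    # Marker only in the body, no Message-ID header: not matched,
    # because the check is scoped to the header.
    b"From: d@example.test\r\n"
    b"Subject: discussion\r\n\r\nthe string 6c822ecf is quoted here\r\n",
]

if __name__ == "__main__":
    for number, decision in enumerate(classify(SAMPLES), start=1):
        print(f"message {number}: {decision}")
```

Scoping the match to the header keeps mail that merely quotes the string, such as this thread, from being blocked.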