I've noticed a signature associated with some type of new ratware. It
doesn't seem too popular yet (only a couple dozen hits per hour out of 100k
messages/day). SA263 doesn't see anything wrong with the headers. The most
obviously incriminating data is a forged "Received" line that includes some
text about encrypted transfer. The "DES-CBC3-SHA" xfer style it mentions is
apparently valid (I saw qmail examples in a google search) but the typo
(below) saying "with with" is a good identifier for this particular program.
I'm rejecting them with postfix header checks.
Received: from [197.178.76.58] by 24.30.7.33 with with DES-CBC3-SHA
encrypted SMTP; Wed, 04 Feb 2004 06:50:01 -0600
The from/reply-to address made from this program is always a randomly
generated username with a valid domain. The username seems to be 6 or more
characters, often with few vowels. Here are a few examples:
fcslpwdwdt@hot-shot.com
zndewbdsvkq@mindless.com
rciquxgzxld@berlin.com
squugenpt@africamail.com
rrycxykfoqdbwn@hairdresser.net
zmdpiozerqwtp@australiamail.com
xymbkhm@accountant.com
I wonder if a low/med scoring rule can be created to look for usernames of 6
or more alpha only chars with large groups (4+) of back-to-back consonants?
Sticking with 6 or more chars should avoid simple abbreviations like
qts@domain.com or dprc@otherdomain.com, but be more successful with
xymbkhm@accountant.com.
Anyway, here's more header slime it generates:
X-Authentication-Warning: tjgpbily- fyygvdu
Message-ID: <13025300696510.2067012045547397869255@wgyfkgayv>
References: <138671429130718184835@ajbttxpl>
In-Reply-To: <138671429130718184835@ajbttxpl>
X-Mailer: ypewybj. lbxwy
I've kept one of these messages as a sample; email me for the full source if
it's of interest to you. I'm pretty rough with regex/pcre so I won't be
posting any rules for this any time soon. Hopefully this is of use to
someone else :)
--eric
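As an added example (not from the post above, and not a SpamAssassin rule), here is a Python sketch of the two checks Eric describes: the doubled "with with" in the forged Received line, and the consonant-run heuristic for the From/Reply-To local part, run over the addresses he quotes. Treating "y" as a consonant and using exactly 4 back-to-back consonants as the threshold are assumptions based on his wording; the rule names and the sample header block are constructed here.

```python
import re

# Heuristic from the post: local part is 6+ letters only and contains a run
# of 4 or more consecutive consonants. Counting "y" as a consonant is an
# assumption; the post does not say.
LOCAL_ALPHA_RE = re.compile(r"^[a-z]{6,}$", re.IGNORECASE)
CONSONANT_RUN_RE = re.compile(r"[b-df-hj-np-tv-z]{4,}", re.IGNORECASE)

# The "with with" typo in the forged Received line quoted in the post.
# (The same pattern could serve as a postfix header_checks PCRE entry.)
DOUBLE_WITH_RE = re.compile(r"^Received:.*\bwith with\b",
                            re.IGNORECASE | re.MULTILINE)


def local_part(addr: str) -> str:
    """Return the part before '@' from a bare or display-name address."""
    m = re.search(r"<([^>]+)>", addr)
    if m:
        addr = m.group(1)
    return addr.strip().rsplit("@", 1)[0]


def random_local_part(addr: str) -> bool:
    """True if the address matches the consonant-run heuristic."""
    lp = local_part(addr)
    return bool(LOCAL_ALPHA_RE.match(lp) and CONSONANT_RUN_RE.search(lp))


def header_hits(headers: str) -> list:
    """Return the (constructed) rule names that fire on a raw header block."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join folded header lines
    hits = []
    if DOUBLE_WITH_RE.search(unfolded):
        hits.append("RCVD_WITH_WITH")
    for name in ("From", "Reply-To"):
        m = re.search(rf"^{name}:\s*(.+)$", unfolded, re.IGNORECASE | re.MULTILINE)
        if m and random_local_part(m.group(1)):
            hits.append(f"{name.upper().replace('-', '_')}_RANDOM_LOCAL")
    return hits


# Constructed header block combining the Received and From patterns from the post.
SAMPLE_HEADERS = """\
Received: from [197.178.76.58] by 24.30.7.33 with with DES-CBC3-SHA
 encrypted SMTP; Wed, 04 Feb 2004 06:50:01 -0600
From: xymbkhm@accountant.com
X-Mailer: ypewybj. lbxwy
"""

if __name__ == "__main__":
    print(header_hits(SAMPLE_HEADERS))
```

Of the seven addresses quoted above, six trip the consonant-run check while squugenpt@africamail.com slips through, and a common surname such as "schmidt" would also fire, which is why a low or medium score rather than an outright reject fits this heuristic.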