Postini Spam Filter
Reader David wrote to us with this comment and request:

We use Postini for SPAM and email filtering, and they've had a weird attack today. Emails are coming through from random sources, with TORA.OB written out in number characters. I googled TORA.OB and found a company on the stock exchange using that name. Just wondering if anyone else has seen this? Just a little unusual I think. Nothing else in it (i.e. no exploits, binary data, etc.)

Anybody else seeing similar spam runs getting through Postini?  Let us know via the contact form.

UPDATE #1
Many readers are telling us that they've seen these spam messages today, so we've confirmed that they exist.  No need to write in and send us more samples.  Our cup runneth over...

Reader Conrad told us this:

Postini subscribers can email spam -at- postini.com with sample spam messages. This will enable Postini to adjust their filters to keep this sort of spam out.

Thanks, Conrad!

UPDATE #2
At the risk of drawing attention to this stock, handler Deb pointed me to a stock page where you can see the pump and dump scheme as it happens.  Looks like the value is already going down, so no need to buy anymore.

UPDATE #3
We have multiple confirmations that the spam made it through many different spam filters in addition to Postini.  This is a typical pump-n-dump stock scheme just like the image-based spam that we are all so tired of.  If it feels like you've seen a dramatic rise in this category of spam over the past few weeks you are not alone.  eWeek has a pretty good article about it, and there's a lively debate about it over on Slashdot.

A reader gave us some ideas on how this type of spam might be blocked.  We have not tried this filter but offer it to the community for your consideration.

The following procmail recipe should catch the 'thin-line' ones:

    # "spam" mailbox as the action line is assumed; the original omitted it (":0:" locks it)
    :0:
    * ^Message-Id: <............\$........\$00000000\@
    spam

And the following should catch the 'fat-line' ones:

    # Score-based: starts at -100, adds 2 per space-delimited 5-digit run and 3 per
    # 10-digit run; fires only if the total ends positive. "B ??" makes the last two
    # conditions search the body, and exponent ^1 counts every match (with the
    # original ^0 only the first match scored, so the total could never exceed -95).
    # The "spam" mailbox action line is assumed; the original omitted it.
    :0:
    * < 10000
    * ^Content-type: text/plain;
    * -100^0
    * 2^1 B ?? [ ][0-9][0-9][0-9][0-9][0-9][ ]
    * 3^1 B ?? [ ][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]
    spam
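
As an added illustration (not part of the diary or of the reader's recipe), the Python below reimplements the fat-line scoring over two constructed messages, one filled with digit art like the samples readers described and one ordinary plain-text mail, so the weights and the -100 head start can be tuned against your own samples. It assumes each non-overlapping match adds its weight (procmail's exponent 1) and treats the size and Content-Type checks as gates; the addresses, bodies and the `constructed_message` helper are all constructed for the example.

```python
import email
import re

# Weights from the 'fat-line' recipe above: start at -100, add 2 per space-delimited
# 5-digit run and 3 per 10-digit run; a positive total marks the message as spam.
START_SCORE = -100
MAX_SIZE = 10000                          # procmail: * < 10000
FIVE_DIGITS = re.compile(r" [0-9]{5} ")   # procmail: [ ][0-9][0-9][0-9][0-9][0-9][ ]
TEN_DIGITS = re.compile(r" [0-9]{10}")    # procmail: [ ] followed by ten [0-9]


def fat_line_score(raw):
    """Score one RFC 822 message; None means the size or Content-Type gate failed."""
    if len(raw.encode("utf-8")) >= MAX_SIZE:
        return None
    msg = email.message_from_string(raw)
    if not msg.get("Content-Type", "").lower().startswith("text/plain;"):
        return None
    body = msg.get_payload()
    # Exponent-1 semantics: every non-overlapping match adds its weight, which is
    # what lets a long block of digit art climb past the -100 head start.
    score = START_SCORE
    score += 2 * len(FIVE_DIGITS.findall(body))
    score += 3 * len(TEN_DIGITS.findall(body))
    return score


def is_fat_line_spam(raw):
    score = fat_line_score(raw)
    return score is not None and score > 0


def constructed_message(body):
    # Constructed test message; the addresses are placeholders, not diary samples.
    return ("From: sender@example.invalid\nTo: you@example.invalid\n"
            "Subject: sample\nContent-Type: text/plain; charset=us-ascii\n\n" + body)


# Digit art standing in for a ticker spelled out in number characters: 8 rows of
# eight 5-digit runs alternating with 8 rows of four 10-digit runs (constructed).
DIGIT_ART = ((" 88888" * 8 + "\n") + (" 8888888888" * 4 + "\n")) * 8
SPAM = constructed_message(DIGIT_ART)
LEGIT = constructed_message("Order 12345 shipped; tracking 1234567890 follows.\n")

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("legit", LEGIT)):
        print(name, fat_line_score(raw), is_fat_line_spam(raw))  # spam 60 True / legit -95 False
```

Raising START_SCORE toward zero makes the filter more aggressive; the legitimate message above still only reaches -95 because its two numbers are scored once each.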

Thanks again to everybody who sent in samples and comments!

Marcus H. Sachs
SANS Internet Storm Center