Stock Quote Spam

Unanswered Question
Feb 27th, 2007

Hi,

I'm having an issue with a particular spam email. It never comes from the same domain, but always includes a .gif file with a stock quote attached. I looked at the internet header to try and find something unique to base a custom signature on. Here is the only thing I could find:

MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_0011_01C755CC.37E9B160"

What would be the best way to resolve this issue? Thanks

I also attached the .gif file.

mhellman Tue, 02/27/2007 - 08:53

Is the boundary always the same? I think the MIME boundary can be anything, so if the spammer is using the same boundary value... that would be a good thing to look for and block on. The rest is pretty normal. You could certainly block on the gif if it's always the same too (either in name or content).

Go into the IPS MC (GUI on the sensor) and select the 'signature configuration'. In the 'Select By' combobox enter 'Sig Name'. Then in the 'enter sig name' text box enter 'attach' and press find. There are some good examples of how to block email with certain attachments/content.
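The check the reply asks for (is the boundary, or the gif, actually the same every time?) can be run over saved copies of the message before a signature is written. This is an added example, not part of the original thread; the function names and the sample messages are constructed for illustration, and only the boundary string is taken from the post.

```python
import base64
import hashlib
from email import message_from_string

def fingerprint(raw):
    """Return (outer MIME boundary, SHA-256 digests of every image/gif part)."""
    msg = message_from_string(raw)
    digests = {
        hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()
        for part in msg.walk()
        if part.get_content_type() == "image/gif"
    }
    return msg.get_boundary(), digests

def stable_features(samples):
    """Keep only the features that are identical in every collected sample."""
    prints = [fingerprint(s) for s in samples]
    boundaries = {b for b, _ in prints}
    common_gifs = set.intersection(*(d for _, d in prints)) if prints else set()
    return {
        "boundary": next(iter(boundaries)) if len(boundaries) == 1 else None,
        "gif_sha256": sorted(common_gifs),
    }

def make_sample(boundary, gif_bytes):
    """Build a constructed test message shaped like the headers in the post."""
    b64 = base64.b64encode(gif_bytes).decode()
    return (
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/related;\n type="multipart/alternative";\n'
        f' boundary="{boundary}"\n\n'
        f"--{boundary}\nContent-Type: text/plain\n\nstock quote text\n"
        f'--{boundary}\nContent-Type: image/gif; name="quote.gif"\n'
        "Content-Transfer-Encoding: base64\n\n"
        f"{b64}\n--{boundary}--\n"
    )

POSTED_BOUNDARY = "----=_NextPart_000_0011_01C755CC.37E9B160"  # from the post
# Constructed samples: same boundary, image bytes differ between messages.
SAMPLES = [
    make_sample(POSTED_BOUNDARY, b"GIF89a constructed image one"),
    make_sample(POSTED_BOUNDARY, b"GIF89a constructed image two"),
]

if __name__ == "__main__":
    print(stable_features(SAMPLES))
```

A feature that comes back as None or as an empty list differs between the collected copies, so a signature built on it would miss some of them.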
