Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
431
Views
0
Helpful
1
Replies

Stock Quote Spam

rrutledge
Level 1
Level 1

‎02-27-2007 07:08 AM - edited ‎03-10-2019 03:29 AM

Hi,

I'm having an issue with a particular spam email. It never comes from the same domain, but always include a .gif file with a stock quote attached. I looked at the internet header to try and find something unique to base a custom signature. Here is the only thing I could find:

MIME-Version: 1.0

Content-Type: multipart/related;

type="multipart/alternative";

boundary="----=_NextPart_000_0011_01C755CC.37E9B160"

What would be the best way to resolve this issue? Thanks

I also attached the .gif file

Labels:
Preview file
13 KB
0 Helpful
1 Reply 1

mhellman
Level 7
Level 7

‎02-27-2007 08:53 AM

Is the boundary always the same? I think the mime boundary can be anything, so if the spammer is using the same boundary value...that would be a good thing to look for and block on. The rest is pretty normal. You could certainly block on the gif if it's always the same too(either in name or content).

Go into the IPS MC (GUI on the sensor) and select the 'signature configuration'. In the 'Select By' combobox enter 'Sig Name'. Then in the 'enter sig name' text box enter 'attach' and press find. There are some good examples of how to block email with certain attachments/content.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card