Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Stock Quote Spam

Hi,

I'm having an issue with a particular spam email. It never comes from the same domain, but always include a .gif file with a stock quote attached. I looked at the internet header to try and find something unique to base a custom signature. Here is the only thing I could find:

MIME-Version: 1.0

Content-Type: multipart/related;

type="multipart/alternative";

boundary="----=_NextPart_000_0011_01C755CC.37E9B160"

What would be the best way to resolve this issue? Thanks

I also attached the .gif file

1 REPLY
Gold

Re: Stock Quote Spam

Is the boundary always the same? I think the mime boundary can be anything, so if the spammer is using the same boundary value...that would be a good thing to look for and block on. The rest is pretty normal. You could certainly block on the gif if it's always the same too(either in name or content).

Go into the IPS MC (GUI on the sensor) and select the 'signature configuration'. In the 'Select By' combobox enter 'Sig Name'. Then in the 'enter sig name' text box enter 'attach' and press find. There are some good examples of how to block email with certain attachments/content.

150
Views
0
Helpful
1
Replies