I'm having an issue with a particular spam email. It never comes from the same domain, but always includes a .gif file with a stock quote attached. I looked at the internet header to try and find something unique to base a custom signature on. Here is the only thing I could find:
Is the boundary always the same? I think the MIME boundary can be anything, so if the spammer is using the same boundary value... that would be a good thing to look for and block on. The rest is pretty normal. You could certainly block on the gif if it's always the same too (either in name or content).
Go into the IPS MC (GUI on the sensor) and select the 'signature configuration'. In the 'Select By' combobox enter 'Sig Name'. Then in the 'enter sig name' text box enter 'attach' and press find. There are some good examples of how to block email with certain attachments/content.
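Before writing a signature on the boundary or the gif, it helps to confirm which of those traits really is constant across the collected samples. The script below is an added example, not part of the original posts; the sample messages, addresses, boundary string and file names are constructed for illustration.

```python
import base64
import hashlib
from email import message_from_string

def make_sample(sender, boundary, gif_name, gif_bytes):
    """Build a constructed spam-like message (not taken from the thread)."""
    b64 = base64.b64encode(gif_bytes).decode()
    return (
        f"From: {sender}\nSubject: stock alert\nMIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\n\n'
        f"--{boundary}\nContent-Type: text/plain\n\nsee attached\n"
        f'--{boundary}\nContent-Type: image/gif; name="{gif_name}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{gif_name}"\n\n'
        f"{b64}\n--{boundary}--\n"
    )

def stable_traits(raw_messages):
    """Return each trait's value if identical in every sample, else None."""
    seen = {"boundary": set(), "gif_name": set(), "gif_sha256": set()}
    for raw in raw_messages:
        msg = message_from_string(raw)
        seen["boundary"].add(msg.get_boundary())
        gifs = [p for p in msg.walk() if p.get_content_type() == "image/gif"]
        if not gifs:
            # A sample without a gif means the gif traits are not universal.
            seen["gif_name"].add(None)
            seen["gif_sha256"].add(None)
        for part in gifs:
            body = part.get_payload(decode=True)  # base64-decoded bytes
            seen["gif_name"].add(part.get_filename())
            seen["gif_sha256"].add(hashlib.sha256(body).hexdigest())
    return {k: (next(iter(v)) if len(v) == 1 else None) for k, v in seen.items()}

# Constructed samples: different sender domains, same boundary,
# changing gif names, and one gif whose content differs.
BOUNDARY = "----=_NextPart_CONSTRUCTED_0001"
SAMPLES = [
    make_sample("a@example.com", BOUNDARY, "q1.gif", b"GIF89a-constructed-A"),
    make_sample("b@example.net", BOUNDARY, "q2.gif", b"GIF89a-constructed-A"),
    make_sample("c@example.org", BOUNDARY, "q3.gif", b"GIF89a-constructed-B"),
]

if __name__ == "__main__":
    for trait, value in stable_traits(SAMPLES).items():
        print(f"{trait}: {value if value else 'varies, not usable as a signature'}")
```

A trait reported as constant is a candidate match string for the custom signature; one that varies would miss later messages.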