--On Tuesday, June 6, 2006 10:31 AM -0500 "Damrose, Mark" <[EMAIL PROTECTED]> wrote:

header  __NUMBER3   Message-ID =~ /\<[EMAIL PROTECTED]>/


I was wondering why we didn't see any!  I put in effectively the same
thing in Mimedefang a long time ago.  Bagle built Message-ID this same
way and we could swat them away without analyzing the body.  This:

   # Bagle forges Message-IDs of the form <lowercase@columbia.edu>, so a
   # match on that shape is enough to reject without scanning the body.
   if ($MessageID =~ /<[a-z]+\@(columbia|COLUMBIA)/) {
       md_graphdefang_log('virus','Bagle',$RelayAddr);
       action_bounce("You are not columbia.edu");
       return action_discard();
   }

It's definitely a bot net.  At the moment it is working its way through
our users in alphabetical order in three series, addresses starting with
'c', 'e', and 'y'.  Although each host sends to no more than 5 recipients,
an overall alphabetical order is maintained in each series showing that
there are three controllers somewhere working through alphabetical lists
and feeding them to bots they control.

They also hit us with no more than 3 per minute.  This and the very
distributed bot net are probably evasive actions.

Out of 1,753 messages there are only five unique subjects:
1545453
455
557
57657
586876

These do not correspond to the three alphabetical series.  Each one is
using '557' for some messages, for example.

Joe Brennan
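The post above describes three detection handles for this bot traffic: the forged Message-ID shape, the five fixed subject lines, and the alphabetical walk through recipients at no more than 3 messages per minute. The following Python script is an added example, not code from the post or from MIMEDefang, showing how a mail administrator could check all three against gateway metadata offline. The records in SAMPLE are constructed for illustration; the regex mirrors the Perl one in the post, and the subject list is the one given above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of per-message metadata as a gateway might log it:
# (Message-ID, envelope recipient, Subject, receive time). Not real traffic.
SAMPLE = [
    ("<kqwe@columbia.edu>", "cabrera@example.edu", "557", "2006-06-06T10:30:05"),
    ("<zzz@COLUMBIA.EDU>", "eames@example.edu", "1545453", "2006-06-06T10:30:20"),
    ("<pqr@columbia.edu>", "yang@example.edu", "557", "2006-06-06T10:30:40"),
    ("<3f2a.1b@mail.example.net>", "bob@example.edu", "Meeting notes", "2006-06-06T10:30:50"),
    ("<abc@columbia.edu>", "carter@example.edu", "455", "2006-06-06T10:31:10"),
    ("<dfg@columbia.edu>", "edwards@example.edu", "586876", "2006-06-06T10:31:30"),
    ("<hjk@columbia.edu>", "young@example.edu", "57657", "2006-06-06T10:31:55"),
    ("<mno@columbia.edu>", "chen@example.edu", "557", "2006-06-06T10:32:10"),
]

# Same pattern as the Perl rule in the post: a literal '<', an all-lowercase
# local part, then '@columbia' in either case. No /i flag, so an uppercase
# local part does not match, exactly as in the original rule.
BAGLE_MSGID = re.compile(r"<[a-z]+@(columbia|COLUMBIA)")

# The five subjects observed across the 1,753 messages in the post.
KNOWN_SUBJECTS = {"1545453", "455", "557", "57657", "586876"}


def matches_msgid(msgid):
    """True when a Message-ID has the forged shape the post describes."""
    return bool(BAGLE_MSGID.search(msgid))


def flag_messages(records):
    """Select records whose Message-ID matches, noting whether the subject is
    one of the known ones so an analyst can see the two signals agree."""
    flagged = []
    for msgid, rcpt, subject, ts in records:
        if matches_msgid(msgid):
            flagged.append({
                "msgid": msgid,
                "rcpt": rcpt,
                "subject": subject,
                "ts": datetime.fromisoformat(ts),
                "known_subject": subject in KNOWN_SUBJECTS,
            })
    return flagged


def alphabetical_series(flagged):
    """Group flagged recipients by the first letter of the local part, in
    arrival order, and report whether each group advances alphabetically.
    This is the check behind the post's 'three series' observation."""
    series = defaultdict(list)
    for rec in sorted(flagged, key=lambda r: r["ts"]):
        local = rec["rcpt"].split("@", 1)[0].lower()
        series[local[0]].append(local)
    return {letter: names == sorted(names) for letter, names in series.items()}


def peak_per_minute(flagged):
    """Highest number of flagged messages received in any single minute."""
    per_minute = defaultdict(int)
    for rec in flagged:
        per_minute[rec["ts"].replace(second=0, microsecond=0)] += 1
    return max(per_minute.values(), default=0)


if __name__ == "__main__":
    hits = flag_messages(SAMPLE)
    print(f"{len(hits)} of {len(SAMPLE)} messages match the Message-ID pattern")
    print("alphabetical series:", alphabetical_series(hits))
    print("peak flagged messages per minute:", peak_per_minute(hits))
```

Running it on the sample reports 7 of 8 messages matching, three series ('c', 'e', 'y') each advancing alphabetically, and a peak of 3 per minute. The Message-ID check is the one worth deploying at the gateway, as the Perl rule does; the series and rate checks are for confirming from logs that what you are seeing is coordinated rather than a single noisy host.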




Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
