On Friday, July 22, 2005, 6:53:57 PM, Andrew wrote:

CA> My email server has received about 200 of a certain message since 8:30
CA> AM PDT.

CA> The Subject line is merely "1", the forged mailfrom is approximately the
CA> first 8 characters of the target address plus a forged domain. There is
CA> an attachment called "1.txt" and a message text body that begins on a
CA> new line "ICA=" plus three characters, the first one of which may be
CA> low-bit ASCII and the second two are high-bit.

CA> The sources include zombie networks, normal mail servers, and bounced
CA> messages from normal servers.

CA> I've sent a bunch of samples to the usual spam@ address and thought I'd
CA> make a more general posting here. My guess is that it's a new worm, and
CA> that it's broken.

CA> Incidentally, I don't think this is related to a current spam campaign
CA> in which the Subject: line includes a number inside of square brackets.
CA> I just thought I'd head off that distraction.

I'm on updates this evening. I'll watch for this. It sounds like something that requires an abstract rule --- probably not enough content for the other coders to try it safely... I am surprised I didn't hear about it though...

Please send me another note with a few of these as attachments (even better if they are raw files from your mail queue - that way there will be no re-coding by any mail clients) -- send to our support@ address. If they get through then that means we're not filtering them yet -- I'll use them as examples and will try to code a complex rule that's safe.

Thanks!
_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
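The traits described in Andrew's report, combined into one check that fires only when all of them appear together; this is an added example, not part of the thread and not Message Sniffer's rule code. The sample messages, the addresses and the prefix-match reading of "approximately the first 8 characters" are constructed assumptions.

```python
import email
import re

# Body trait from the report: "ICA=" then three bytes, the last two high-bit.
BODY_RE = re.compile(rb"\A\s*ICA=[\x00-\xff][\x80-\xff]{2}")
ALL_TRAITS = {"subject", "mailfrom", "attachment", "body"}

# Constructed sample shaped like the report (not a captured message).
SAMPLE = (
    b"From: jsmith12@forged.example\r\nSubject: 1\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="BOUND"\r\n\r\n'
    b"--BOUND\r\nContent-Type: text/plain\r\n\r\n"
    b"\r\nICA=a\xe9\xf1\r\n"
    b'--BOUND\r\nContent-Disposition: attachment; filename="1.txt"\r\n\r\nx\r\n'
    b"--BOUND--\r\n"
)
# Constructed legitimate message that happens to share the Subject.
BENIGN = b"From: alice@partner.example\r\nSubject: 1\r\n\r\nsee item 1\r\n"


def traits(raw: bytes, mail_from: str, rcpt_to: str) -> set:
    """Return which of the reported traits this message shows."""
    msg = email.message_from_bytes(raw)
    found = set()
    if str(msg.get("Subject", "")).strip() == "1":
        found.add("subject")
    s_local, _, s_dom = mail_from.lower().rpartition("@")
    r_local, _, r_dom = rcpt_to.lower().rpartition("@")
    # Assumed reading: sender local part is a prefix of the recipient's,
    # compared over at most 8 characters, under a different domain.
    if s_dom != r_dom and len(s_local) >= 4 and r_local.startswith(s_local[:8]):
        found.add("mailfrom")
    for part in msg.walk():
        if part.is_multipart():
            continue
        if (part.get_filename() or "").lower() == "1.txt":
            found.add("attachment")
        elif part.get_content_type() == "text/plain":
            # decode=True returns the raw bytes, so high-bit bytes survive.
            if BODY_RE.match(part.get_payload(decode=True) or b""):
                found.add("body")
    return found


def is_suspect(raw: bytes, mail_from: str, rcpt_to: str) -> bool:
    # Each trait alone is too common to act on; require all of them.
    return traits(raw, mail_from, rcpt_to) == ALL_TRAITS
```

Running it over raw queue files rather than client-forwarded copies matters here, because the body check depends on the original high-bit bytes.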
