I've noticed a signature associated with some type of new ratware. It doesn't seem too popular yet (only a couple dozen hits per hour out of 100k messages/day). SA263 doesn't see anything wrong with the headers. The most obviously incriminating data is a forged "Received" line that includes some text about encrypted transfer. The "DES-CBC3-SHA" xfer style it mentions is apparently valid (I saw qmail examples in a Google search), but the typo (below) saying "with with" is a good identifier for this particular program. I'm rejecting them with postfix header checks.
    Received: from [197.178.76.58] by 24.30.7.33 with with DES-CBC3-SHA encrypted SMTP; Wed, 04 Feb 2004 06:50:01 -0600

The from/reply-to address made from this program is always a randomly generated username with a valid domain. The username seems to be 6 or more characters, often with few vowels. Here are a few examples:

    [EMAIL PROTECTED]
    [EMAIL PROTECTED]
    [EMAIL PROTECTED]
    [EMAIL PROTECTED]
    [EMAIL PROTECTED]
    [EMAIL PROTECTED]
    [EMAIL PROTECTED]

I wonder if a low/med scoring rule can be created to look for usernames of 6 or more alpha-only chars with large groups (4+) of back-to-back consonants? Sticking with 6 or more chars should avoid simple abbreviations like [EMAIL PROTECTED] or [EMAIL PROTECTED], but be more successful with [EMAIL PROTECTED]

Anyway, here's more header slime it generates:

    X-Authentication-Warning: tjgpbily- fyygvdu
    Message-ID: <[EMAIL PROTECTED]>
    References: <[EMAIL PROTECTED]>
    In-Reply-To: <[EMAIL PROTECTED]>
    X-Mailer: ypewybj. lbxwy

I've kept one of these messages as a sample; email me for the full source if it's of interest to you. I'm pretty rough with regex/pcre so I won't be posting any rules for this any time soon. Hopefully this is of use to someone else :)

--eric
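As an added example (not code from the original post), here is a Python sketch of the two checks described above: keying on the "with with" typo in the forged Received line rather than on the legitimate cipher name, and the proposed consonant-cluster username heuristic, combined into a score the way a low/medium SpamAssassin rule would be. The sample message, the weights, and counting "y" as a consonant are my assumptions; the addresses and IPs are documentation placeholders, not the original headers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Rule 1: the doubled "with with" before the cipher name. We match the
# typo and not "DES-CBC3-SHA", because that cipher string is exactly what
# a genuine qmail TLS receipt writes.
FORGED_RECEIVED = re.compile(r"\bwith\s+with\s+\S+\s+encrypted\s+SMTP\b")

# Rule 2: local part is 6+ letters only and contains 4+ back-to-back
# consonants. Treating 'y' as a consonant is an assumption that fits the
# quoted samples (e.g. "tjgpbily", "ypewybj").
ALPHA_LOCAL = re.compile(r"[a-z]{6,}")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{4}")


def has_forged_received(msg) -> bool:
    """True if any Received header carries the 'with with' typo."""
    return any(FORGED_RECEIVED.search(v) for v in msg.get_all("Received", []))


def has_consonant_cluster(address: str) -> bool:
    """True if the address's local part matches the username heuristic."""
    local = parseaddr(address)[1].split("@", 1)[0].lower()
    return bool(ALPHA_LOCAL.fullmatch(local)) and bool(CONSONANT_RUN.search(local))


def score_raw_message(raw: str) -> float:
    """Assumed weights: the header typo is decisive, the username rule is
    low-scoring because ordinary words (e.g. 'strengths') also trip it."""
    msg = message_from_string(raw)
    score = 3.0 if has_forged_received(msg) else 0.0
    for hdr in ("From", "Reply-To"):
        if msg[hdr] and has_consonant_cluster(msg[hdr]):
            score += 0.5
    return score


# Constructed sample modelled on the headers quoted in the post.
SAMPLE = (
    "Received: from [192.0.2.10] by mail.example.net with with DES-CBC3-SHA"
    " encrypted SMTP; Wed, 04 Feb 2004 06:50:01 -0600\n"
    "From: tjgpbily@example.org\n"
    "Reply-To: tjgpbily@example.org\n"
    "X-Mailer: ypewybj. lbxwy\n"
    "Subject: hi\n\nbody\n"
)

if __name__ == "__main__":
    print(score_raw_message(SAMPLE))  # prints 4.0
```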
