On 3/31/11 1:46 PM, Adam Katz wrote:
On 03/31/2011 08:59 AM, Michael Scheidell wrote:
What rules? Running `grep -Pri '\b\w?ups' rules*` ('\w?' allows for
matching '\bups') hits only one related rule, DOS_FAKE_UPS_TRACK_NUM,
which is still in testing (and keys on the word 'UPS' in the subject,
not the domain).

an, mine.
suggest meta rule to look for __SHIPPER && __STUPID_ATTACHMENT
__ header rule: @(ups|fedex|dhl)\.com
meta header to look for an attachment of .zip|rar|exe|
no way ups should be emailing you an exe...
I'm recalling DHL scams being more prevalent than UPS for a long long
time, but ymmv.
with some pretty weird received lines: is this 'ipv8'?
received:from smtp1.txfxczpw.net ([11169.98.12888.1258]) by
relay.cxjrc.com with SMTP; Thu, 31 Mar 2011 09:09:04 -0600
message-id:<2e9701cbef83$48a30ab0$6500a8c0@MERIDA>
Hah, somebody forgot an upper bound on their random number generator!
I've never seen a fake IP octet greater than the three hundreds (TV
shows sometimes use those like 555- phone numbers).
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation
* Best Intrusion Prevention Product, Networks Product Guide
* Certified SNORT Integrator
* Hot Company Award, World Executive Alliance
* Best in Email Security, 2010 Network Products Guide
* King of Spam Filters, SC Magazine
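The two detection ideas raised in the thread, a meta rule that fires when a message claims a shipper's domain AND carries an executable-type attachment, and a check for Received: lines whose bracketed IP literal has an octet above 255, as an added Python example that is not part of the original thread and not SpamAssassin's own code. The rule names (FAKE_SHIPPER_ATTACHMENT, BOGUS_RECEIVED_IP), the regexes and the two sample messages are constructed for illustration; the Received: line in the first sample reuses the values quoted in the thread.

```python
import re
from email import message_from_string

# Hypothetical equivalent of the "__SHIPPER" header rule from the thread:
# the From: address claims to be at a major shipper's domain.
SHIPPER_RE = re.compile(r'@(?:ups|fedex|dhl)\.com\b', re.IGNORECASE)

# Hypothetical equivalent of "__STUPID_ATTACHMENT": attachment types a
# shipper has no business sending in a delivery notice.
STUPID_ATTACHMENT_RE = re.compile(r'\.(?:zip|rar|exe)$', re.IGNORECASE)

# A bracketed dotted-quad literal as it appears in a Received: header.
RECEIVED_IP_RE = re.compile(r'\[(\d+)\.(\d+)\.(\d+)\.(\d+)\]')


def claims_shipper(msg):
    """True if the From: header claims one of the shipper domains."""
    return bool(SHIPPER_RE.search(msg.get('From', '')))


def has_stupid_attachment(msg):
    """True if any MIME part carries a filename with a risky extension."""
    for part in msg.walk():
        name = part.get_filename()
        if name and STUPID_ATTACHMENT_RE.search(name):
            return True
    return False


def bogus_received_ips(msg):
    """Return bracketed IPv4 literals from Received: headers that cannot be
    real addresses because at least one octet exceeds 255."""
    bad = []
    for hdr in msg.get_all('Received', []):
        for m in RECEIVED_IP_RE.finditer(hdr):
            if any(int(octet) > 255 for octet in m.groups()):
                bad.append('.'.join(m.groups()))
    return bad


def rule_hits(raw_message):
    """Evaluate the constructed rules and return the names that fired,
    mirroring how a SpamAssassin meta rule combines sub-rules."""
    msg = message_from_string(raw_message)
    hits = []
    # The meta rule: both sub-rules must match, neither is enough alone.
    if claims_shipper(msg) and has_stupid_attachment(msg):
        hits.append('FAKE_SHIPPER_ATTACHMENT')
    if bogus_received_ips(msg):
        hits.append('BOGUS_RECEIVED_IP')
    return hits


# Constructed sample: a fake UPS notice with an .exe "label" attached and the
# impossible Received: literal quoted in the thread.
SAMPLE_FAKE_UPS = """\
Received: from smtp1.txfxczpw.net ([11169.98.12888.1258]) by relay.cxjrc.com with SMTP; Thu, 31 Mar 2011 09:09:04 -0600
From: "UPS Customer Service" <notice@ups.com>
Subject: UPS Tracking Number
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Your parcel could not be delivered. Print the attached label.
--XX
Content-Type: application/octet-stream; name="UPS_label.exe"
Content-Disposition: attachment; filename="UPS_label.exe"

MZ...
--XX--
"""

# Constructed sample: an ordinary message that should trigger nothing.
SAMPLE_LEGIT = """\
Received: from mail.example.net ([192.0.2.10]) by relay.example.org with ESMTP; Thu, 31 Mar 2011 09:09:04 -0600
From: "A Colleague" <someone@example.org>
Subject: lunch
Content-Type: text/plain

See you at noon.
"""

if __name__ == '__main__':
    print('fake UPS :', rule_hits(SAMPLE_FAKE_UPS))
    print('legit    :', rule_hits(SAMPLE_LEGIT))
```

The domain match on its own is a weak signal, since From: is trivially forged and real shipper mail matches it too; it is the conjunction with an executable-type attachment that gives the meta rule its value, which is why the thread proposes two underscore-prefixed sub-rules combined by a meta rather than scoring either alone. The octet check is independent of that and only catches forged Received: lines whose author did not bound their random generator.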