Starting about two hours ago, about 40% of my real-time honeypot spam is a new malware campaign. About a third are hitting "BAYES_00", with about 10% of all having negative SA scores. :(
Full spample (with munged email addresses): http://puffin.net/software/spam/samples/0040_mal_tgz.txt

That's not a valuable honeypot address, so I've left everything else as-is, including the Message-ID. So far, all of these have the _EXACT_ same Message-ID, From, and Reply-To. I expect all to change, but they may be useful for quick block rules. The From account is "FSPRD" and the From base domain is "covance".

The filenames are all the same length, pure numeric with three leading zeroes. Here are a few examples:

0006449538.tgz
0007184777.tgz
0008205464.tgz
0007565676.tgz
0008113861.tgz
0001457696.tgz
0007535057.tgz
0008403752.tgz
0009470013.tgz

I'm blocking these by file extension (both ".tgz" and ".gz" to be extra cautious). A couple of years ago, I added a "mime prefix" rule to my post-SA filter, and have added rules using that, in case the spammers try the old trick of asking victims to rename the file. I tried opening a benign ".gz" in Windows 7, and it didn't recognize it, but other versions may. These may be targeting other platforms (e.g. I recently learned that Chrome OS has native support for "rar" extraction, which may explain the recent rise of rar JavaScript email malware).

I've only taken a quick look at the payload. It's JavaScript, but definitely different from past campaigns. I've been seeing a high level of "calibration" spam for over a week, so I suspect this is a new botnet going live. :(

- "Chip"
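As an added example (not Chip's post-SA filter, and not code from the original message), here is a Python sketch of the attachment rules the post describes: flag the ".tgz"/".gz" extension and the ten-digit, three-leading-zero filename, and, as a "mime prefix" style rule, flag the gzip magic bytes regardless of the extension so an attachment the victim is asked to rename is still caught, then peek inside the tarball for ".js" members. The sample messages, the address fsprd@covance.example, and the tarball contents are constructed for the demo; the quick Message-ID/From/Reply-To block rules are left out since the post expects those values to change.

```python
"""
Added example, not Chip's filter: attachment rules for the .tgz campaign
described above. All sample data below is constructed, not a real spample.
"""
import email
import gzip
import io
import re
import tarfile
from email import policy
from email.message import EmailMessage

GZIP_MAGIC = b"\x1f\x8b"                            # first two bytes of any gzip stream
NAME_RE = re.compile(r"^000\d{7}\.(?:tgz|gz)$")     # e.g. 0006449538.tgz (10 digits, 3 leading zeroes)
EXT_RE = re.compile(r"\.(?:tgz|gz)$", re.IGNORECASE)  # plain extension block


def build_payload(js_name="0006449538.js"):
    """Constructed stand-in for the campaign's .tgz: a gzip'd tar holding one .js file."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        data = b"// constructed placeholder, not the real dropper\n"
        info = tarfile.TarInfo(js_name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return gzip.compress(tar_buf.getvalue())


def build_message(filename, payload):
    """Constructed RFC 822 message carrying one attachment (address is an assumption)."""
    msg = EmailMessage()
    msg["From"] = "FSPRD <fsprd@covance.example>"   # post gives only the account and base domain
    msg["To"] = "honeypot@example.invalid"
    msg["Subject"] = "Document"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def tar_members(blob):
    """Member names inside a gzip'd tar, or [] if the bytes are not one."""
    try:
        with tarfile.open(fileobj=io.BytesIO(gzip.decompress(blob)), mode="r") as tar:
            return tar.getnames()
    except (OSError, EOFError, tarfile.TarError):
        return []


def scan(raw):
    """Return [(attachment filename, [rule names that fired])] for a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        blob = part.get_payload(decode=True) or b""
        hits = []
        if EXT_RE.search(name):
            hits.append("ext_gz")            # extension block (.tgz and .gz)
        if NAME_RE.match(name):
            hits.append("campaign_name")     # 000xxxxxxx.tgz naming pattern
        if blob.startswith(GZIP_MAGIC):
            hits.append("magic_gzip")        # content check: survives a rename
            if any(m.lower().endswith(".js") for m in tar_members(blob)):
                hits.append("js_inside")     # JavaScript payload inside the tarball
        findings.append((name, hits))
    return findings


def should_block(raw):
    """Block on either the extension or the magic bytes, whichever fires."""
    return any("ext_gz" in hits or "magic_gzip" in hits for _, hits in scan(raw))


if __name__ == "__main__":
    payload = build_payload()
    for fname in ("0006449538.tgz", "0006449538.txt"):
        print(fname, scan(build_message(fname, payload)))
```

The second sample, with the attachment renamed to ".txt", is the case the extension rule alone misses: only the magic-byte check and the look inside the tarball fire for it, which is the point of keeping a content-based rule beside the extension rule.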