This info popped up on the Emerging Threats list. I have watched our
mail servers and have confirmed that it works.

The problem is that my attempts to create SpamAssassin rules for it never
fire off. Can I get some tutelage from the list on creating rules for
these unique conditions:

> Message IDs randomized, but always the same length per field, and
> uses "Message-Id" instead of "Message-ID":
>
> Message-Id: <2873D448.788506.55260@KMYR>
> Message-Id: <0063D640.105940.14536@GEWN>
> Message-Id: <5314D726.338506.53672@HLOX>
> Message-Id: <9623D246.651813.85001@TSRC>
> Message-Id: <9323D953.439713.23300@XOZO>
> Message-Id: <5826D079.865484.96382@DPJF>
> Message-Id: <5760D504.989162.19301@MQBI>
> Message-Id: <3826D994.505082.06446@ULHA>
> Message-Id: <9198D762.152706.91872@NZOD>
> Message-Id: <9436D725.815646.21882@JECL>
>
> Intel from Joe Stewart at Secureworks.
>
> Message-Id capitalized incorrectly, and EJXVWDA appears in the
> middle of the random prefix:
>
> Message-Id: <1IX341EJXVWDA184@charlxxxxxxnix.com>
> Message-Id: <0IX361EJXVWDA497@thaxxxxxxxuy.com>
> Message-Id: <0IX984EJXVWDA663@bxxxe.org>
> Message-Id: <8IX467EJXVWDA672@filmxxxxxtral.net>
> Message-Id: <5IX841EJXVWDA231@stephxxxxxxld.org>
> Message-Id: <4IX479EJXVWDA351@reXxxxxght.com>
> Message-Id: <1IX151EJXVWDA438@uxxxxxt.com>
> Message-Id: <9IX545EJXVWDA558@nexxxxble.com>
>
> Intel from Joe Stewart at Secureworks.
>
> First group increments over time. Last group is the IP in hex backwards.
> Like so:
>
> Message-ID: 05b601c8992a$084895f0$1802a8c0@computername
> Message-ID: 05bd01c8992a$08608ac0$1802a8c0@computername
> Message-ID: 05cb01c8992a$087d1370$1802a8c0@computername
> Message-ID: 05e701c8992a$08a7f400$1802a8c0@computername
> Message-ID: 05d901c8992a$088ddc50$1802a8c0@computername
> Message-ID: 05e001c8992a$08902640$1802a8c0@computername
> Message-ID: 05d201c8992a$087d1370$1802a8c0@computername
> Message-ID: 060a01c8992a$09de0300$1802a8c0@computername
> Message-ID: 061101c8992a$09f5d0c0$1802a8c0@computername
> Message-ID: 061801c8992a$0a0d9e80$1802a8c0@computername
>
> Thanks again to Joe Stewart for the intel!
Anything that hits is generated by bobax/kraken/oderoor and can be dropped.

jp
--
Framework? I don't need no steenking framework!

----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
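As an added example (not part of the original post or the Emerging Threats intel), the three quoted Message-Id families expressed as anchored regexes in Python and run over constructed sample headers, with the byte-reversed hex IP from the third family decoded. The comments carry the caveat a SpamAssassin rule author needs: the header-name capitalisation that distinguishes these families is only visible when matching the raw ALL pseudo-header, since per-header selectors are case-insensitive.

```python
import re

# Constructed sample Message-Id lines modelled on the three families quoted
# in the post (not real captured headers); the last one is a benign control.
SAMPLES = [
    "Message-Id: <2873D448.788506.55260@KMYR>",
    "Message-Id: <1IX341EJXVWDA184@charlxxxxxxnix.com>",
    "Message-ID: 05b601c8992a$084895f0$1802a8c0@computername",
    "Message-ID: <20080401.1234@mx.example.net>",
]

# Each rule is anchored on the raw header line so the capitalisation of the
# header *name* is part of the match.  In SpamAssassin, 'header' selectors are
# case-insensitive, so the same regexes must be applied to the ALL
# pseudo-header (header RULE ALL =~ /^Message-Id: .../m) to keep that signal.
RULES = {
    # Family 1: "Message-Id", random but fixed-width fields 8.6.5 @ 4 letters.
    "MSGID_FIXED_WIDTH": re.compile(
        r"^Message-Id: <[0-9A-F]{8}\.\d{6}\.\d{5}@[A-Z]{4}>$"),
    # Family 2: "Message-Id" with the constant EJXVWDA inside the random prefix.
    "MSGID_EJXVWDA": re.compile(
        r"^Message-Id: <[0-9A-Z]*EJXVWDA[0-9A-Z]*@[^@>\s]+>$"),
    # Family 3: three $-separated hex groups; the last is the host IP reversed.
    "MSGID_REVERSED_HEX_IP": re.compile(
        r"^Message-ID: [0-9a-f]{12}\$[0-9a-f]{8}\$(?P<ip>[0-9a-f]{8})@\S+$"),
}

def classify(header_line: str):
    """Return the name of the first rule that fires on the raw line, or None."""
    for name, pattern in RULES.items():
        if pattern.match(header_line.rstrip("\r\n")):
            return name
    return None

def decode_reversed_ip(hex_group: str) -> str:
    """Decode the byte-reversed hex IP of family 3, e.g. '1802a8c0' -> 192.168.2.24."""
    octets = bytes.fromhex(hex_group)[::-1]
    return ".".join(str(b) for b in octets)

def ip_from_header(header_line: str):
    """Recover the dotted IP from a family-3 Message-ID, or None if it does not match."""
    m = RULES["MSGID_REVERSED_HEX_IP"].match(header_line)
    return decode_reversed_ip(m.group("ip")) if m else None

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify(line) or '-':24} {ip_from_header(line) or '':15} {line}")
```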