Jeff Chan writes:
> On Thursday, June 19, 2008, 7:33:44 AM, Yet Ninja wrote:
> > Guys, you're being hit with hacked web site URIs showing up in a heavy
> > spam flood. I see Uribl.com got most of them, but in case:
>
> > rawbody GMD_R_DOT_HTML /\/r\.html$/
> > describe GMD_R_DOT_HTML Possible hacked site with porntube redirect
> > score GMD_R_DOT_HTML 3.5
>
> > Note: making it an uri rule doesn't hit them all.
if you can find a case where the uri rule doesn't match but the rawbody
does, and the URL works, please open a bug!
> > enjoy
>
> It and video.exe are Storm.
yeah, I was thinking it looked familiar.
BAD_ENC_HEADER hits them all btw, on the Subject line's encoding. and
there's some interesting regularity in the Message-ID:
Message-id: <Q0150625piByoZfn/20080611100182H+1@...>
Message-id: <N7556814WYcmtrMl/20080611241908L+6@...>
Message-id: <P5195955SYbtbcft/20080611128928A+5@...>
Message-id: <P2384398XFKSgzjs/20080611992691U+3@...>
also, odd spaces:
Date: Thu, 19 Jun 2008 17:04:32 +0200
Date: Thu, 19 Jun 2008 18:03:54 +0300
Date: Thu, 19 Jun 2008 17:03:49 +0200
Date: Thu, 19 Jun 2008 10:02:50 -0500
--j.
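
The Message-ID regularity noted above can be checked mechanically. The following is an added example, not part of the original message or of SpamAssassin: the candidate pattern is an assumption inferred only from the four quoted IDs, and the benign IDs and all function names are constructed for illustration.

```python
import re

# Local parts copied from the four Message-IDs quoted above; the domain is
# elided ("...") in the post, so only the part before "@" is examined.
STORM_SAMPLES = [
    "Q0150625piByoZfn/20080611100182H+1",
    "N7556814WYcmtrMl/20080611241908L+6",
    "P5195955SYbtbcft/20080611128928A+5",
    "P2384398XFKSgzjs/20080611992691U+3",
]

# Constructed counter-examples in the style of ordinary mail clients
# (not taken from the post).
BENIGN_SAMPLES = [
    "4859E2A1.7060103",
    "20080619150432.GA12345",
    "CAF3x9aB+1zQ/ZtY",
]

# Candidate shape (an assumption drawn from the four samples only):
# 1 uppercase letter, 7 digits, 8 letters, "/", 14 digits,
# 1 uppercase letter, "+", 1 digit.
CANDIDATE = re.compile(r"^[A-Z]\d{7}[A-Za-z]{8}/\d{14}[A-Z]\+\d$")

def local_part(message_id):
    """Strip angle brackets and any domain from a Message-ID header value."""
    return message_id.strip().strip("<>").split("@", 1)[0]

def matches_candidate(message_id):
    """True if the Message-ID's local part fits the candidate shape."""
    return bool(CANDIDATE.match(local_part(message_id)))

def evaluate(spam_ids, ham_ids):
    """Return (spam samples missed, benign samples wrongly matched)."""
    missed = [s for s in spam_ids if not matches_candidate(s)]
    false_pos = [s for s in ham_ids if matches_candidate(s)]
    return missed, false_pos

if __name__ == "__main__":
    missed, false_pos = evaluate(STORM_SAMPLES, BENIGN_SAMPLES)
    print("missed:", missed, "false positives:", false_pos)
```

Four samples are a thin basis for a pattern, so run any rule built from it against a ham corpus before assigning a score.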