Terry Zink's Anti-spam Blog

Protecting your mail from the scum of the internet
New spam outbreak: mp3 spam

There is a new spam outbreak that hit today: spam in mp3s. The filenames of the spam vary, and include some of the following:

  • Emotional ties, for example: dadsong.mp3, oursong.mp3, weddingsong.mp3
  • Well-known artists and songs, for example: santana.mp3, sayyousayme.mp3, smashingpumpkins.mp3, bbrown.mp3, bspears.mp3, gloriaestefan.mp3, beatles.mp3
  • Other "sounds" that people might want to listen to, for example: answeringmachine.mp3, coolringtone.mp3, listentothis.mp3

We've got some spam rules out there to catch these things; we'll know in the next couple of days how effective they are.

Posted: Thursday, October 18, 2007 5:10 PM by tzink

Comments

E-Bitz - SBS MVP the Official Blog of the SBS "Diva" said:

All day today I've been getting German stock spam... Terry Zink's Anti-spam Blog : New spam outbreak

# October 18, 2007 8:40 PM

MVPs said:

All day today I've been getting German stock spam... Terry Zink's Anti-spam Blog : New spam outbreak

# October 18, 2007 10:38 PM

Justin Mason said:

hi Terry --

it's output from the Storm botnet.  These SpamAssassin 3.2.x rules catch it:

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

# Variant 1: inline part, header continuation line indented with a space
mimeheader __CTYPE_STORM_MP3_1 Content-Type:raw =~ /^audio\/mpeg;\n name=\"[a-z]+\.mp3\"$/s
mimeheader __CDISP_STORM_MP3_1 Content-Disposition:raw =~ /^inline;\n filename=\"[a-z]+\.mp3\"$/s

# Variant 2: attachment, header continuation line indented with a tab
mimeheader __CTYPE_STORM_MP3_2 Content-Type:raw =~ /^audio\/mpeg;\n\tname=\"[a-z]+\.mp3\"$/s
mimeheader __CDISP_STORM_MP3_2 Content-Disposition:raw =~ /^attachment;\n\tfilename=\"[a-z]+\.mp3\"$/s

# Fire only when both sub-rules of the same variant hit
meta JM_STORM_MP3      ((__CTYPE_STORM_MP3_1&&__CDISP_STORM_MP3_1) || (__CTYPE_STORM_MP3_2&&__CDISP_STORM_MP3_2))

endif

# October 19, 2007 6:39 AM
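
The matching logic of the rules in the comment above, as an added Python example (not code from the commenter or from SpamAssassin): it ports the four header patterns and the meta rule and runs them over constructed messages, including one that mixes the two variants and one ordinary single-line MP3 attachment. Python's default compat32 email policy is assumed as a stand-in for the :raw header form; evaluate, build_sample, SAMPLES and the example.com addresses are illustrative names.

```python
import email
import re

# The four mimeheader sub-rules from the comment above, ported to Python regexes.
SUBRULES = {
    "__CTYPE_STORM_MP3_1": ("Content-Type", r'^audio/mpeg;\n name="[a-z]+\.mp3"$'),
    "__CDISP_STORM_MP3_1": ("Content-Disposition", r'^inline;\n filename="[a-z]+\.mp3"$'),
    "__CTYPE_STORM_MP3_2": ("Content-Type", r'^audio/mpeg;\n\tname="[a-z]+\.mp3"$'),
    "__CDISP_STORM_MP3_2": ("Content-Disposition", r'^attachment;\n\tfilename="[a-z]+\.mp3"$'),
}

def evaluate(raw_message):
    """Return {rule_name: bool} for the sub-rules and the JM_STORM_MP3 meta rule."""
    # Assumption: the default compat32 policy, which returns header values with
    # their folding (newline + space/tab) intact, stands in for ":raw".
    msg = email.message_from_string(raw_message.replace("\r\n", "\n"))
    parts = list(msg.walk())
    hits = {}
    for name, (header, pattern) in SUBRULES.items():
        values = [str(p[header]) for p in parts if p[header] is not None]
        hits[name] = any(re.search(pattern, v, re.S) for v in values)
    hits["JM_STORM_MP3"] = (
        (hits["__CTYPE_STORM_MP3_1"] and hits["__CDISP_STORM_MP3_1"])
        or (hits["__CTYPE_STORM_MP3_2"] and hits["__CDISP_STORM_MP3_2"])
    )
    return hits

def build_sample(ct_fold, disposition, cd_fold, filename):
    """Constructed message: a text part plus an audio part with chosen folding."""
    return (
        "From: sender@example.com\nTo: rcpt@example.com\nSubject: test\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nhello\n--b1\n"
        f'Content-Type: audio/mpeg;{ct_fold}name="{filename}"\n'
        f'Content-Disposition: {disposition};{cd_fold}filename="{filename}"\n'
        "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n"
    )

# Constructed samples (not captured spam); the first three filenames are from the post.
SAMPLES = {
    "variant1": build_sample("\n ", "inline", "\n ", "dadsong.mp3"),
    "variant2": build_sample("\n\t", "attachment", "\n\t", "oursong.mp3"),
    "mixed": build_sample("\n ", "attachment", "\n\t", "weddingsong.mp3"),
    "ordinary": build_sample(" ", "attachment", " ", "Holiday_Mix_01.mp3"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, evaluate(raw)["JM_STORM_MP3"])
```

The mixed sample hits one sub-rule from each variant but not the meta rule, and the ordinary attachment hits nothing, because the patterns depend on the exact header folding and an all-lowercase filename.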

matthias said:

Uploaded some "sample MP3-SPAM" here (https://www.adminlife.net/news/mp3-spam/).

I think this MP3 SPAM will be easy to catch.

# October 19, 2007 3:24 PM