New spam outbreak: mp3 spam


There is a new spam outbreak that hit today: spam in MP3s. The filenames of the spam vary and include some of the following:

  • Emotional ties, for example: dadsong.mp3, oursong.mp3, weddingsong.mp3
  • Well-known artists and songs, for example: santana.mp3, sayyousayme.mp3, smashingpumpkins.mp3, bbrown.mp3, bspears.mp3, gloriaestefan.mp3, beatles.mp3
  • Other "sounds" that people might want to listen to, for example: answeringmachine.mp3, coolringtone.mp3, listentothis.mp3

We’ve got some spam rules out there to catch these things; we’ll know in the next couple of days how effective they are.

Comments (5)

  1. All day today I've been getting German stock spam… Terry Zink's Anti-spam Blog : New spam outbreak

  2. MVPs says:

    All day today I've been getting German stock spam… Terry Zink's Anti-spam Blog : New spam outbreak

  3. Justin Mason says:

    hi Terry —

    it’s output from the Storm botnet.  These SpamAssassin 3.2.x rules catch it:

    ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

    mimeheader __CTYPE_STORM_MP3_1 Content-Type:raw =~ /^audio\/mpeg;\n name="[a-z]+\.mp3"$/s

    mimeheader __CDISP_STORM_MP3_1 Content-Disposition:raw =~ /^inline;\n filename="[a-z]+\.mp3"$/s

    mimeheader __CTYPE_STORM_MP3_2 Content-Type:raw =~ /^audio\/mpeg;\n\tname="[a-z]+\.mp3"$/s

    mimeheader __CDISP_STORM_MP3_2 Content-Disposition:raw =~ /^attachment;\n\tfilename="[a-z]+\.mp3"$/s

    meta JM_STORM_MP3 ((__CTYPE_STORM_MP3_1&&__CDISP_STORM_MP3_1) || (__CTYPE_STORM_MP3_2&&__CDISP_STORM_MP3_2))

    endif
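The rules in the comment above key on how the two MIME headers are folded (newline plus space with `inline`, newline plus tab with `attachment`), and the meta rule only fires when both headers of one part share the same layout. The following Python port of that check is an added example, not part of the original comment or of SpamAssassin; the function names and the sample messages are constructed for illustration.

```python
import email
import re
from email import policy

# Python ports of the four header patterns, grouped into the two
# pairs that the meta rule combines (both headers must share a layout).
LAYOUTS = {
    "space-folded/inline": (
        re.compile(r'^audio/mpeg;\n name="[a-z]+\.mp3"$', re.S),
        re.compile(r'^inline;\n filename="[a-z]+\.mp3"$', re.S),
    ),
    "tab-folded/attachment": (
        re.compile(r'^audio/mpeg;\n\tname="[a-z]+\.mp3"$', re.S),
        re.compile(r'^attachment;\n\tfilename="[a-z]+\.mp3"$', re.S),
    ),
}

def raw_header(part, name):
    # The compat32 policy keeps the folded value as it appeared in the
    # message, so the whitespace after the line break stays visible.
    return str(part.get(name, "")).replace("\r\n", "\n")

def storm_mp3_layout(raw_message):
    """Return the label of the matching header layout, or None."""
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    for part in msg.walk():
        ctype = raw_header(part, "Content-Type")
        cdisp = raw_header(part, "Content-Disposition")
        for label, (ct_re, cd_re) in LAYOUTS.items():
            if ct_re.search(ctype) and cd_re.search(cdisp):
                return label
    return None

def sample(ctype, cdisp):
    # Constructed test message (not captured spam) with one audio part.
    return (
        "From: a@example.com\nTo: b@example.com\nSubject: test\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nhello\n"
        f"--b1\nContent-Type: {ctype}\n"
        "Content-Transfer-Encoding: base64\n"
        f"Content-Disposition: {cdisp}\n\nAAAA\n--b1--\n"
    )

if __name__ == "__main__":
    print(storm_mp3_layout(sample('audio/mpeg;\n name="dadsong.mp3"',
                                  'inline;\n filename="dadsong.mp3"')))
```

A part with an unfolded header, a mixed-case filename, or one header from each layout returns `None`, which is why these rules are narrow enough to use against ordinary mail clients that attach MP3 files.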

  4. matthias says:

    Uploaded some "sample MP3-SPAM" here: https://www.adminlife.net/news/mp3-spam/

    I think this MP3 SPAM will be easy to catch.