[Snort-sigs] Low hanging fruit - inforet

James Lay jlay at ...3266...
Wed Aug 29 16:55:56 EDT 2012


On 2012-08-29 14:06, Joel Esler wrote:
> Looking into this now.  Thanks James.
>
> On Aug 29, 2012, at 3:47 PM, James Lay <jlay at ...3266...> 
> wrote:
>
>> On 2012-08-29 13:34, lists at ...3397... wrote:
>>> On 08/29/12 14:27, James Lay wrote:
>>>> Pretty sure these will change to something else over time.  Maybe
>>>> useful, maybe not :)
>>>
>>> This is associated with a Blackhole mailing campaign purporting to
>>> originate from IRS (typical); I started seeing this on the 27th. IMHO I'm
>>> not sure it's worth inclusion because it changes on a per-campaign basis
>>> (photo.htm, upload.htm, inforet.html, etc. etc.)
>>>
>>> I saw it with hxxp://metrotienda.netai.net/inforet.html
>>>
>>> Respectfully,
>>> Nathan
>>
>> Yea...kinda figured but thought I'd chuck it out there :)  Thanks
>> Nathan.
>>
>> James


Good deal...thanks Joel.  Additionally, threats that usually come in 
via email (the latest one I saw was the whole eFax thing) I've been taking 
and adding to monitor port 25 since that's the initial point of entry.  
It's dicey due to the probability of FPs (I've had only a couple) but it 
is extremely nice to pinpoint the root cause.  Just a couple pennies 
:)

James
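As an added illustration of the two-port approach James describes (not rules from the thread or from the Snort ruleset), the pair below covers the same campaign indicator twice: once as the victim's HTTP request for the landing page, and once as the lure URL arriving in inbound mail on port 25, which is the entry point he wants to pinpoint. The host/file name come from Nathan's sample URL; the variables `$HOME_NET`, `$EXTERNAL_NET`, `$HTTP_PORTS` and `$SMTP_SERVERS` are the standard snort.conf definitions, and the SIDs are arbitrary values in the local (1000000+) range.

```snort
# Added example rules, not from the mailing list thread or the official Snort ruleset.
# Assumes the default snort.conf variables ($HOME_NET, $EXTERNAL_NET, $HTTP_PORTS,
# $SMTP_SERVERS) and uses local SIDs (1000001, 1000002) chosen for this example.

# 1) Web side: the victim's browser fetching the landing page.
#    http_uri confines the match to the normalised request URI, so the file name
#    appearing in a page body or an outbound mail does not trigger this rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL Blackhole IRS campaign landing page request (inforet.html)"; \
    flow:to_server,established; \
    content:"/inforet.html"; http_uri; nocase; \
    reference:url,metrotienda.netai.net/inforet.html; \
    classtype:trojan-activity; sid:1000001; rev:1; )

# 2) Mail side: the lure URL inside an inbound message on port 25.
#    to_server restricts the match to the client-to-server half of the session
#    (the DATA phase carrying the message body). Anchoring on host + file name,
#    not the bare file name, is what keeps the false-positive rate tolerable here;
#    a bare "inforet.html" would also fire on any reply quoting the lure.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( \
    msg:"LOCAL Blackhole IRS campaign lure URL in inbound email (inforet.html)"; \
    flow:to_server,established; \
    content:"metrotienda.netai.net/inforet.html"; nocase; \
    reference:url,metrotienda.netai.net/inforet.html; \
    classtype:trojan-activity; sid:1000002; rev:1; )
```

Because the file name changes per campaign (photo.htm, upload.htm, inforet.html), both rules need a new `content` value and a `rev` bump for each wave; the port-25 rule is the one worth the upkeep, since an alert there names the message that started the incident rather than the click that followed it.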