Re: Low hanging fruit - inforet

[James Lay <jlay () slave-tothe-box net>]

On 2012-08-29 14:06, Joel Esler wrote:
> Looking into this now.  Thanks James.
>
> On Aug 29, 2012, at 3:47 PM, James Lay <jlay () slave-tothe-box net> 
> wrote:
>
> > On 2012-08-29 13:34, lists () packetmail net wrote:
> > > On 08/29/12 14:27, James Lay wrote:
> > > > Pretty sure these will change to something else over time.  Maybe
> > > > useful, maybe not :)
> > >
> > > This is associated with a Blackhole mailing campaign purporting to
> > > originate
> > > from IRS (typical); I starting seeing this on the 27th, IMHO I'm 
> > > not
> > > sure it's
> > > worth inclusion because it changes on a per-campaign basis
> > > (photo.htm,
> > > upload.htm, inforet.html, etc etc)
> > >
> > > I saw it with hxxp://metrotienda.netai.net/inforet.html
> > >
> > > Respectfully,
> > > Nathan
> >
> > Yea...kinda figured but thought I'd chuck it out there :)  Thanks
> > Nathan.
> >
> > James


Good deal...thanks Joel.  Additionally, threats that usually come in 
via email (latest one I saw was the whole eFax thing) I've been taking 
and adding to monitor port 25 since that's the initial point of entry.  
It's dicey due to the probability of FP's (I've had only a couple) but 
is extremely nice to pinpoint the the root cause.  Just a couple pennies 
:)

James




------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!