Interesting reading -
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
I used to have some pretty coarse geographic rules on my IPTables ruleset
that helped.
Basically every time I spotted a lot of spam coming in, I would check to
see if the IP was from China, Taiwan, Russia etc., and if it was, I just
blackholed the entire class A network :)
Worth considering..... You can download lists of geographic IP space from
various sources as well
Stuart
On 20 February 2013 16:06, Max B <txtmax@???> wrote:
>
>
> Hi All,
>
> recently I've been receiving some spam which is designed to target the
> intelligence of a 10-year-old (as compared with the 'Nigerian'
> spammers-of-yore approach to a pre-schooler level).
>
> The spam looks to have been proofed by a GCSE-level reader.
>
> This fraudulent forgery concerns me.
>
> The trojan horse payload (not attached) is invariably wrapped up in a zip
> archive. I've archived recent trojan payloads in case anyone is interested.
>
> Domain hinet.net points to a Chinese host. Domains also included in the
> route are presumably Russian.
>
> Does anyone have a means to hinder or otherwise block this spam with a
> procmail script? Something like a geographic filter for any email
> associated with China? I don't deal with China. Why would I wish to
> receive email that originates in China? So I favour, at first glance,
> penning the Chinese behind a bespoke Great Wall.
>
> I'm beyond fed up with these turds.
>
>
> http://www.nytimes.com/2013/02/21/business/global/china-says-army-not-behind-attacks-in-report.html?_r=0
>
>
> http://www.fastcompany.com/3006018/fast-feed/china-dismisses-new-york-times-allegations-army-backed-hacking-attempts-groundless
>
> Does HMG collect spam in order to address this sort of denial at a
> diplomatic level?
>
> The plausible deniability afforded the Chinese by this type of dynamic-ip
> attack is simply unacceptable.
>
>
> ---------- Forwarded message ----------
> Return-Path: <horsy7@???>
> Received: from 114-41-160-224.dynamic.hinet.net
> (114-41-160-224.dynamic.hinet.net [114.41.160.224])
> Received: from [149.116.61.55] (helo=zrnrzypdry.kqfrfyskubrj.ua)
> by 114-41-160-224.dynamic.hinet.net with esmtpa (Exim 4.69)
> (envelope-from )
> id 1MMNDI-3322kk-MJ
> From: "SendSecure Support" <SendSecure.Support@???>
> Subject: You have received a secure message from Bank Of America
> Date: Wed, 20 Feb 2013 23:10:06 +0800
> MIME-Version: 1.0
> X-Priority: 3
> X-Mailer: dwaitmwd.17
> Message-ID: <3505121578.7AYSQSSK276767@???>
> Content-Type: multipart/mixed;
> boundary="----=a__fcrap_85_52_22"
>
>
>
> You have received a secure message.
>
> Read your secure message by opening the attachment. You will be prompted
> to open (view) the file or save (download) it to your computer. For best
> results, save the file first, then open it.
>
> If you have concerns about the validity of this message, please contact
> the sender directly.
>
> First time users - will need to register after opening the attachment.
> Help - https://securemail.bankofamerica.com/websafe/help?topic=Envelope
>
>
> _______________________________________________
> users mailing list
> users@???
> https://lists.bitfolk.com/mailman/listinfo/users
>
>
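Added example (not code from Stuart, Max or the BitFolk list): a small Python
geo-filter that a procmail recipe can call as an external condition, plus the
ipset/iptables commands for doing the same block at the kernel the way Stuart
describes. The CIDR ranges in BLOCKED_NETS are constructed stand-ins for a
downloaded country list, not real registry data, and example.invalid replaces
the obfuscated addresses. The point such a filter has to get right is visible
in the headers quoted above: only the topmost Received: line was written by
the receiving MTA, so only that IP (114.41.160.224) is trustworthy; the deeper
hop claiming 149.116.61.55 and a .ua HELO arrived inside the message and could
say anything, which is why the verdict below is taken from the top hop alone.

```python
"""Geo-filter a mail on the IP of the host that connected to OUR MTA.

Added example for the list thread, not the posters' code. BLOCKED_NETS is a
constructed stand-in; a real deployment loads a downloaded country list here.
"""
import ipaddress
import re
import sys
from email import message_from_string

# Constructed stand-in for a geo list (hypothetical, not looked up). The "TW"
# range is chosen only so that the hinet.net address quoted in the thread
# falls inside it; the "RU" entry is TEST-NET-2, a placeholder.
BLOCKED_NETS = {
    "TW": ["114.32.0.0/12"],
    "RU": ["198.51.100.0/24"],
}

# Bracketed IPv4 literal as MTAs write it in Received: headers, "[1.2.3.4]".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message):
    """All bracketed IPs in the Received: chain, topmost (most recent) first."""
    msg = message_from_string(raw_message)
    ips = []
    for hdr in msg.get_all("Received") or []:
        m = RECEIVED_IP.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def connecting_ip(raw_message):
    """The peer that actually connected to us: the topmost Received: header.

    Only that header was written by our own MTA. Every deeper one came in as
    message content and is under the sender's control, so it is ignored.
    """
    ips = received_ips(raw_message)
    return ips[0] if ips else None


def country_of(ip):
    """Country code whose blocked ranges contain ip, or None."""
    addr = ipaddress.ip_address(ip)
    for country, cidrs in BLOCKED_NETS.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return country
    return None


def should_drop(raw_message):
    """True if the connecting hop is in a blocked country.

    Fails open when no Received: header carries an IP (e.g. a locally
    submitted message): a geo rule should never eat mail it cannot place.
    """
    ip = connecting_ip(raw_message)
    return ip is not None and country_of(ip) is not None


def ipset_rules(blocked=BLOCKED_NETS, setname="geoblock"):
    """Shell commands that drop SMTP connections from the same ranges at the
    kernel, before the MTA accepts anything (procmail only acts afterwards)."""
    cmds = [f"ipset create {setname} hash:net -exist"]
    cmds += [f"ipset add {setname} {c} -exist"
             for cidrs in blocked.values() for c in cidrs]
    cmds.append(f"iptables -I INPUT -p tcp --dport 25 "
                f"-m set --match-set {setname} src -j DROP")
    return cmds


# Constructed from the Received chain quoted in the thread; body trimmed.
SAMPLE = """\
Return-Path: <horsy7@example.invalid>
Received: from 114-41-160-224.dynamic.hinet.net
 (114-41-160-224.dynamic.hinet.net [114.41.160.224])
Received: from [149.116.61.55] (helo=zrnrzypdry.kqfrfyskubrj.ua)
 by 114-41-160-224.dynamic.hinet.net with esmtpa (Exim 4.69)
 id 1MMNDI-3322kk-MJ
From: "SendSecure Support" <SendSecure.Support@example.invalid>
Subject: You have received a secure message from Bank Of America
Date: Wed, 20 Feb 2013 23:10:06 +0800

You have received a secure message.
"""

# Constructed counter-example: a permitted host (TEST-NET-1) delivers a mail
# that merely claims an earlier blocked hop. Only the top hop counts: it passes.
FORGED_DEEPER_HOP = """\
Received: from mail.example.invalid (mail.example.invalid [192.0.2.10])
Received: from spoofed.example.invalid ([114.41.160.224])
Subject: forged chain

body
"""

if __name__ == "__main__":
    if "--ipset" in sys.argv[1:]:
        print("\n".join(ipset_rules()))
        sys.exit(0)
    # procmail usage: message on stdin, exit status 0 means "drop it".
    sys.exit(0 if should_drop(sys.stdin.read()) else 1)
```

To wire it into procmail (assumed path, adjust to taste), use a recipe whose
condition line is "* ? /usr/local/bin/geofilter.py" and whose action is
/dev/null: procmail pipes the message to the program and treats exit status 0
as a match. Bear in mind this can only discard after your MTA has accepted the
mail and stored the zip; running the script with --ipset prints the ipset and
iptables commands that refuse the connection up front, which is the cheaper
place to do it.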