Interesting reading - http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

I used to have some pretty coarse geographic rules on my IPTables ruleset that helped.

Basically every time I spotted a lot of spam coming in, I would check to see if the IP was from China, Taiwan, Russia etc, if it was, I just blackholed the entire class A network :)

Worth considering... You can download lists of geographic IP space from various sources as well.


Stuart


On 20 February 2013 16:06, Max B <txtmax@yahoo.ca> wrote:


Hi All,

Recently I've been receiving some spam which is designed to target the intelligence of a 10-year-old (as compared with the 'Nigerian' spammers-of-yore approach to a pre-schooler level).

The spam looks to have been proofed by a GCSE-level reader.

This fraudulent forgery concerns me.
The trojan horse payload (not attached) is invariably wrapped up in a zip archive.  I've archived recent trojan payloads in case anyone is interested.

Domain hinet.net points to a Chinese host.  Domains also included in the route are presumably Russian.

Does anyone have a means to hinder or otherwise block this spam with a procmail script?  Something like a geographic filter for any email associated with China?  I don't deal with China.  Why would I wish to receive email that originates in China?  So I favour, at first glance, penning the Chinese behind a bespoke Great Wall.

I'm beyond fed up with these turds.

http://www.nytimes.com/2013/02/21/business/global/china-says-army-not-behind-attacks-in-report.html?_r=0

http://www.fastcompany.com/3006018/fast-feed/china-dismisses-new-york-times-allegations-army-backed-hacking-attempts-groundless

Does HMG collect spam in order to address this sort of denial at a diplomatic level?

The plausible deniability afforded the Chinese by this type of dynamic-ip attack is simply unacceptable.


---------- Forwarded message ----------
Return-Path: <horsy7@regallager.com>
Received: from 114-41-160-224.dynamic.hinet.net
    (114-41-160-224.dynamic.hinet.net [114.41.160.224])
Received: from [149.116.61.55] (helo=zrnrzypdry.kqfrfyskubrj.ua)
    by 114-41-160-224.dynamic.hinet.net with esmtpa (Exim 4.69)
    (envelope-from )
    id 1MMNDI-3322kk-MJ
From: "SendSecure Support" <SendSecure.Support@bankofamerica.com>
Subject: You have received a secure message from Bank Of America
Date: Wed, 20 Feb 2013 23:10:06 +0800
MIME-Version: 1.0
X-Priority: 3
X-Mailer: dwaitmwd.17
Message-ID: <3505121578.7AYSQSSK276767@rmoombwfwfc.ngayzodde.ru>
Content-Type: multipart/mixed;
  boundary="----=a__fcrap_85_52_22"


You have received a secure message.

Read your secure message by opening the attachment. You will be prompted
to open (view) the file or save (download) it to your computer. For best
results, save the file first, then open it.

If you have concerns about the validity of this message, please contact
the sender directly.

First time users - will need to register after opening the attachment.
Help - https://securemail.bankofamerica.com/websafe/help?topic=Envelope


_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
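An added example (not code from either poster, nor from the list) that puts Stuart's firewall idea and Max's procmail question together: take the connecting IP from the one Received header your own MTA wrote, look it up in a country prefix list, and either hand a verdict to a procmail recipe or generate the matching iptables rules. The prefix list and the pasted-in copy of the spam headers are constructed stand-ins; the three prefixes are placeholders, not real allocations. The check that matters for this particular message is which Received header to trust: only the topmost one came from the recipient's MTA. The second one, claiming a .ua relay, was written by the sending bot itself and can say anything, as can the bankofamerica.com From: line.

```python
"""Geo-filter on the SMTP connecting host, the way a procmail helper script
would, using only the Received header our own MTA added."""
import ipaddress
import re
from email import message_from_string

# Constructed stand-in for a downloaded country-to-CIDR list.  Real lists carry
# many prefixes per country; these three are placeholders for the demo and are
# NOT the real allocations of any network.
GEO_PREFIXES = {
    "TW": [ipaddress.ip_network("114.41.0.0/16")],     # constructed
    "CN": [ipaddress.ip_network("203.0.113.0/24")],    # constructed (TEST-NET-3)
    "RU": [ipaddress.ip_network("198.51.100.0/24")],   # constructed (TEST-NET-2)
}

# Constructed copy of the headers from the forwarded spam.  Received headers are
# prepended hop by hop, so only the first one was written by the recipient's
# MTA; the second one (the ".ua" relay) is attacker-supplied text.
SAMPLE_MESSAGE = """\
Return-Path: <horsy7@regallager.com>
Received: from 114-41-160-224.dynamic.hinet.net
    (114-41-160-224.dynamic.hinet.net [114.41.160.224])
Received: from [149.116.61.55] (helo=zrnrzypdry.kqfrfyskubrj.ua)
    by 114-41-160-224.dynamic.hinet.net with esmtpa (Exim 4.69)
From: "SendSecure Support" <SendSecure.Support@bankofamerica.com>
Subject: You have received a secure message from Bank Of America

You have received a secure message.
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw_message):
    """IP of the host that delivered the message to *our* MTA (topmost
    Received header).  Everything below that header is untrusted."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = IPV4_IN_BRACKETS.search(received[0])
    return m.group(1) if m else None


def country_of(ip):
    """Country code for ip according to GEO_PREFIXES, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in GEO_PREFIXES.items():
        if any(addr in net for net in nets):
            return cc
    return None


def sender_domains(raw_message):
    """(Return-Path domain, From: domain); a mismatch is a cheap forgery signal."""
    msg = message_from_string(raw_message)

    def domain(field):
        m = re.search(r"@([\w.-]+)", msg.get(field, "") or "")
        return m.group(1).lower() if m else None

    return domain("Return-Path"), domain("From")


def classify(raw_message, blocked_countries):
    """Verdict a procmail recipe can act on: geo_block if the connecting host
    sits in a blocked country; sender_mismatch if envelope and header differ."""
    ip = connecting_ip(raw_message)
    cc = country_of(ip) if ip else None
    envelope, header = sender_domains(raw_message)
    return {
        "ip": ip,
        "country": cc,
        "geo_block": cc in blocked_countries,
        "sender_mismatch": (envelope is not None and header is not None
                            and envelope != header),
    }


def iptables_rules(blocked_countries, chain="INPUT"):
    """Stuart's approach at the firewall, but one DROP per listed prefix
    rather than a whole /8 (a /8 is not a country)."""
    rules = []
    for cc in blocked_countries:
        for net in GEO_PREFIXES.get(cc, []):
            rules.append(f"iptables -A {chain} -s {net} -p tcp --dport 25 -j DROP")
    return rules


if __name__ == "__main__":
    verdict = classify(SAMPLE_MESSAGE, {"CN", "TW", "RU"})
    print(verdict)
    for rule in iptables_rules(["TW"]):
        print(rule)
    # procmail treats exit status 0 as "condition matched", so exit 0 to block.
    raise SystemExit(0 if verdict["geo_block"] else 1)
```

Run as a procmail helper, the script reads the message on stdin and a `* ? script` condition in the recipe uses its exit status to file the message away. Match on listed prefixes rather than on whole /8s: a /8 spans many networks and countries, and coarse blocks of that size also drop legitimate mail. The From: and the inner Received header are both forgeable, so neither should ever be the basis of a block on its own.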