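# JOE JOB PATTERNS
#
# Current patterns.
#
# Updated and verified 2/19/06
#
# How the recipes in this file work:
#
# * Every detection recipe is a weighted-scoring recipe.  The bare
#   "-1000^0" condition sets a baseline of -1000, "-200^1 ^[:;#>]"
#   subtracts a further 200 for every line that starts with one of
#   : ; # > (presumably to discount quoted or forwarded material), and
#   each signature condition adds its weight on its first match ("^0")
#   or on every match ("^1").  The recipe fires only when the total ends
#   up positive, so no single signature line is enough on its own; for
#   example the 300-point "innocent bystander" URLs in the 5/15/05
#   recipe need four hits before they clear the baseline by themselves.
# * The two negated "forwarded message" conditions stop the recipes
#   from scoring a copy of the joe job that someone forwarded to us.
# * "H ??" / "B ??" restrict a single condition to the header / body;
#   ":0 BH" makes the whole message the default search scope instead.
# * "(ÿ|\.|[=%]2E)" in hostname patterns accepts a literal dot or a
#   quoted-printable / URL-encoded dot ("=2E", "%2E").  NOTE(review):
#   what the ÿ alternative stands for is not visible in this file — it
#   is presumably substituted elsewhere in SpamBouncer; left untouched.
# * Negated "FIRSTEXIP ??" and "Received:" conditions exempt mail that
#   came from an address range that is presumably the joe-jobbed site's
#   own, so the victim's genuine mail is not logged as the attack.
# * The action blocks below only set LT3/LT4 and SBLOG and include
#   loglevel.rc; what happens to the message is decided there, not here.
# * procmail does not allow comments between ":0" and the action, so
#   all notes about individual conditions are kept in the section
#   header above each recipe.
#

# 1/20/06
#
# A series of joe jobs against Steve Linford at SpamHaus,
# appears perennial.
#
# http://www.spamhaus.org/
#
# The "Tele" condition now escapes the plus sign: "+" is a quantifier
# in procmail's egrep dialect, so the previous unescaped "Tele +44"
# could only match "Tele 44" (one or more spaces, no plus) and never
# the literal phone number.
#
:0
* ! --.*forwarded message --
* ! ^forwarded message:
* -1000^0
* -200^1 ^[:;#>]
* B ?? 500^0 ^[^0-9a-z]*From the Desk of Steve Linford$[^0-9a-z]*Spamhaus.org$
* B ?? 500^0 ^Tele \+44 \(0\)20 7667 5100$
{
  LT3=yes
  SBLOG="C3R-${TESTNAME} (Steve Linford/SpamHaus)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# 10/16/05
#
# 10/16/05:
# Joe-job against Kavkaz Center.
#
# 10/21/05:
# Morphed slightly, but same idiots.
#
# 10/21/05:
# Morphed again, using chains of Google redirectors and obfuscation to
# redirect to Kavkaz Center web site instead of a direct URL.
#
# 10/25/05:
# Morphed again. Pushy scumballs, whoever they are.
#
# LT4 is a section-local flag.  It is reset to "no" here, set to "yes"
# by any one of the three recipes that follow (a Kavkaz-looking From:
# that is not one of the real domains; a real domain whose first
# external IP is not 194.145.249.172-173; or the scored header/body
# signatures), and the last recipe of the section logs once if it is
# "yes".  The "LT4 ?? no" conditions keep the later recipes from
# re-evaluating a message that has already been flagged.
#
LT4=no

:0
* ^From:.*[^0-9a-z](Kavkaz( )*Center|\
  kavkaz[-_0-9a-z]*@|\
  [0-9a-z][-_0-9a-z]*@kavkaz[-_0-9a-z.]*)([^0-9a-z]|$)
* ! ^From:.*[^0-9a-z](kavkaz\.tv|\
  kavkaz\.uk\.com|\
  kavkaz\.org\.uk|\
  kavkazcenter\.com|\
  kavkazcenter\.net|\
  kavkazcenter\.info)([^0-9a-z.]|$)
{
  LT4=yes
}

:0
* LT4 ?? no
* ^From:.*[^0-9a-z](kavkaz\.tv|\
  kavkaz\.uk\.com|\
  kavkaz\.org\.uk|\
  kavkazcenter\.com|\
  kavkazcenter\.net|\
  kavkazcenter\.info)([^0-9a-z.]|$)
* ! FIRSTEXIP ?? ^(194\.145\.249\.17[2-3])$
{
  LT4=yes
}

# The third condition group below matches the obfuscated form: three
# chained Google "url?q=" redirectors, each hop allowing the dots in
# the hostname to be encoded.  NOTE(review): the unweighted
# "LT4 ?? no" condition sits inside a scoring recipe; it is assumed to
# act as a plain prerequisite — confirm against procmailrc(5).
#
:0
* LT4 ?? no
* ! --.*forwarded message --
* ! ^forwarded message:
* -1000^0
* -200^1 ^[:;#>]
* H ?? 600^0 ^From: Kavkaz Center <[0-9a-z][-_0-9a-z]+@([0-9a-z][-_0-9a-z]+\.)+[a-z]+>$
* H ?? 600^0 ^Subject: Kavkaz Center([^0-9a-z]|$)
* B ?? 600^0 (^|[^0-9a-z])http://([0-9a-z][-_0-9a-z]+\.)+\
  (kavkaz\.tv|\
  kavkaz\.uk\.com|\
  kavkaz\.org\.uk|\
  kavkazcenter\.com|\
  kavkazcenter\.net|\
  kavkazcenter\.info)([^0-9a-z.]|$)
* B ?? 600^0 (^|[^0-9a-z])http://([0-9a-z][-_0-9a-z](ÿ|\.|[=%]2E))*google(ÿ|\.|[=%]2E)[a-z]+/\
  url\?q=http://([0-9a-z][-_0-9a-z](ÿ|\.|[=%]2E))*google(ÿ|\.|[=%]2E)[a-z]+/\
  url\?q=http://([0-9a-z][-_0-9a-z](ÿ|\.|[=%]2E))*google(ÿ|\.|[=%]2E)[a-z]+/\
  url\?q=
* B ?? 600^0 ^We unsubscribe each email adress manually\.$
* B ?? 600^0 ^Please, be patient, it can takes 3-5 days\.$
* B ?? 300^0 ^ATTENTION! Administration of Kavkaz-Center informs $
* B ?? 300^0 ^that russian special services in an effort to carry out $
* B ?? 300^0 ^a provocation are sending out unsolicited emails \(SPAM\) $
* B ?? 300^0 ^!!!Kavkaz-Center notifies that it has no relation to this!!!$
* B ?? 300^0 ^and press \"Unsubscribe\" button\. Don\'t complain, please!$
* B ?? 300^0 ^We will never unsubscribe complainers!$
* B ?? 300^0 ^Visit us to read hot news:$
* B ?? 600^0 ^If you want to change your life,$\
  If you want to live in freedom,$\
  If you want to take off money from rich guys$\
  And give it out to poor people,$\
  It's time to big war!$\
  Join to us!$
{
  LT4=yes
}

:0
* LT4 ?? yes
{
  LT3=yes
  SBLOG="C3R-${TESTNAME} (Kavkaz Center)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# 9/15/05
#
# More "carder" joe job cr*p. I thought these guys had been
# shut down.
#
:0
* ! --.*forwarded message --
* ! ^forwarded message:
* -1000^0
* -200^1 ^[:;#>]
* H ?? 600^0 ^From:.*[^0-9a-z]root@cardingworld\.net([^0-9a-z]|$)
* B ?? 500^0 (^|[^0-9a-z])forum(ÿ|\.|[=%]2E)cardingworld(ÿ|\.|[=%]2E)net([^0-9a-z]|$)
* B ?? 500^0 (^|[^0-9a-z])www(ÿ|\.|[=%]2E)plastic-card(ÿ|\.|[=%]2E)org([^0-9a-z]|$)
{
  LT3=yes
  SBLOG="C3R-${TESTNAME} (CardingWorld.net)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# 9/12/05
#
# Joe-job against FusionPHP.
#
# 9/22/05 -- still spewing. :/
# 9/24/05 -- and still.
#
# ":0 BH" here, so the scored conditions search header and body
# without a per-condition "H ??" / "B ??" prefix.
#
:0 BH
* ! --.*forwarded message --
* ! ^forwarded message:
* -1000^0
* -200^1 ^[:;#>]
* 600^0 ^From: NOT SPAM $
* 500^0 ^Subject: Check out FUSIONPHP\.NET today!!!$
* 600^0 ^Hey man/woman,$
* 500^0 ^NOTE: THIS MESSAGE IS NOT SPAM and your \
  email was obtained from legal sources\.$
{
  LT3=yes
  SBLOG="C3R-${TESTNAME} (FusionPHP.net)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# 8/19/05
#
# Joe job against nitwit abusive "anti-spam" site
# bluesecurity.com. But joe-jobbing is not okay,
# even against sites that are themselves abusive.
#
# http://www.bluesecurity.com/
#
:0
* ! --.*forwarded message --
* ! ^forwarded message:
* -1000^0
* -200^1 ^[:;#>]
* H ?? 500^0 ^Subject:.*[^0-9a-z][0-9a-z][-_0-9a-z.]+, anti-spam system, Join now([^a-z0-9.]|$)
* B ?? 500^0 ^http://bluesecurity\.com $
* B ?? 500^0 (^|[^-_0-9a-z])anti-spam system, Join now!!([^a-z0-9.]|\. |\.$|$)
* B ?? 500^0 ^Prevent spam, by participying is a DDOS attacks against spam sites!!$
* B ?? 500^0 ^Automaticly send 1000s of complaints for each spam you recieve!!$
* B ?? 500^0 ^be 100% saved from spam!! as well as helping us ddos there sites!$
{
  LT3=yes
  SBLOG="C3R-${TESTNAME} (bluesecurity.com)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# 7/30/05
#
# Joe job against anti-phishing site millersmiles.co.uk.
#
# http://www.millersmiles.co.uk/
#
# Mail whose first external IP is in 67.15.49.0/24 is exempted up
# front (presumably the site's own mail servers).
#
:0
* ! --.*forwarded message --
* ! ^forwarded message:
* ! FIRSTEXIP ?? ^67\.15\.49\.[0-9][0-9]?[0-9]?$
* -1000^0
* -200^1 ^[:;#>]
* H ?? 500^0 ^Subject:.*[^0-9a-z](Bank of the West|Verify your information)([^a-z0-9.]|$)
* B ?? 500^0 (^|[^-_0-9a-z])www(ÿ|\.|[=%]2E)millersmiles(ÿ|\.|[=%]2E)co(ÿ|\.|[=%]2E)uk([^a-z0-9.]|\. |\.$|$)
* B ?? 500^0 (^|[^-_0-9a-z])toolbar(ÿ|\.|[=%]2E)netcraft(ÿ|\.|[=%]2E)com([^a-z0-9.]|\. |\.$|$)
* B ?? 500^0 (^|[^-_0-9a-z])YOU are on a list.*$?.*emai.*$?.*target.*$?.*(phishing|fraud)([^a-z0-9.]|\. |\.$|$)
{
  LT3=yes
  SBLOG="C3R-${TESTNAME} (millersmiles.co.uk)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# 6/05/05
#
# Joe job against porn site abbywinters.com.
#
# http://www.abbywinters.com/joejobbed.php
#
# Any message that passed through 66.240.192.0/18 (third octet 192-255)
# is exempted by the negated Received: condition (presumably the site's
# own netblock).
#
:0
* ! --.*forwarded message --
* ! ^forwarded message:
* ! ^Received:.*(66\.240\.19[2-9]\.[0-9][0-9]?[0-9]?|\
  66\.240\.2[0-4][0-9]\.[0-9][0-9]?[0-9]?|\
  66\.240\.25[0-5]\.[0-9][0-9]?[0-9]?)([^a-z0-9.]|$)
* -1000^0
* -200^1 ^[:;#>]
* H ?? 500^0 ^Subject: Australian natural teenagers$
* B ?? 800^0 (^|[^-_0-9a-z])abbywinters(ÿ|\.|[=%]2E)com([^a-z0-9.]|\. |\.$|$)
* B ?? 500^0 (^|[^-_0-9a-z])dirtiest site.*on the web([^a-z0-9.]|\. |\.$|$)
* B ?? 500^0 (^|[^-_0-9a-z])14-17.*australian girls([^a-z0-9.]|\. |\.$|$)
* B ?? 500^0 (^|[^-_0-9a-z])NATURAL PRETEEN GIRLS([^a-z0-9.]|\. |\.$|$)
{
  LT3=yes
  SBLOG="C3R-${TESTNAME} (abbywinters.com)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# 5/15/05
#
# It looks like the Sober virus criminals are at it again.
# A second round of "Nazi spammer" spam appeared in inboxes
# over the weekend. I'm treating it as a Joe Job mostly because
# the URIs in the message bodies are mostly or all innocent
# bystanders, and the spam run will probably die off in a week
# or two. Meanwhile, the IPs that sent this spam are getting
# listed here and everywhere as spam sources/trojaned Windows
# boxes.
#
# Weights: the 800-point headline lines and the "^1" domain list
# (800 per occurrence) carry the recipe; the bystander URLs are only
# 300 each so that a legitimate message citing one or two of them
# does not reach a positive score.
#
# Fixed the fhtw-berlin URL condition: it read "fhtw-berlin\.de.de"
# (an unescaped dot followed by a duplicated "de"), which could never
# match the real hostname; it is now "fhtw-berlin\.de".
#
:0
* !--.*forwarded message --
* !^forwarded message:
* -1000^0
* -200^1 ^[:;#>]
* H ?? 500^0 ^Subject:.*[^0-9a-z](4,8 Mill\. Osteuropaeer|\
  60 Jahre Befreiung|\
  Anordnung|\
  Arbeitnehmer|\
  Armenian Genocide|\
  Auf Streife|\
  augen auf|\
  Auslaender|\
  Auslaenderpolitik|\
  auslaendische|\
  ausspioniert|\
  beim Arzt abgezockt|\
  Berliner Wedding|\
  bevorzugt|\
  Blutige Selbstjustiz|\
  bundesdeutsche|\
  Deutsche Buerger|\
  deutschen Frau|\
  Deutschenmoerder|\
  Dresden 1945|\
  Dresden bombing|\
  Fischer-Volmer|\
  Gegen das Vergessen|\
  Graeberschaendung|\
  Massenhafter|\
  Multi-(Kriminell|Kulturell)|\
  Schily|\
  Sklaven gemacht|\
  S\.O\.S\. Kiez|\
  Stellenabbau|\
  Steuerbetrug|\
  Transparenz|\
  Tuerkei|\
  Turkish Tabloid|\
  Verbrechen|\
  Vorbildliche|\
  whore.*[^0-9a-z]German|\
  zum zahlen gebraucht)([^a-z0-9.]|$)
* B ?? 800^1 (^|[^-_0-9a-z])(globalfire\.tv|\
  npd\.de|\
  unserforum\.com)([^a-z0-9.]|$)
* B ?? 800^0 ^Deutsche Krankenversicherungen muessen fuer Harems-Frauen zahlen:$
* B ?? 800^0 ^EU-Abgeordnete goennen sich luxurioese Vollversorgung:$
* B ?? 800^0 ^Full Article:$
* B ?? 800^0 ^GEWALTEXZESS:$
* B ?? 800^0 ^Immer mehr Frauen prostituieren sich:$
* B ?? 800^0 ^Kassenfunktionaere vervierfachten Gehalt:$
* B ?? 800^0 ^Lese selbst:$
* B ?? 800^0 ^Parallelgesellschaften - Feind hoerte mit:$
* B ?? 800^0 ^Politiker zerreißt Menschenrechtsbericht:$
* B ?? 800^0 ^Polizeiexperten warnen:( )
* B ?? 800^0 ^Schily = Hitler$
* B ?? 800^0 ^Schily wehrt sich gegen Hitler-Vergleiche:$
* B ?? 800^0 ^Sie hat ja wie eine Deutsche gelebt:$
* B ?? 800^0 ^Sie war unerlaubt spazieren:$
* B ?? 800^0 ^STAATSPROPAGANDA:$
* B ?? 800^0 ^Tiere an Autobahn geschlachtet:$
* B ?? 800^0 ^und weisst es nicht einmal:$
* B ?? 800^0 ^Weiter auf:$
* B ?? 300^0 (^|[^-_0-9a-z])http://brandenburg\.rz\.fhtw-berlin\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://bz\.berlin1\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://forum\.gofeminin\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://hortnews\.stern\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.aktivefrauenfraktion\.tk([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.auslaendergewalt\.ch([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.bewaeltigen\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.buergerbewegungen\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.das-gibts-doch-nicht\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.deutschlandchronik\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.die-kommenden\.net([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.g-d-f\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.geocities\.com/scorpios2602([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.heise\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.jn-bw\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.jungefreiheit\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.kommunisten-online\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.kopfmord\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.leverkusener-aufbruch\.com([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.libasoli\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.mjoelnirsseite\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.my-rocknord\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.pro-koeln-online\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.radio-freiheit\.com([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.rocknord\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.rp-online\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://(service|www)\.spiegel\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.taz\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.un-nachrichten\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.wk-institut\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.zdf\.de([^a-z0-9.]|$)
* B ?? 300^0 (^|[^-_0-9a-z])http://www\.zukunft-europa\.info([^a-z0-9.]|$)
* B ?? 500^1 (^|[^-_0-9a-z])Elbmetropole([^a-z0-9.]|$)
* B ?? 500^1 (^|[^-_0-9a-z])Lazarettstadt Dresden([^a-z0-9.]|$)
* B ?? 500^1 (^|[^-_0-9a-z])ohne (Bewaffnung|militaerischen Nutzen)([^a-z0-9.]|$)
{
  LT3=yes
  SBLOG="C3R-${TESTNAME} (German Nationalist)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# 2/22/05
#
# Someone got mad at the owner/operator of fusionphp.net, and
# filled the rest of our mailboxes with cr*p to get back at him. :/
#
# Fixed the "pay you $5.00" condition: an unescaped "$" is a newline
# in procmail's regexp dialect, so the old "$5.00" could never match
# the literal amount; it is now "\$5\.00".
#
:0 BH
* !--.*forwarded message --
* !^forwarded message:
* -1000^0
* -200^1 ^[:;#>]
* H ?? 500^0 ^From:.*[^0-9a-z]fusionphp\.net([^a-z0-9.]|$)
* H ?? 500^0 ^Subject:.*[^0-9a-z]FusionPHP\.net([^a-z0-9.]|$)
* B ?? 300^0 ^Visit (fusionphp\.net|us) today, fullfilling your PHP needs!!!$
* B ?? 300^0 (^|[^-_0-9a-z])Forward this email to 250 people([^a-z0-9.]|\. |\.$|$)
* B ?? 300^0 (^|[^-_0-9a-z])we'll pay you \$5\.00 US dollars via paypal\.([^a-z0-9.]|\. |\.$|$)
* B ?? 300^0 (^|[^-_0-9a-z])Patatten Boerken([^a-z0-9.]|\. |\.$|$)
{
  LT3=yes
  SBLOG="C3R-${TESTNAME} (FusionPHP Revenge)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# 1/23/05
#
# Someone got really mad at the owner/operator of NarutoFan.com, and
# filled the rest of our mailboxes with cr*p to get back at him. :/
#
:0 BH
* !--.*forwarded message --
* !^forwarded message:
* -1000^0
* -200^1 ^[:;#>]
* H ?? 500^0 ^From:.*[^0-9a-z]kevin\.shiel@gmail\.com([^a-z0-9.]|$)
* H ?? 500^0 ^Subject: WDonate to NarutoFan\.com for Child Porn$
* B ?? 300^0 ^My name is Kevin Shiel and I am the webmaster from narutofan\.com$
* B ?? 300^0 (^|[^-_0-9a-z])LARGE AMOUNTS OF KIDDIE PORN([^a-z0-9.]|\. |\.$|$)
* B ?? 300^0 (^|[^-_0-9a-z])access to our whole kiddie porn([^a-z0-9.]|\. |\.$|$)
* B ?? 300^0 (^|[^-_0-9a-z])200 gigs of videos of girls 13 and under([^a-z0-9.]|\. |\.$|$)
{
  LT3=yes
  SBLOG="C3R-${TESTNAME} (NarutoFan Revenge)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# 1/11/05
#
# What appears to be an amusing attempt by one set of spyware purveyors/
# zombie runners to discredit and bring the wrath of various system
# administrators down on their opponents, much like the "Carder" wars
# of the last few months. :/ While the URLs in this message may well
# deserve to be listed on their own, the email I got absolutely *stinks*
# of joe job. Since I've never seen these URLs in any other email, they're
# listed here.
#
# The "[^0-9a-z]*$?[^0-9a-z]*" runs between words let a phrase match
# across a line break and through punctuation, so the signatures
# survive re-wrapping of the body text.
#
:0 BH
* !--.*forwarded message --
* !^forwarded message:
* -1000^0
* -200^1 ^[:;#>]
* H ?? 1100^0 ^Subject:.*[^0-9a-z]distribute spyware.*spam([^a-z0-9.]|$)
* B ?? 600^0 (^|[^-_0-9a-z])ads234(ÿ|\.|[=%]2E)com([^a-z0-9.]|\. |\.$|$)
* B ?? 600^0 (^|[^-_0-9a-z])midaddle(ÿ|\.|[=%]2E)com([^a-z0-9.]|\. |\.$|$)
* B ?? 600^0 (^|[^-_0-9a-z])overpro(ÿ|\.|[=%]2E)com([^a-z0-9.]|\. |\.$|$)
* B ?? 600^0 (^|[^-_0-9a-z])statblaster(ÿ|\.|[=%]2E)com([^a-z0-9.]|\. |\.$|$)
* B ?? 600^0 (^|[^-_0-9a-z])WILD MEDIA LLC([^a-z0-9.]|\. |\.$|$)
* B ?? 600^0 (^|[^-_0-9a-z])(advertis(ing|ment)|professionals).*$?.*spam[^0-9a-z]*$?[^0-9a-z]*and[^0-9a-z]*$?[^0-9a-z]*spyware(ÿ|\.|[=%]2E)com([^a-z0-9.]|\. |\.$|$)
* B ?? 600^0 (^|[^-_0-9a-z])spam[^0-9a-z]*$?[^0-9a-z]*and[^0-9a-z]*$?[^0-9a-z]*spyware.*$?.*(advertis(ing|ment)|professionals)([^a-z0-9.]|\. |\.$|$)
* B ?? 600^0 (^|[^-_0-9a-z])make[^0-9a-z]*$?[^0-9a-z]*money[^0-9a-z]*$?[^0-9a-z]*infecting[^0-9a-z]*$?[^0-9a-z]*users([^a-z0-9.]|\. |\.$|$)
* B ?? 600^0 (^|[^-_0-9a-z])users[^0-9a-z]*$?[^0-9a-z]*are[^0-9a-z]*$?[^0-9a-z]*helpless[^0-9a-z]*$?[^0-9a-z]*against.*$?.*trojan([^a-z0-9.]|\. |\.$|$)
* B ?? 600^0 (^|[^-_0-9a-z])every[^0-9a-z]*$?[^0-9a-z]*hole.*$?.*in[^0-9a-z]*$?[^0-9a-z]*microsoft([^a-z0-9.]|\. |\.$|$)
* B ?? 600^0 (^|[^-_0-9a-z])Andrew Greenberg([^a-z0-9.]|\. |\.$|$)
* B ?? 600^0 (^|[^-_0-9a-z])Michael Katz([^a-z0-9.]|\. |\.$|$)
* B ?? 600^0 (^|[^-_0-9a-z])abuse.*$?.*bulletproof[^0-9a-z]*$?[^0-9a-z]*servers([^a-z0-9.]|\. |\.$|$)
* B ?? 600^0 (^|[^-_0-9a-z])we[^0-9a-z]*$?[^0-9a-z]*are.*$?.*untouchable([^a-z0-9.]|\. |\.$|$)
* B ?? 600^0 (^|[^-_0-9a-z])We.*$?.*don.t[^0-9a-z]*$?[^0-9a-z]*care.*$?.*spyware[^0-9a-z]*$?[^0-9a-z]*laws([^a-z0-9.]|\. |\.$|$)
* B ?? 600^0 (^|[^-_0-9a-z])immediately[^0-9a-z]*$?[^0-9a-z]*d.?dosed([^a-z0-9.]|\. |\.$|$)
{
  LT3=yes
  SBLOG="C3R-${TESTNAME} (Spyware vs. Spyware?)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}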