Spam: SMTP & Proxy Communications in Email Body

An inbound email whose body carries SMTP and SOCKS5 proxy command-and-control details, such as a ":socks5:" field or a "127.0.0.1:1080" local proxy endpoint, with no attachments and only two to four links in the message.

Sublime rule

```yaml
name: "Spam: SMTP & Proxy Communications in Email Body"
description: |
    An email containing SMTP and Proxy (socks5) command and control information within the body of the message.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 0
  and 1 < length(body.links) < 5
  and regex.icontains(body.current_thread.text,
                      '(?:\:socks5:|::127.0.0.1:1080|:0:127.0.0.1:1080)'
  )
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
detection_methods:
  - "Content analysis"
id: "2bdc6a3b-1239-5644-b4bc-d31666ded22e"
```
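The rule's four conditions re-implemented in Python and run over constructed sample messages, as an added example that is not part of the Sublime rule or its repository. The regex is copied from the rule's source block; the Email class, its field names, and every sample body, host and address are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass, field

# Regex copied verbatim from the rule's source block. The dots in 127.0.0.1
# are unescaped, so they match any character ("127x0x0x1:1080" would also
# hit). IGNORECASE mirrors regex.icontains.
PROXY_PATTERN = re.compile(
    r'(?:\:socks5:|::127.0.0.1:1080|:0:127.0.0.1:1080)', re.IGNORECASE
)


@dataclass
class Email:
    """Minimal stand-in (an assumption for this example) for the message
    fields the rule reads: type.inbound, attachments, body.links and
    body.current_thread.text."""
    inbound: bool
    attachments: list = field(default_factory=list)
    links: list = field(default_factory=list)
    current_thread_text: str = ""


def matches_rule(email: Email) -> bool:
    """Evaluate the rule's conditions in order; all four must hold."""
    if not email.inbound:
        return False
    if len(email.attachments) != 0:
        return False
    # 1 < length(body.links) < 5  -> exactly 2, 3 or 4 links
    if not (1 < len(email.links) < 5):
        return False
    return PROXY_PATTERN.search(email.current_thread_text) is not None


# Constructed sample messages (not real captures). The credential strings use
# a colon-delimited "host:port:user:pass:socks5:proxyhost:proxyport" layout
# that the rule's regex is keyed on; hosts and IPs are documentation values.
SAMPLES = {
    "socks5_marker": Email(
        inbound=True,
        links=["https://example.com/a", "https://example.com/b"],
        current_thread_text=(
            "smtp.example.net:587:bob@example.net:Passw0rd!"
            ":socks5:198.51.100.7:1080\nsend from this account"
        ),
    ),
    "local_socks_port": Email(
        inbound=True,
        links=["https://example.com/a", "https://example.com/b", "https://example.com/c"],
        current_thread_text="smtp.example.org:25:alice:secret::127.0.0.1:1080",
    ),
    "zero_field_local_socks": Email(
        inbound=True,
        links=["https://example.com/a", "https://example.com/b"],
        current_thread_text="mx.example.org:465:carol:hunter2:0:127.0.0.1:1080",
    ),
    # Each of the following fails exactly one condition of the rule.
    "outbound": Email(
        inbound=False,
        links=["https://example.com/a", "https://example.com/b"],
        current_thread_text="smtp.example.net:587:bob:pw:socks5:198.51.100.7:1080",
    ),
    "has_attachment": Email(
        inbound=True,
        attachments=["config.txt"],
        links=["https://example.com/a", "https://example.com/b"],
        current_thread_text="smtp.example.net:587:bob:pw:socks5:198.51.100.7:1080",
    ),
    "one_link": Email(
        inbound=True,
        links=["https://example.com/a"],
        current_thread_text="smtp.example.net:587:bob:pw:socks5:198.51.100.7:1080",
    ),
    "five_links": Email(
        inbound=True,
        links=[f"https://example.com/{i}" for i in range(5)],
        current_thread_text="smtp.example.net:587:bob:pw:socks5:198.51.100.7:1080",
    ),
    "benign_body": Email(
        inbound=True,
        links=["https://example.com/a", "https://example.com/b"],
        current_thread_text="Hi team, the Q3 numbers are linked below. Thanks!",
    ),
}


def evaluate_samples() -> dict:
    """Return {sample name: rule verdict} for every constructed sample."""
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:24s} -> {'MATCH' if verdict else 'no match'}")
```

Running the block shows the three credential-style bodies matching and each of the five negative samples failing on a single condition, which is a quick way to confirm that the link-count bounds (strictly more than one, strictly fewer than five) and the no-attachment requirement behave as the MQL reads. The Sublime platform evaluates the MQL rule itself; this script only mirrors its logic for local testing.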