Spam: SMTP & Proxy Communications in Email Body

An email containing SMTP and Proxy (socks5) command and control information within the body of the message.

Sublime rule:

    name: "Spam: SMTP & Proxy Communications in Email Body"
    description: |
        An email containing SMTP and Proxy (socks5) command and control information within the body of the message.
    type: "rule"
    severity: "medium"
    source: |
      type.inbound
      and length(attachments) == 0
      and 1 < length(body.links) < 5
      and regex.icontains(body.current_thread.text,
                          ":socks5:|::127.0.0.1:1080|:0:127.0.0.1:1080"
      )

    attack_types:
      - "Spam"
    tactics_and_techniques:
      - "Free email provider"
    detection_methods:
      - "Content analysis"
    id: "2bdc6a3b-1239-5644-b4bc-d31666ded22e"
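To see what the rule's four conditions actually accept and reject, here is an added Python rendering of the `source` block (example code written for this page, not Sublime's own engine). The `Message` dataclass is an assumed stand-in for the real message schema, and the sample bodies are constructed, not captured spam. The regex is copied from the rule as written; note that its dots are unescaped, so each `.` matches any single character, which is slightly broader than a literal IP address.

```python
import re
from dataclasses import dataclass
from typing import List

# Same alternation the Sublime rule passes to regex.icontains. Dots are left
# unescaped exactly as on the page, so '.' matches any single character.
C2_PATTERN = re.compile(r":socks5:|::127.0.0.1:1080|:0:127.0.0.1:1080", re.IGNORECASE)


@dataclass
class Message:
    """Assumed, minimal stand-in for the Sublime message object (not the real schema)."""
    inbound: bool
    attachments: List[str]
    links: List[str]
    current_thread_text: str


def matches_rule(msg: Message) -> bool:
    """Evaluate the rule's `source` block condition by condition."""
    if not msg.inbound:                  # type.inbound
        return False
    if len(msg.attachments) != 0:        # length(attachments) == 0
        return False
    # 1 < length(body.links) < 5 is exclusive on both ends: 2, 3 or 4 links.
    if not (1 < len(msg.links) < 5):
        return False
    # regex.icontains: case-insensitive search anywhere in the thread text.
    return C2_PATTERN.search(msg.current_thread_text) is not None


def extract_indicators(text: str) -> List[str]:
    """Return every matched substring, for triage or alert enrichment."""
    return [m.group(0) for m in C2_PATTERN.finditer(text)]


# Constructed samples (not real messages). The first mimics the spammer
# "config dump" the rule targets: SMTP relay creds plus a SOCKS5 proxy.
SAMPLE_HIT = Message(
    inbound=True,
    attachments=[],
    links=["http://example.invalid/a", "http://example.invalid/b"],
    current_thread_text=(
        "smtp.example.invalid:587:user:pass:SOCKS5:proxy.example.invalid:1080\n"
        "http://example.invalid/a http://example.invalid/b"
    ),
)

# Same text, but five links: the link-count guard suppresses the rule.
SAMPLE_TOO_MANY_LINKS = Message(
    inbound=True,
    attachments=[],
    links=[f"http://example.invalid/{i}" for i in range(5)],
    current_thread_text=SAMPLE_HIT.current_thread_text,
)

# Inbound, two links, but an attachment is present: suppressed.
SAMPLE_WITH_ATTACHMENT = Message(
    inbound=True,
    attachments=["invoice.pdf"],
    links=["http://example.invalid/a", "http://example.invalid/b"],
    current_thread_text=SAMPLE_HIT.current_thread_text,
)

# Benign newsletter text with no indicator at all.
SAMPLE_BENIGN = Message(
    inbound=True,
    attachments=[],
    links=["http://example.invalid/a", "http://example.invalid/b"],
    current_thread_text="Our weekly update: http://example.invalid/a and http://example.invalid/b",
)


if __name__ == "__main__":
    for name, msg in [("hit", SAMPLE_HIT), ("too_many_links", SAMPLE_TOO_MANY_LINKS),
                      ("attachment", SAMPLE_WITH_ATTACHMENT), ("benign", SAMPLE_BENIGN)]:
        print(name, matches_rule(msg), extract_indicators(msg.current_thread_text))
```

Running the block prints one line per sample; only `hit` evaluates true, and `extract_indicators` shows which alternative fired, which is the detail an analyst wants in the alert rather than a bare boolean.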