SecureWorks (and everyone else) is reporting the Gozi Trojan is propagating using spam-delivered PDF exploits, based on GNUCitizen's PDF vulnerability. Here's a quickie measure to drop into your SpamAssassin rules files to block the current round of horribleness: Just look for the string
bWFpbHRvOiUvLi4vLi4vLi4vLi4vLi4vLi4v
and score it appropriately high as likely spam (depending on your antispam's signature interface, you may have to account for the randomly-inserted CRLFs from the normal line breaks MTAs insert).
It's pretty straightforward, really. There's surprisingly low entropy in the actual exploits circulating widely, so this will work like a champ to detect the malicious PDFs. Why this works: the above is the Base64 encoding of the maliciously formed mailto: handler. (If you don't believe me, go to OpinionatedGeek's handy JavaScript-based Base64 decoder here.)
This string, by itself, won't catch any meaningful variations (so keep your AV signatures and IPS filters up to date), nor is it tied strongly to the PDF file format itself, but it should be a good stopgap measure for antispam administrators for the next few days.
Note to TippingPoint users: This string is pretty good for a CSW against dport smtp, too. Again, be sure to include the optional CRLFs.
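As an added illustration (not code from the original post), here is how a mail filter can apply the signature while tolerating the line breaks warned about above: it reassembles a MIME-wrapped Base64 body before matching, and also builds the "optional CRLF between every character" form for engines that match raw wrapped lines. The attachment body is constructed here; only the signature string comes from the post.

```python
import base64
import re

# Base64 signature quoted in the post (the Gozi dropper's malformed mailto: handler).
GOZI_B64_SIGNATURE = "bWFpbHRvOiUvLi4vLi4vLi4vLi4vLi4vLi4v"


def decoded_signature() -> str:
    """Decode the signature to show what it actually matches: the start of
    the malformed mailto: handler the post describes."""
    return base64.b64decode(GOZI_B64_SIGNATURE).decode("ascii")


def crlf_tolerant_pattern(signature: str = GOZI_B64_SIGNATURE) -> re.Pattern:
    """Build the signature with an optional CRLF allowed between every pair
    of characters, for filters that inspect wrapped lines as-is (the
    'include optional CRLFs' advice for an IPS filter on smtp)."""
    return re.compile(r"(?:\r?\n)?".join(re.escape(c) for c in signature))


def normalize_base64_body(body: str) -> str:
    """Strip the CRLF/LF line breaks an MTA or MIME encoder inserts into a
    Base64 body, so a signature split across lines becomes contiguous."""
    return re.sub(r"\r?\n", "", body)


def matches_gozi_signature(body: str) -> bool:
    """Return True if the (possibly line-wrapped) Base64 body carries the signature."""
    return GOZI_B64_SIGNATURE in normalize_base64_body(body)


def wrap_mime(b64: str, width: int = 76) -> str:
    """Wrap a Base64 string at MIME's 76-column limit with CRLF, the way a
    mail transport would, so the signature can straddle a line break."""
    return "\r\n".join(b64[i:i + width] for i in range(0, len(b64), width))


# Constructed sample attachment body: 60 filler chars, then the signature, then
# more filler. The signature therefore straddles the first 76-column break, so
# a naive substring test on the raw body misses it while both methods above hit.
SAMPLE_BODY = wrap_mime("Q" * 60 + GOZI_B64_SIGNATURE + "Q" * 20)
```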
Note to security researchers: If you haven't snagged it yet, one of the original versions of the attack was posted to Full-Disclosure a couple days ago.
Stopgap Detection for the Gozi PDF Dropper
- By Tod Beardsley
- Fri 26 Oct 2007 23:19pm
Tags: base64,spam,gozi,pdf
Published On: 2007-10-26 23:19:20
