  cableties Premium join:2005-01-27
·Verizon FIOS
| Useless Legislators
Spammers= 10(nth power) CanSpam Act= 0
And our ISPs are so helpful and preventative. 
(I must say, kudos to the BBR security forums for their Faq and helpful supporters...Like CJ, etc...)  |
|
 firewire9999
join:2004-07-11 Livonia, MI | How are ISPs supposed to be responsible for this?
More like dumb people who open these attachments no matter how many times they have been told about it. |
|
  InGreenwood
@rr.com | reply to cableties
My ISP, CableOne, is blocking these emails if you have their myspam setting on. (It is on by default, you would have to turn it off yourself) |
|
  TKJunkMail Enjoy the sun Premium join:2002-03-03 Avalon, NJ
·Sprint Mobile Broa..
·Comcast
1 edit | My several Comcast accounts emails 1st go thru the Comcast filters and then automatically forward to Gmail for consolidation and offsite archiving. And Gmail spam filters usually catch 99.9% of what is left. So, maybe 1 a week makes it thru all the filters. So this flood doesn't overly concern me.
P.S. I have seen none of the messages mentioned in this new item. |
|
  W8ASA Tieng gi vay?
join:2000-07-31 Dayton, OH clubs:  | I have received several....
of these. All but one got past ATT/Yahoo and McAfee e-mail scans/filters. If only there were a way to "nuke" those farthing bastidges who sent them. -- Microwave and RF Components at www.ohiomicrowave.com |
|
  timcuth Braves Fan Premium join:2000-09-18 Pelham, AL clubs:
·AT&T Southeast
| I received one this morning
I received one in my (large corporate) office email, this morning. I briefly considered forwarding it to our spam address, but I figured they might get on my case about sending malware, so I just deleted it and went on my way.
Tim -- The shortest sentence is, "I am". The longest is, "I do". ~ Project Hope ~ |
|
  jstep73
join:2004-02-28 Rock Island, IL | I got one yesterday morning. I really like how the messages are always so cryptic and use very poor English. It surprises me that people still open these attachments. |
|
  LordFlux
join:2005-04-20 Warner Robins, GA
·Cox HSI
·Alltel Axess
| I don't understand...
I don't understand how anyone with a shred of common sense can open this e-mail. It's a very simple formula... if you don't know the person = delete the e-mail.
As for the particular spam e-mail at hand... I got one yesterday. My ISP used to have a decent SpamFilter in place. They upgraded their mail server software and the filter broke and no one has bothered to fix it. I love getting 400 e-mails a day from Ñ.Ñ. Ãîðøåíèí and Ô.Ô. Áóéëîâ... it makes me feel so special. |
|
  supergirl
join:2007-03-20 Pensacola, FL
·Cox VOIP
·Skype
·Cox HSI
·AT&T Southeast
·magicjack.com
| One is Coming from Network Solutions
Network Solutions NEVER sends emails to "update" your domain. Gmail just deletes the messages and I never see them. Outlook, Norton really, deletes the attachment.
I am still wondering why someone called Batman constantly emails me at Supergirl3000@gmail.com though.  |
|
  antiphishing Phishing Scam Terminator Premium join:2004-06-09 Wilkes Barre, PA
| largest "spam blasts" in the past twelve months
From: "Postmaster"
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: sgtpepper_1967@yahoo.com
Subject: Virus Detected!
File name: patch_92657.zip
File size: 38kb

From: "Support Team Robot"
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: html_edit@yahoo.com
Subject: Virus Alert!
File name: bugfix_16471.zip
File size: 38kb

From: "Support Team"
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: html_edit@yahoo.com
Subject: Virus Activity Detected!
File name: hotfix_25203.zip
File size: 38kb

From: "Customer Support Center"
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: html_edit@yahoo.com
Subject: Virus Detected!
File name: patch_1482.zip
File size: 38kb
--
Specializing in "takes downs" of phishing and advance fee scams Send your Phishing/Advance fee scams to: phish@antihotmail.com »/profile/1021645
|
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
2 edits | Most recent one I got is:
quote:
From: "Support Team" <***@cfl.rr.com>
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: (my wifey's address)
Subject: Virus Detected! ***VIRUS DETECTED: (encrypted)***
X-Orig-Subject:Virus Detected!
Attachment: removal-66943.zip
My Linux firewall/email server box adds the ***VIRUS DETECTED*** message to the subj. line when it detects nasties.
Seems like the headers are consistent, particularly the User-Agent header. It's always that particular build of Thunderbird.  -- Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK. |
|
 d0nni3q
join:2006-11-05 Meadville, PA | It's as simple as denying *.zip files for me. :-D |
|
  antiphishing Phishing Scam Terminator Premium join:2004-06-09 Wilkes Barre, PA
| reply to kpatz
said by kpatz: Most recent one I got is: Seems like the headers are consistent, particularly the User-Agent header. It's always that particular build of Thunderbird.
I noticed that particular point also regarding the Thunderbird build number.
I thought the junk email along with the Trojans were coming from a single zombie machine with the Thunderbird email software installed.
After looking at all the emails again, at three of the spams infected with the malware had different IP numbers associated with them, which leads me to believe that the information is forged.
X-Originating-IP: [189.169.127.165]
X-Originating-IP: [201.79.68.55]
X-Originating-IP: [162.39.116.180]
--
Specializing in "takes downs" of phishing and advance fee scams Send your Phishing/Advance fee scams to: phish@antihotmail.com »/profile/1021645
|
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
| They're using a botnet to distribute these, so chances are every copy you see will come from a different IP.
The Thunderbird header is likely hard-coded in the template used to construct the emails.
Some other things I've noticed: every one has two Received: headers. This makes it look like each email is being relayed through another SMTP server, but in my limited testing, the IP address that sent the spam didn't respond on port 25, so the second Received: is likely spoofed with a random IP.
The GIF files containing the message are formatted uniquely. The name of the GIF varies, as well. The width varies from one to next, causing the text to wrap/format differently across different samples. Of course, the attachment name and password are always different, too. The passwords seem to always be three letters, two numbers, so this is probably a fixed random password generator algorithm. -- Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK. |
|
  antiphishing Phishing Scam Terminator Premium join:2004-06-09 Wilkes Barre, PA
1 edit | said by kpatz: Some other things I've noticed: every one has two Received: headers. This makes it look like each email is being relayed through another SMTP server, but in my limited testing, the IP address that sent the spam didn't respond on port 25, so the second Received: is likely spoofed with a random IP.
I am starting to notice that the IP number in the "X-Originating-IP" line doesn't respond to port 25, 137, 139 or 443.
I am thinking the Trojan infected machine (66.8.213.116) is being used to send the junk email at a much higher port number.
canonical name cpe-66-8-213-116.hawaii.res.rr.com.
aliases
addresses 66.8.213.116
----------
X-Apparently-To: sgtpepper_1967@yahoo.com via 216.252.121.75; Fri, 13 Apr 2007 00:48:54 -0700
X-YahooFilteredBulk: 66.8.213.116
X-Originating-IP: [66.8.213.116]
Return-Path:
Authentication-Results: mta257.mail.re4.yahoo.com from=wsc.edu; domainkeys=neutral (no sig)
Received: from 66.8.213.116 (HELO cpe-66-8-213-116.hawaii.res.rr.com) (66.8.213.116) by mta257.mail.re4.yahoo.com with SMTP; Fri, 13 Apr 2007 00:48:52 -0700
Received: from ijg ([149.104.110.89]) by cpe-66-8-213-116.hawaii.res.rr.com with Microsoft SMTPSVC(6.0.3790.0); Thu, 12 Apr 2007 21:48:18 -1000
Message-ID:
Date: Thu, 12 Apr 2007 21:48:18 -1000
From: "Postmaster"
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: sgtpepper_1967@yahoo.com
Subject: Virus Detected!
----------
--
Specializing in "takes downs" of phishing and advance fee scams Send your Phishing/Advance fee scams to: phish@antihotmail.com »/profile/1021645
|
|
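The traits compared in the posts above (the fixed User-Agent string, the "Virus ..." subjects, the two Received: headers and the numbered .zip attachment names) can be checked together as a mail-filter rule. This is an added example, not part of any post; the function names, the threshold of three traits and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Traits the posters report for this campaign (values taken from the thread).
CAMPAIGN_UA = "Thunderbird 1.5.0.9 (Windows/20061207)"
CAMPAIGN_SUBJECTS = {"Virus Detected!", "Virus Alert!", "Virus Activity Detected!"}
ZIP_NAME = re.compile(r"^(patch|bugfix|hotfix|removal)[_-]\d+\.zip$", re.I)

def campaign_traits(raw):
    """Return the names of the campaign traits present in one raw message."""
    msg = message_from_string(raw)
    traits = []
    if (msg.get("User-Agent") or "").strip() == CAMPAIGN_UA:
        traits.append("user-agent")
    if (msg.get("Subject") or "").strip() in CAMPAIGN_SUBJECTS:
        traits.append("subject")
    if len(msg.get_all("Received") or []) == 2:
        traits.append("two-received")
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    if any(ZIP_NAME.match(n) for n in names):
        traits.append("zip-name")
    return traits

def is_campaign(raw, threshold=3):
    # Assumed threshold: one trait alone (a real Thunderbird user) is not enough.
    return len(campaign_traits(raw)) >= threshold

# Constructed sample in the shape of the posted headers (documentation addresses).
SAMPLE_SPAM = """\
Received: from 192.0.2.10 (HELO host.example.net) by mx.example.org with SMTP; Fri, 13 Apr 2007 00:48:52 -0700
Received: from ijg ([198.51.100.89]) by host.example.net with SMTP; Thu, 12 Apr 2007 21:48:18 -1000
From: "Postmaster" <postmaster@example.edu>
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
Subject: Virus Detected!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="patch_92657.zip"

(constructed placeholder body, not a real archive)
--b1--
"""

# Constructed legitimate message sent from the same Thunderbird build.
SAMPLE_BENIGN = ("Received: from mail.example.com by mx.example.org; Fri, 13 Apr 2007 09:00:00 -0400\n"
                 "User-Agent: " + CAMPAIGN_UA + "\nSubject: lunch?\n\nnoon works\n")
```

Scoring several traits together keeps the rule from flagging ordinary mail sent from that Thunderbird build, which matches only the User-Agent check.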
 AdamD
join:2002-01-09 Maspeth, NY | We don't have a spam problem. We have a stupidity problem. Actually, stupidity epidemic... A dog or cat can be taught not to do something, yet there are people stupid enough to open those attachments.
A. |
|
  antiphishing Phishing Scam Terminator Premium join:2004-06-09 Wilkes Barre, PA
| said by AdamD: We don't have a spam problem. We have a stupidity problem. Actually, stupidity epidemic... A dog or cat can be taught not to do something, yet there are people stupid enough to open those attachments. A.
I couldn't say it any better.  --
Specializing in "takes downs" of phishing and advance fee scams Send your Phishing/Advance fee scams to: phish@antihotmail.com »/profile/1021645
|
|
  Devanchya Smile Premium join:2003-12-09 Ajax, ON
·Bell Sympatico
| Infected Gif?
Anyone know if the gif it's sending is Infected with the recent Image bug in Sun Microsystems Java.
Just nasty part of my brain thinking of a way to attack some Java based e-mail clients... -- »www.codecipher.com - Marking the way to tomorrow's solutions |
|
  GamerGeek
join:2003-07-26 Fortuna, CA
| reply to LordFlux Re: I don't understand...
said by LordFlux: I don't understand how anyone with a shred of common sense can open this e-mail. It's a very simple formula... if you don't know the person = delete the e-mail. As for the particular spam e-mail at hand... I got one yesterday. My ISP used to have a decent SpamFilter in place. They upgraded their mail server software and the filter broke and no one has bothered to fix it. I love getting 400 e-mails a day from Ñ.Ñ. Ãîðøåíèí and Ô.Ô. Áóéëîâ... it makes me feel so special.
I think one thing you folks don't understand is that there are new computer users every day. They've had their computer for a whole week and are just getting their first run of emails, so they're going to open them thinking, "Maybe this is important!" I see them all the time, and I do tell them that if it's not an expected email, just delete it, but that doesn't always work, you see. |
|
  Britt
@covad.net
| Spam as Text
Well here's one.... I received not one... but two text messages on my cell phone last night (1 am... I was NOT happy)
Both were the text of this email and both came from spoofed domains.
Man I was annoyed... not only does it cost me to receive texts... but it also interrupted my beauty sleep :P
and Verizon told me "sorry, there's nothing we can do about that." grrrrrr |
|