antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
| reply to AdamD
Re: largest "spam blasts" in the past twelve months
said by AdamD  :We don't have a spam problem. We have a stupidity problem. Actually, stupidity epidemic... A dog or cat can be taught not to do something, yet there are people stupid enough to open those attachments. A. I couldn't say it any better. 
--
Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
|
|
AdamD
join:2002-01-09
Maspeth, NY | reply to antiphishing
We don't have a spam problem. We have a stupidity problem. Actually, stupidity epidemic... A dog or cat can be taught not to do something, yet there are people stupid enough to open those attachments.
A. |
|
antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
1 edit | reply to kpatz
said by kpatz :Some other things I've noticed: every one has two Received: headers. This makes it look like each email is being relayed through another SMTP server, but in my limited testing, the IP address that sent the spam didn't respond on port 25, so the second Received: is likely spoofed with a random IP. I am starting to notice that the IP number in the "X-Originating-IP" line doesn't respond to port 25, 137,139 or 443.
I am thinking the Trojan infected machine (66.8.213.116) is being used to send the junk email at a much higher port number.
canonical name cpe-66-8-213-116.hawaii.res.rr.com.
aliases
addresses 66.8.213.116
----------
X-Apparently-To: sgtpepper_1967@yahoo.com via 216.252.121.75; Fri, 13 Apr 2007 00:48:54 -0700
X-YahooFilteredBulk: 66.8.213.116
X-Originating-IP: [66.8.213.116]
Return-Path:
Authentication-Results: mta257.mail.re4.yahoo.com from=wsc.edu; domainkeys=neutral (no sig)
Received: from 66.8.213.116 (HELO cpe-66-8-213-116.hawaii.res.rr.com) (66.8.213.116) by mta257.mail.re4.yahoo.com with SMTP; Fri, 13 Apr 2007 00:48:52 -0700
Received: from ijg ([149.104.110.89]) by cpe-66-8-213-116.hawaii.res.rr.com with Microsoft SMTPSVC(6.0.3790.0); Thu, 12 Apr 2007 21:48:18 -1000
Message-ID:
Date: Thu, 12 Apr 2007 21:48:18 -1000
From: "Postmaster"
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: sgtpepper_1967@yahoo.com
Subject: Virus Detected!
----------
--
Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
|
|
kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
| reply to antiphishing
They're using a botnet to distribute these, so chances are every copy you see will come from a different IP.
The Thunderbird header is likely hard-coded in the template used to construct the emails.
Some other things I've noticed: every one has two Received: headers. This makes it look like each email is being relayed through another SMTP server, but in my limited testing, the IP address that sent the spam didn't respond on port 25, so the second Received: is likely spoofed with a random IP.
The GIF files containing the message are formatted uniquely. The name of the GIF varies, as well. The width varies from one to next, causing the text to wrap/format differently across different samples. Of course, the attachment name and password are always different, too. The passwords seem to always be three letters, two numbers, so this is probably a fixed random password generator algorithm.
--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK. |
|
antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
| reply to kpatz
said by kpatz :Most recent one I got is: Seems like the headers are consistent, particularly the User-Agent header. It's always that particular build of Thunderbird.  I noticed that particular point also regarding the Thunderbird build number.
I thought the junk email along with the Trojans where coming from a single zombie machine with the Thunderbird email software installed.
After looking at all the emails again, at three of the spams infected with the malware had different IP numbers associated with them, which leads me to believe that the information is forged.
X-Originating-IP: [189.169.127.165]
X-Originating-IP: [201.79.68.55]
X-Originating-IP: [162.39.116.180]
--
Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
|
|
d0nni3q
join:2006-11-05
Meadville, PA | reply to kpatz
It's as simple as denying *.zip files for me. :-D |
|
kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
2 edits | reply to antiphishing
Most recent one I got is:
quote:
From: "Support Team" <***@cfl.rr.com>
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: (my wifey's address)
Subject: Virus Detected! ***VIRUS DETECTED: (encrypted)***
X-Orig-Subject:Virus Detected!
Attachment: removal-66943.zip
My Linux firewall/email server box adds the ***VIRUS DETECTED*** message to the subj. line when it detects nasties.
Seems like the headers are consistent, particularly the User-Agent header. It's always that particular build of Thunderbird.
--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK. |
|
