Email from myself?

I just got a strange email which supposedly came from my own address. The subject was a 3-digit number and a different 3-digit number was in the body. I use Thunderbird as my email client and when I viewed the source, the "received from" IP address was different than my actual IP (after this happened I sent an email to myself to compare the two source contents).
Just to be on the safe side, I logged into my ISP's web site and changed all my passwords. Any thoughts?

Just a spammer testing addresses as part of his address harvesting scheme.

kw0 Premium Member join:2004-06-12 New Albany, OH
to pbagrat

madylarian The curmudgeonly Premium Member join:2002-01-03 Parkville, MD
to pbagrat
They're all over the place. Mine came from an ISP in Israel. I figured that someone was playing with the new bulk mail program they bought from a spam email.
mady

to pbagrat
You mean like this one:
Return-path: <mcneillb@shaw.ca>
Received: from pd7mr2no.prod.shaw.ca (pd7mr2no-qfe3.prod.shaw.ca [10.0.144.129]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003)) with ESMTP id <0J0F003K4B62XD@l-daemon> for mcneillb@shaw.ca; Mon, 05 Jun 2006 23:27:38 -0600 (MDT)
Received: from pd7mi2no.prod.shaw.ca ([10.0.149.115]) by pd7mr2no.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0J0F00BKAB61QPE0@pd7mr2no.prod.shaw.ca> for mcneillb@shaw.ca (ORCPT mcneillb@shaw.ca); Mon, 05 Jun 2006 23:27:38 -0600 (MDT)
Received: from Lenny.com ([210.19.250.57]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with SMTP id <0J0F002I0B5XNTN0@l-daemon> for mcneillb@shaw.ca; Mon, 05 Jun 2006 23:27:37 -0600 (MDT)
Date: Tue, 06 Jun 2006 13:30:47 +0800
From: Mcneillb <mcneillb@shaw.ca>
Subject: 586876
To: Mcneillb <mcneillb@shaw.ca>
Message-id: <qrswwxbkvwharqpccjp@shaw.ca>
MIME-version: 1.0
Content-type: text/html; charset=us-ascii
Content-transfer-encoding: 7bit
Original-recipient: rfc822;mcneillb@shaw.ca
X-Spam-Flag: Yes
X-Spam-Level: 5/5
Body of Message

Now the fun part is where did they get these from, as I don't generally use this email address in public, so it wasn't harvested from newsgroups for example. I wonder if someone got someone's site or email list? I'll check the domain filters tonight and see if perhaps they are randomly generating the addresses.
Blake

kw0 Premium Member join:2004-06-12 New Albany, OH
2006-Jun-6 10:40 am
They're probably just "brute forcing" sends, like a@shaw.ca, aa@shaw.ca, and so on.

said by kw0:
They're probably just "brute forcing" sends, like a@shaw.ca, aa@shaw.ca, and so on.
I'll check the domain filters on a couple of different domains tonight and see if that is what they are doing. I'll also check a couple of other addresses and see if they got this 'test' as well; if not, then I would suspect that something else is going on.
Blake

xmrocks Premium Member join:2003-09-23 Wherever
to pbagrat
I got that today, too! Odd that this thread has a few people, myself included, that have had similar experiences today. Below are the headers with the originating IP address (not mine, of course) of the sender in bold face. I'm pretty sure I didn't go to Russia overnight to e-mail myself ;)
Return-Path: <xxx@udel.edu>
Received: from md1.nss.udel.edu (md1.nss.udel.edu [128.175.1.11]) by ms3.nss.udel.edu (MOS 3.7.1-GA) with ESMTP id BCQ07098 (AUTH via LOGINBEFORESMTP); Tue, 6 Jun 2006 07:10:30 -0400 (EDT)
Received: from K315-1.com (s2005.shpl.ru [62.117.99.169]) by md1.nss.udel.edu (MOS 3.7.1-GA) with SMTP id BPL29411; Tue, 6 Jun 2006 07:09:43 -0400 (EDT)
Date: Tue, 06 Jun 2006 15:23:36 +0300
To: "xxx" <xxx@UDel.Edu>
From: "xxx" <xxx@UDel.Edu>
Subject: 57657
Message-ID: <ithgewdewnpabswvosu@udel.edu>
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Junkmail-Status: score=45/50, host=md1.nss.udel.edu
X-Junkmail-SD-Raw: score=suspect(10), refid=str=0001.0A090209.44856167.0030,ss=2,fgs=0, ip=62.117.99.169, so=2005-09-30 22:39:37, dmn=5.2.4/2006-05-04
X-Junkmail-Whitelist: YES (by xxx at ms3.nss.udel.edu)

<html><body> 969
<br> </body></html>

s2005.shpl.ru [62.117.99.169]

to pbagrat
Just in from SANS:
Published: 2006-06-06, Last Updated: 2006-06-06 12:31:16 UTC by Swa Frantzen (Version: 1)
A new twist in spammer tactics is being reported, although we're not sure what their goal is at the moment.
Users report receiving messages appearing to originate from themselves, with only numbers as subject and body.
The body does appear to be HTML encoded, but it's so basic as to not pose a threat so far.
It would be a good idea to investigate if you can drop email that appears to be from your own organization while originating outside of it. If your users do not send such email (e.g. because they use a VPN to connect back to the inside while on the road), dropping that email might cut down on a few spams.
Some fun while on this subject - it's a Tuesday after a 3 day weekend in some countries: All relations to the SPAM luncheon meat product are purely accidental, even if it was inspired by a 1975 sketch from Monty Python. Most of us think spam started back in 1994 when two lawyers advertised their green card scam in each and every usenet newsgroup. Some digging around revealed much earlier attempts in 1978 on the precursor to the modern Internet. It just goes to show you're never around for too long to learn something new.
» isc.sans.org/diary.php?s ··· 1384&rss
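The SANS suggestion quoted above (drop mail that claims your own domain as sender but reaches your mail server from outside) and the header tracing that Link Logger and xmrocks did by hand earlier in the thread both key on the same header. The script below is an added example, not from this thread, from SANS or from any of the posters' setups: it walks the Received chain from the newest header downward, the way the tracing posts read it, and stops at the first hop outside the organisation's own networks, because every older Received line was written by the sender and can be forged. The two sample messages, the hostnames and addresses in them, and the `example.org` / `10.0.0.0/8` organisation are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages modelled on the headers quoted in this thread.
# Hostnames and addresses are documentation/test values, not real hosts.
# The oldest Received line in SPOOFED was "written" by the sender and is bogus.
SPOOFED = """\
Return-Path: <alice@example.org>
Received: from mx1.example.org (mx1.example.org [10.0.144.129])
    by ms3.example.org with ESMTP id ABC123; Tue, 6 Jun 2006 07:10:30 -0400 (EDT)
Received: from K315-1.com (pool-57.example.net [203.0.113.57])
    by mx1.example.org with SMTP id DEF456; Tue, 6 Jun 2006 07:09:43 -0400 (EDT)
Received: from forged.invalid ([192.0.2.9]) by K315-1.com; Tue, 6 Jun 2006 07:09:00 -0400
To: "alice" <alice@example.org>
From: "alice" <alice@example.org>
Subject: 57657
Content-Type: text/html; charset="us-ascii"

<html><body> 969
<br> </body></html>
"""

LEGIT = """\
Received: from mx1.example.org (mx1.example.org [10.0.144.129])
    by ms3.example.org with ESMTP id GHI789; Tue, 6 Jun 2006 09:00:00 -0400 (EDT)
Received: from laptop.example.org (laptop.example.org [10.0.149.115])
    by mx1.example.org with ESMTP id JKL012; Tue, 6 Jun 2006 08:59:59 -0400 (EDT)
To: "alice" <alice@example.org>
From: "alice" <alice@example.org>
Subject: lunch?

see you at noon
"""

# Assumed: the networks the organisation's own mail servers and clients live on.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ORG_DOMAIN = "example.org"

# Received lines record the connecting client as "from HELO-name (rdns [ip])".
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_FROM_RE = re.compile(r"^from\s+(\S+)", re.I)


def received_hops(raw):
    """Return [(helo_name, client_ip), ...] in the order the Received headers
    appear, i.e. newest first: the top one was added by our own server."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        m_from = _FROM_RE.match(flat)
        m_ip = _IP_RE.search(flat)
        hops.append((m_from.group(1) if m_from else None,
                     m_ip.group(1) if m_ip else None))
    return hops


def originating_ip(raw, internal_nets=INTERNAL_NETS):
    """Walk from the newest Received header downward and return the first
    client address outside our networks. Stop there: headers older than that
    were supplied by the sender and cannot be trusted."""
    for _helo, ip in received_hops(raw):
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in internal_nets):
            return ip
    return None  # every hop was internal: the mail never left the organisation


def is_self_spoof(raw, org_domain=ORG_DOMAIN):
    """True when From: claims the organisation's domain but the connecting
    client was outside it, the case the SANS note suggests dropping."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return from_domain == org_domain.lower() and originating_ip(raw) is not None


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, originating_ip(raw), is_self_spoof(raw))
```

The rule is applied only to hops recorded by a server you control: the client IP your own MX wrote down is reliable, the Received lines below it are not, which is why the forged `192.0.2.9` line in the sample is never reached. In a real deployment the same policy is expressed in the MTA or through SPF/DMARC, as jimkyle's SPF remark later in the thread illustrates; the script only shows which header the decision keys on.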
to pbagrat
I got that today also; the subject was 154543 and it had 969 as the body. Also, on another forum I go to there are at least 30 more people who got the same emails. Interesting.

I got it from my work and home addresses. I can see my home, but work, strange... 2 different computers and clients.

masrotaj join:2003-07-09 Fort Lauderdale, FL
Me too, from an email addy I rarely use. My main address was also used.

jimkyle Btrieve Guy Premium Member join:2002-10-20 Oklahoma City, OK
to pbagrat
I got two of them this morning. The one I traced using DNSStuff originated at host210-51.pool8542.interbusiness.it according to the initial "received from" header.
FWIW I've also been getting pounded by having my domain spoofed as the source for spam. Even though I have SPF on the domain, I'm still getting more than 100 bounce notices daily. All are trapped out by PopFile and Eudora's junk mail filters, but it's definitely a drag...

masrotaj join:2003-07-09 Fort Lauderdale, FL
Just a thought: I notice someone wrote they use Thunderbird for their e-mail client. I am also using Thunderbird. Is anyone using a different client?

jimkyle Btrieve Guy Premium Member join:2002-10-20 Oklahoma City, OK
2006-Jun-6 12:28 pm
I'm using Eudora.

to Link Logger
said by Link Logger:
Now the fun part is where did they get these from as I don't generally use this email address in public, so it wasn't harvested from news groups for example. I wonder if someone got someone's site or email list?
Am I missing something here, or did you just post your email address to a public discussion group in your email headers? From: Mcneillb <mcneillb@shaw.ca> ;)
Aaron

DrewCapu Giant Diehard join:2001-12-19 California
to pbagrat
As long as neither of the 3-digit numbers is 666, you should be fine. /me hasn't received any weird 6/6/6 emails yet today.

to wishera
Now that someone seems to have it, it's of no value keeping it secret, as now every spammer on the planet will have it.
Most spam is sent to randomly created addresses, but this case seems to be interesting, in the sense of how did they get it to begin with and why does it seem they got a whole bunch at the same time.
Blake

to pbagrat
I haven't gotten this one yet but am sure that I will, unless my ISP has already filtered it out of my incoming mail. Once again, what a waste of time and space. It's too bad that these spammers can't spend their time doing something worthwhile.

Worfus The cake is a lie join:2001-01-23 Richfield, WI
to Link Logger
said by Link Logger:
...how did they get it to begin with and why does it seem they got a whole bunch at the same time.
Perhaps the NSA sprang a leak overnight.

said by Worfus:
Perhaps the NSA sprang a leak overnight.
They always leak information; typical government group, good at collecting info, better at leaking it.
Blake

Fobulous Premium Member join:2002-08-14 Missouri City, TX
to pbagrat
Got the same email too, body is 969, country of origin is Poland. quote:
Received: from x.com (bwi56.neoplus.adsl.tpnet.pl [83.29.232.56]) by mx.gmail.com with SMTP id m16si6509308nfc.2006.06.06.07.14.37; Tue, 06 Jun 2006 07:14:37 -0700 (PDT)
Received-SPF: neutral (gmail.com: 83.29.232.56 is neither permitted nor denied

to pbagrat
» groups.google.com/group/ ··· f70e0fc7
That person there shows how this can be done using telnet, FYI. I didn't know that was possible.

to pbagrat
So what information could someone glean from this? If the mail was delivered or not? Something about the servers, network infrastructure, what? I doubt someone is doing this just for the sake of doing this.
Blake

to masrotaj
Outlook XP for my home POP account and Outlook for my work Exchange account.

to pbagrat
I wonder why the body of the message is either 5556 or 969 in almost all of these emails?
And many people who get the 5556 in the body have 586876 as the subject.

to pbagrat
Count me in too... I got the same E-mail on my work E-mail (navy.mil).

to jakoe420
said by jakoe420:
I wonder why the body of the message is either 5556 or 969 in mostly all of these emails?
Tuning of a new spamming system perhaps?
Blake

CajunTek Insane Cajun Premium Member join:2003-08-08 Arlington, TX
2006-Jun-6 2:23 pm
said by Link Logger:
said by jakoe420:
I wonder why the body of the message is either 5556 or 969 in mostly all of these emails?
Tuning of a new spamming system perhaps?
Blake
That would be my bet.

ReVeLaTeD Premium Member join:2001-11-10 San Diego, CA
to pbagrat
I got it in Gmail. Spam/phishing filter didn't catch it.