Re: largest "spam blasts" in the past twelve months in http://www.dslreports.com/forum/r18165264 en Sat, 28 Nov 2009 20:39:46 EDT Sat, 28 Nov 2009 20:39:46 EDT Re: largest "spam blasts" in the past twelve months http://www.dslreports.com/forum/remark,18167003 antiphishing :
said by AdamD See Profile :

We don't have a spam problem. We have a stupidity problem. Actually, stupidity epidemic... A dog or cat can be taught not to do something, yet there are people stupid enough to open those attachments.

A.
I couldn't say it any better. :D
--

Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
]]> http://www.dslreports.com/forum/remark,18167003 Fri, 13 Apr 2007 19:33:41 EDT Re: largest "spam blasts" in the past twelve months http://www.dslreports.com/forum/remark,18166499 AdamD : We don't have a spam problem. We have a stupidity problem. Actually, stupidity epidemic... A dog or cat can be taught not to do something, yet there are people stupid enough to open those attachments.

A.]]> http://www.dslreports.com/forum/remark,18166499 Fri, 13 Apr 2007 18:01:18 EDT Re: largest "spam blasts" in the past twelve months http://www.dslreports.com/forum/remark,18165444 antiphishing :
said by kpatz See Profile :

Some other things I've noticed: every one has two Received: headers. This makes it look like each email is being relayed through another SMTP server, but in my limited testing, the IP address that sent the spam didn't respond on port 25, so the second Received: is likely spoofed with a random IP.

I am starting to notice that the IP number in the "X-Originating-IP" line doesn't respond to port 25, 137,139 or 443.

I am thinking the Trojan infected machine (66.8.213.116) is being used to send the junk email at a much higher port number.

canonical name cpe-66-8-213-116.hawaii.res.rr.com.
aliases
addresses 66.8.213.116

----------
X-Apparently-To: sgtpepper_1967@yahoo.com via 216.252.121.75; Fri, 13 Apr 2007 00:48:54 -0700
X-YahooFilteredBulk: 66.8.213.116
X-Originating-IP: [66.8.213.116]
Return-Path:
Authentication-Results: mta257.mail.re4.yahoo.com from=wsc.edu; domainkeys=neutral (no sig)
Received: from 66.8.213.116 (HELO cpe-66-8-213-116.hawaii.res.rr.com) (66.8.213.116) by mta257.mail.re4.yahoo.com with SMTP; Fri, 13 Apr 2007 00:48:52 -0700
Received: from ijg ([149.104.110.89]) by cpe-66-8-213-116.hawaii.res.rr.com with Microsoft SMTPSVC(6.0.3790.0); Thu, 12 Apr 2007 21:48:18 -1000
Message-ID:
Date: Thu, 12 Apr 2007 21:48:18 -1000
From: "Postmaster"
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: sgtpepper_1967@yahoo.com
Subject: Virus Detected!
----------


--

Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
]]> http://www.dslreports.com/forum/remark,18165444 Fri, 13 Apr 2007 14:59:36 EDT Re: largest "spam blasts" in the past twelve months http://www.dslreports.com/forum/remark,18165372 kpatz : They're using a botnet to distribute these, so chances are every copy you see will come from a different IP.

The Thunderbird header is likely hard-coded in the template used to construct the emails.

Some other things I've noticed: every one has two Received: headers. This makes it look like each email is being relayed through another SMTP server, but in my limited testing, the IP address that sent the spam didn't respond on port 25, so the second Received: is likely spoofed with a random IP.

The GIF files containing the message are formatted uniquely. The name of the GIF varies, as well. The width varies from one to next, causing the text to wrap/format differently across different samples. Of course, the attachment name and password are always different, too. The passwords seem to always be three letters, two numbers, so this is probably a fixed random password generator algorithm.
--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK.]]> http://www.dslreports.com/forum/remark,18165372 Fri, 13 Apr 2007 14:45:44 EDT Re: largest "spam blasts" in the past twelve months http://www.dslreports.com/forum/remark,18165264 antiphishing :
said by kpatz See Profile :

Most recent one I got is:


Seems like the headers are consistent, particularly the User-Agent header. It's always that particular build of Thunderbird. ;)
I noticed that particular point also regarding the Thunderbird build number.

I thought the junk email along with the Trojans where coming from a single zombie machine with the Thunderbird email software installed.

After looking at all the emails again, at three of the spams infected with the malware had different IP numbers associated with them, which leads me to believe that the information is forged.

X-Originating-IP: [189.169.127.165]
X-Originating-IP: [201.79.68.55]
X-Originating-IP: [162.39.116.180]
--

Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
]]> http://www.dslreports.com/forum/remark,18165264 Fri, 13 Apr 2007 14:23:33 EDT Re: largest "spam blasts" in the past twelve months http://www.dslreports.com/forum/remark,18165232 d0nni3q : It's as simple as denying *.zip files for me. :-D]]> http://www.dslreports.com/forum/remark,18165232 Fri, 13 Apr 2007 14:17:31 EDT Re: largest "spam blasts" in the past twelve months http://www.dslreports.com/forum/remark,18165167 kpatz : Most recent one I got is:

quote:
From: "Support Team" <***@cfl.rr.com>
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: (my wifey's address)
Subject: Virus Detected! ***VIRUS DETECTED: (encrypted)***
X-Orig-Subject:Virus Detected!
Attachment: removal-66943.zip


My Linux firewall/email server box adds the ***VIRUS DETECTED*** message to the subj. line when it detects nasties.

Seems like the headers are consistent, particularly the User-Agent header. It's always that particular build of Thunderbird. ;)
--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK.]]> http://www.dslreports.com/forum/remark,18165167 Fri, 13 Apr 2007 14:03:15 EDT largest "spam blasts" in the past twelve months http://www.dslreports.com/forum/remark,18164875 antiphishing : From: "Postmaster"
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: sgtpepper_1967@yahoo.com
Subject: Virus Detected!
File name: patch_92657.zip
File size: 38kb

From: "Support Team Robot"
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: html_edit@yahoo.com
Subject: Virus Alert!
File name: bugfix_16471.zip
File size: 38kb

From: "Support Team"
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: html_edit@yahoo.com
Subject: Virus Activity Detected!
File name: hotfix_25203.zip
File size: 38kb

From: "Customer Support Center"
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: html_edit@yahoo.com
Subject: Virus Detected!
File name: patch_1482.zip
File size: 38kb
--

Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
]]> http://www.dslreports.com/forum/remark,18164875 Fri, 13 Apr 2007 13:04:49 EDT