Sign in to follow this  
Followers 0

Phishing attempts to my spamcop account

5 posts in this topic

Delivered-To: <myemail>

Received: (qmail 4960 invoked from network); 17 Sep 2010 10:58:28 -0000

Received: from unknown (HELO ([])

(envelope-sender <ox[at]>)

by (qmail-1.03) with SMTP

for <myemail>; 17 Sep 2010 10:58:28 -0000

X-IronPort-Anti-spam-Result: AtERAFvmkkzYmsMxf2dsb2JhbAAKBJQihW2HdxUBAQoKDBgEHowGhwKtf4VBBIRGiH0

Received: from ([])

by with ESMTP; 17 Sep 2010 03:58:27 -0700

Received: from unknown (HELO ([])

by with SMTP; 17 Sep 2010 06:58:27 -0400

Received: (qmail 17745 invoked by uid 1010); 17 Sep 2010 10:58:27 -0000

Delivered-To: spamcop-net-<myname>[at]

Received: (qmail 17681 invoked from network); 17 Sep 2010 10:58:26 -0000

X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter8


X-spam-Status: hits=0.1 tests=HTML_MESSAGE,RDNS_NONE version=3.2.4

Received: from unknown (

by with QMQP; 17 Sep 2010 10:58:26 -0000

Received: from unknown (HELO YBTBJES) (

by with SMTP; 17 Sep 2010 10:58:25 -0000

Received: from ( [])

by with esmtp

id 5A849F-000946-63

for ljl[at]; Fri, 17 Sep 2010 14:58:19 +0300

Received: from samlab ( by (LSMTP for Windows NT v1.1b) with SMTP id <3.C0CBAD1D[at]>; Fri, 17 Sep 2010 14:58:19 +0300

Date: Fri, 17 Sep 2010 14:58:19 +0300

From: "Winfred Joiner" <ox[at]>

To: ljl[at]

Message-ID: <57114311.39684104853195612400.JavaMail.ita[at]samlab>

Subject: Please help me

MIME-Version: 1.0

Content-Type: multipart/mixed;




Content-Type: text/plain; charset=iso-8859-1

Content-Transfer-Encoding: 7bit

Please help me to take over the accounting duties during the period Jackie will be gone. Make arrangements so that you will be able to issue checks and know where to deposit received checks.


Content-Type: text/html; name="52399xls.html"

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename="52399xls.html"














Share this post

Link to post
Share on other sites

Thanks mplungjan. Any idea what that bit of JavaÐ…cript (the HTML attachment) you were sent does?

Can you refer to these things by way of a Tracking URL rather than as a paste-in of the actual spam? The forum formatting and badword filter changes stuff posted here, there can sometimes be live links to bad places and, although munged slightly, there is exposure of (usually) innocent addresses etc. when you post the spam in public.

Share this post

Link to post
Share on other sites

Well, I'm not a coder's bootlace (the more refined way to say it, if the phrase seems unfamiliar) but ...

From several different code fragments in the (decoded) attachment it seems to be (slightly?) related to jsunpack - probably an unpacker for a lightning download then - though no source for the download is apparent to me. Lots of people might get "caught" by such a thing (if they have scripting allowed on their browser/mail client) if there is an actual payload and whatever that ultimate payload's function(s) might be would be anyone's guess - but identity theft is potentially the most serious.

Nasty - or not sent by anyone wishing you well anyway.

Share this post

Link to post
Share on other sites

FYI for whatever it's worth

I've been getting similar stuff, seems to be increasing every day.

Really low spam assassin score on most of these. Successful filtering is usually by CBL or one of the other BLs.




Share this post

Link to post
Share on other sites
FYI for whatever it's worth

I've been getting similar stuff, seems to be increasing every day.

Well worth raising SL, seems it was and is a 'zero day' sort of thing. Zero detections from the massed AV engines at VirusTotal when the O/P first raised the topic but now my resident Norton says Trojan.Webkit!html -
Discovered: October 9, 2007

Updated: October 9, 2007 4:42:01 PM

Type: Trojan

Infection Length: Varies

Systems Affected: Windows 98, Windows 95, Windows XP, Solaris, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Linux, Windows 2000

Trojan.Webkit!html is a generic detection for HTML files containing malicious code to redirect users to malicious Web servers.

A successful compromise by a malicious Web server may result in additional malicious files being downloaded to the compromised computer

Seems the 'unescape' coding within the scri_pt may be variable and/or some random characters outside the active body of code may be variable - which successfully defeats initial detection - the O/P's version was not picked up by Norton until yesterday's/today's updates. Haven't specifically checked yours but that's what I think is happening - the hash values will be variable, the code content may appear variable until unescape codes resolved, the redirection destination (which is well obfuscated, I can't see it) may be variable, very likely each day's version of the thing will be undetectable as a threat to most scanners for some days after release.

HTML attachments/content in spam have been around for ages - the prudent assumption is, if they are in spam they probably *are* malicious but this is the first time I have personally verified an instance. Well, apart from a few web bugs (can't assume they are history either - to keep a step ahead, spammers sometimes step backwards). The 'inconvenience' of safe practice (no scripting allowed, no preview of email, view text only, don't read obvious spam at all, don't open unknown attachments or click on unknown links, query/prevent redirections) seems to be vindicated once again.

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
Followers 0