mgolden Posted May 6, 2010

[edit] Links broken - all still alive at time of checking.

The distribution method is normal for Google Groups (click the link and download the zip). I submitted one of those files to virustotal:
File size: 136966 bytes
MD5: f5dd55f1889a864e71315c69e7cdfcb4
SHA1: 7d8238e6bfa69d109c8030b24c7b4cb6bf813062
Result: 13/40 (32.50%)
Mostly identified as Gen:Variant.Renos.26 trojan horse, Virtool.Win32.Obfuscator.ha!a (v), etc.
"VirTool:Win32/Obfuscator are detections for programs that have had their purpose obfuscated to hinder analysis or detection by anti-virus scanners." - http://www.microsoft.com/security/portal/T...dia/Browse.aspx
Yep, yet another attempt at assimilation.

I submitted one of the setup.zip attachments that are coming in every few minutes to virustotal. It had a 22/41 hit with most identifications being FakeAV. I've got the SpamCop email A/V option enabled but it NEVER catches anything. Any ideas as to why?
dbiel Posted May 6, 2010

I am beginning to think that Cisco/IronPort/SpamCop could care less about the SpamCop phishing emails that keep going out. There is absolutely no reason why any mail with an attached zip file and bearing the key words that would flag a phishing attempt should be getting into our inboxes unless SpamAssassin has been turned off or white lists are being used. To think that these phishing emails are getting SpamAssassin scores of under 5 tells me that nobody is minding the store at SpamCop.
Farelf Posted May 6, 2010

> I submitted one of the setup.zip attachments that are coming in every few minutes to virustotal. It had a 22/41 hit with most identifications being FakeAV. I've got the SpamCop email A/V option enabled but it NEVER catches anything. Any ideas as to why?

The purpose of virustotal is to try enough AV engines to *almost* guarantee detection by some of them if it really is a viral load (and to alert the others that they need to extend their detection). But, sadly, no single product can be relied upon to catch most early-issue viruses/downloaders, etc. I don't know what the SC email uses for AV, but the viruses can be trivially modified to stay in front of signature detection, so almost any AV is going to be fairly-well useless against the leading edge of an attack. The key, as dbiel suggests, might be some custom work on the SpamAssassin keywords and so on (especially if the attack mail is supposed to look 'official', therefore some words are going to be nigh-on unavoidable). I don't know how feasible that might be (but it's not happening). If you're getting these things in your inbox every few minutes then the situation is really serious.
michaelanglo Posted May 6, 2010

> I've got the SpamCop email A/V option enabled but it NEVER catches anything. Any ideas as to why?

The SpamCop webmail A/V was altered some years back to silently discard anything it found. This followed a period where floods of notification emails were just as much trouble as the viruses themselves. SpamCop webmail tried restoring the notification at least once but the flood problem proved intractable. So if any viruses are being caught by SpamCop mail, sorry, you are not told.
StevenUnderwood Posted May 8, 2010

> The SpamCop webmail A/V was altered some years back to silently discard anything it found. This followed a period where floods of notification emails were just as much trouble as the viruses themselves. SpamCop webmail tried restoring the notification at least once but the flood problem proved intractable. So if any viruses are being caught by SpamCop mail, sorry, you are not told.

In fact, I'm not sure you can turn it off. I don't think the switch does anything at this point.
petzl Posted May 8, 2010

> In fact, I'm not sure you can turn it off. I don't think the switch does anything at this point.

Some years ago JT turned it/notification off by default (the "switch" does nothing); never been told it is back on (and don't want it on, as it is a pest).
pilgrim1 Posted May 10, 2010

Hi Folks,

Not that I think for a second anyone would be fooled by this, I just wondered if anyone else has been seeing these types of emails lately. They seem to be dripping at an ever increasing rate into my SpamCop account in recent days.

They come in with the following Subject:
setting for your mailbox intramore[at]spamcop.net are changed

I've also seen:
settings for your mailbox whitefort[at]spamcop.net are changed
and various others.

They purport to come from:
From: "spamcop.net support"

And the body contains the following:
SMTP and POP3 servers for intramore[at]spamcop.net mailbox are changed. Please carefully read the attached instructions before updating settings.
http://mamapapabrat.googlegroups.com/web/setup.zip

Hmm, setup.zip, must be OK, I'll be downloading that then.

For anyone interested, if you are fool enough to follow the link (no I wasn't) it takes you to a Google Groups page with a download link on it. Should you be really hard of thinking and click this link, it will in turn attempt to download the following virus (from a URL so long it's not worth posting and possibly generated in real time):
Trojan.Win32.FraudPack.avmz
According to Kaspersky it is helpfully listed as "Performs potentially dangerous activity" and seems to be the usual: bot control, zombie, master of the universe type of stuff.

The SpamCop header for this one looks like this:
Return-Path: <spirits7[at]redwordsaid.com>
Received: (qmail 4832 invoked from network); 9 May 2010 02:40:36 -0000
X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter7
X-spam-Level: **
X-spam-Status: hits=2.9 tests=DOS_OE_TO_MX,RDNS_NONE,STOX_REPLY_TYPE version=3.2.4

So there you have it, well worth the read.

Regards
CC

[live link broken]
Farelf Posted May 10, 2010

Precisely the same discussed above. Ok, I suppose that thread is getting a trifle long and mentions many different types, but I think I will merge these anyway.
pilgrim1 Posted May 10, 2010

> Precisely the same discussed above. Ok, I suppose that thread is getting a trifle long and mentions many different types, but I think I will merge these anyway.

Hi Farelf, sorry I didn't see this in the thread, wood and trees and all that, apologies, just trying to be helpful.

Regards
CC
mgolden Posted May 10, 2010

> http://mamapapabrat.googlegroups.com/web/setup.zip

Yea, the mamapapabrat version came in all weekend long. It's obvious no one is manning the abuse desk at Google Groups on the weekend and the hackers obviously know it.

Here is my up to date list of links since my last post:

Friday:
hxxp://groups.google.com/group/ecd112
hxxp://groups.google.com/group/bkaboy

Saturday & Sunday:
hxxp://groups.google.com/group/mamapapabrat

Today:
hxxp://groups.google.com/group/mimozkaa
hxxp://groups.google.com/group/iglaaa
hxxp://groups.google.com/group/smogggly
hxxp://groups.google.com/group/partersss
hxxp://groups.google.com/group/zippiiix
hxxp://groups.google.com/group/creterx
hxxp://groups.google.com/group/tacumbex
hxxp://groups.google.com/group/mozilloid
hxxp://groups.google.com/group/craterx
hxxp://groups.google.com/group/creterx
hxxp://groups.google.com/group/perlox
hxxp://groups.google.com/group/morozx
hxxp://groups.google.com/group/tacumbex
hxxp://groups.google.com/group/traxers
hxxp://groups.google.com/group/zeraxer

All reported to Google abuse, for what good it will do.

Edit. Just checked. All these links are still active. Even the ones reported Friday.
Farelf Posted May 11, 2010

> Hi Farelf, sorry I didn't see this in the thread, wood and trees and all that, apologies, just trying to be helpful.

Yep, understand that and your efforts are appreciated.

> Yea, the mamapapabrat version came in all weekend long. It's obvious no one is manning the abuse desk at Google Groups on the weekend and the hackers obviously know it. ... All reported to Google abuse, for what good it will do. Edit. Just checked. All these links are still active. Even the ones reported Friday.

Yes, perhaps it is as hypothesised before - it may take a certain critical mass of reports to get the take-down fast-tracked - otherwise some regular and slower verification process is invoked. I guess some other reporters are running out of steam. But if no-one reports they never get kicked off. We've seen Google Groups and other services abused before. Eventually the service gets on top of the abuse and the spammers look for an easier target. Until next time. Part of the evolutionary/'product cycle' process which we must endure. Since these are (as yourself, pilgrim1 and I have verified) actual zombification-type exploit attacks with the potential to degrade the internet even more, it seems remiss of GG not to adopt a greater sense of urgency. Yet 'they' (owners) never do. :angry:
MyNameHere Posted May 11, 2010

I wonder if reporting this spam/virus scam to the AV vendors instead of to Google would get any more traction? I would think that someone spreading malware would be of interest to McAfee, Symantec, AVG, and so on. They might be able to influence Google into taking some action. ?
dbiel Posted May 11, 2010

I also have received the same new phishing attempt. But what bothers me is why no one at SpamCop has done anything to keep them out of our inboxes. Even I could build a simple filter that would deal with most of these, as there are more than enough common pieces of info like a .zip file attached, from: spamcop.net support. But then again, the personal filters at SpamCop do not run if you are using IMAP or POP to access your SpamCop.net mail. So the only assumption I find possible to draw is that nobody at SpamCop gives a damn about doing anything about the ongoing SpamCop phishing attempts. If they did, we would be finding them in our held mail folder, not in our inbox.

edit
After looking in my heldmail folder (I very seldom check it anymore) I find a lot of phishing emails there, so maybe my previous post was a bit too harsh.
MyNameHere Posted May 11, 2010

> I also have received the same new phishing attempt. But what bothers me is why no one at SpamCop has done anything to keep them out of our inboxes. <snip> edit After looking in my heldmail folder (I very seldom check it anymore) I find a lot of phishing emails there, so maybe my previous post was a bit too harsh.

Yep, most of them are in my Held Mail, too. A few in the Inbox. It's just that there are so many--you don't realize how many until you look in the Held Mail.

Which leads me to another question. I suppose it doesn't cost the spammer/hacker very much to spew these out, but how many "hits" can they be getting? Are they doing this just to annoy us? Is this something they're doing just to SpamCop or is it other mail service providers, too? I haven't seen it on my Hotmail or Gmail or ISP accounts so far.
Farelf Posted May 11, 2010

> I wonder if reporting this spam/virus scam to the AV vendors instead of to Google would get any more traction? I would think that someone spreading malware would be of interest to McAfee, Symantec, AVG, and so on. They might be able to influence Google into taking some action.

If you submit samples to VirusTotal the signature gets passed to any other participating AVs who want to update. Seems not all do. Not sure Google takes much notice of anybody but that's probably unfair.

> ...Are they doing this just to annoy us? Is this something they're doing just to SpamCop or is it other mail service providers, too? I haven't seen it on my Hotmail or Gmail or ISP accounts so far.

As commented back in an earlier response this does not seem unique to SC mail accounts. Hotmail and Gmail probably do a better job of filtering and silently dropping anything sent to those accounts. One of the reasons the total volume of spam is pretty much an unknown - like "If a tree falls in a forest and nobody hears it ...?"
MyNameHere Posted May 11, 2010

Thanks, Farelf. Sorry I missed the earlier post that covered both of my questions. I skimmed a little too quickly. But I want my mail service to let me decide what is junk and what isn't, so I'm glad SC keeps all of it (except those with virus loads attached). No matter how good an automated system is, it will occasionally "execute" some "innocent" emails.
dra007 Posted May 11, 2010

This may be unrelated but I am getting an unusually high number of e-mails requesting me to inspect attachments. Fortunately they get identified, tagged, removed to the virus collection and defanged by my postini filter. This is a cute example... but I have seen as many as 1-200 a day of these pointing to various sources and having various types of malware attached even though the content seems identical (they must love me):

Received: from source ([90.211.253.112]) by exprod7mx251.postini.com ([64.18.6.11]) with SMTP; Tue, 11 May 2010 12:10:43 EDT
Received: from 90.211.253.112 by dev.null; Tue, 11 May 2010 17:10:37 +0000
To:
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Msmail-Priority: Normal
X-PSTN-Levels: (S: 1.83648/99.90000 CV: 0.0000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-PSTN-Neptune: 17/16/0.94/86
X-Priority: 3
X-Pstnvirus: PSTN-MalwareDetection
Date: Tue, 11 May 2010 17:10:37 +0000
From: "Katheryn Lundy" <darrenoi371[at]HomeSoul.com>
To: <unknown[at]pitt.edu>
Subject: New resume. Please review my CV, Thank you!

Question is why would I even want to review anyone's CV?
Farelf Posted May 11, 2010

> ...This may be unrelated but I am getting an unusual high number of e-mails requesting me to inspect attachments.... Question is why would I even want to review anyone's cv?

Same approach but adapted to institutions and businesses. They will try anything that might coincide with your responsibilities. Or to fool you into forwarding it to a colleague whose responsibility it is (who then has his/her guard down a little bit). Probably works quite well in smaller organizations with broader individual scope of function and anything slightly misdirected is routinely passed on (I know I've almost been caught a few times).
mgolden Posted May 12, 2010

Heh.

[19:45 EDT] Please be alert to the fact that there are a lot of phishes being sent pretending to be mail about your SpamCop email account -- they may contain an attachment or may be just a link to googlegroups. Do not open the attachment; do not click the link.
StevenUnderwood Posted May 14, 2010

Man, I am enjoying greylisting and wondering what you are talking about. I have received none of these and have received 1 spam in the held mail in the last 3 weeks.
moltar Posted May 30, 2010

Admin edit: Moved this 'new' Post from the Reporting Help Forum and merged it into this existing E-mail Account Forum Topic/Discussion. PM sent to advise of this action.

Replaced my domain with mydomain.com. The email is fwded from spamcop to my other account.

Received: from m6b.mxes.net ([unix socket]) by m6b.mxes.net (Cyrus v2.3.12) with LMTPA; Sat, 29 May 2010 21:51:00 -0400
X-Sieve: CMU Sieve 2.3
Return-Path: <helpdesk[at]spamcop.net>
Received: from 216.86.168.176 by m6b.mxes.net (bayesd) with LMTP id 1275184260-83382-10 for <rf_mydomain.com[at]ms6.mxes.net>; Sat, 29 May 2010 21:51:00 -0400 (EDT)
Received: from local_scanner.mxes.net (mxout-01.mxes.net [216.86.168.176]) by mxout-01.mxes.net (Postfix) with ESMTP id D4BE98A110 for <rf[at]mydomain.com>; Sat, 29 May 2010 21:50:59 -0400 (EDT)
Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by mxin.mxes.net (Postfix) with ESMTPS id 5455B8A10A for <rf[at]mydomain.com>; Sat, 29 May 2010 21:50:59 -0400 (EDT)
Received: from unknown (HELO filter7.cesmail.net) ([192.168.1.217]) by c60.cesmail.net with SMTP; 29 May 2010 21:50:54 -0400
Received: (qmail 21502 invoked by uid 1010); 30 May 2010 01:50:58 -0000
Cc: recipient list not shown:;
Delivered-To: spamcop-net-moltar[at]spamcop.net
Received: (qmail 21405 invoked from network); 30 May 2010 01:50:48 -0000
Received: from unknown (192.168.1.88) by filter7.cesmail.net with QMQP; 30 May 2010 01:50:48 -0000
Received: from avas104.indosat.net.id (219.83.54.104) by mxin1.cesmail.net with SMTP; 30 May 2010 01:52:49 -0000
X-IronPort-Anti-spam-Filtered: true
X-IronPort-Anti-spam-Result: AoUOAK9gAUzKmzKE/2dsb2JhbACDFkOBfox3ixiBRogvpCqCeoNOiQIOgRiBSQgFgS9rBINGiU4Bgxw
X-IronPort-AV: E=Sophos;i="4.53,325,1272819600"; d="scan'208";a="38903006"
Received: from sumatera.indosat.net.id (HELO ms1.indosat.net.id) ([202.155.50.132]) by avas114.indosat.net.id with ESMTP; 30 May 2010 08:50:36 +0700
Received: from banda (202.155.50.142) by ms1.indosat.net.id (7.3.104) id 4BDFAC190039A3B4; Sun, 30 May 2010 08:39:39 +0700
Message-ID: <31284045.391721275183579719.JavaMail.defaultUser[at]defaultHost>
Date: Sun, 30 May 2010 08:39:39 +0700 (WIT)
From: "helpdesk[at]spamcop.net" <helpdesk[at]spamcop.net>
Reply-To: customer_centre11[at]live.com
Subject: Your Account Update
MIME-Version: 1.0
Content-Type: text/plain;charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-SpamCop-Checked: 219.83.54.104 202.155.50.132 202.155.50.142
X-Virus-Scanned: ClamAV, Sophos
X-spam-Score: 1.6
X-spam-Check: Enabled,6.0,13.0,1,1,42,1,0,0,1,1,0,0,0,[spam],
X-spam-Status: No, score=1.6 threshold=6.0,13.0
X-spam-Sys-BayesResult: Unsure, 0.627370
X-spam-Report: Content analysis details:
-0.0 SPF_PASS SPF: sender matches SPF record
1.6 MISSING_HEADERS Missing To: header
X-spam-Scoring: 1,6
X-Originating-IP: 216.154.195.49
X-Envelope-To: <rf[at]mydomain.com>
X-EsetId: 43E7BC27AF5D190911AB

Dear spamcop Customer
There is an on going changes/upgrading in your E-mail Account,please send us your E-mail ID and password to enter into our database operating system for upgrading in other to avoid your account be close
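The "simple filter" dbiel says he could build, written out as a small Python rule set that scores the tells visible in this thread: a From claiming spamcop.net with a Reply-To or Return-Path at another domain, the "settings for your mailbox ... are changed" subject, a googlegroups .zip link or a .zip attachment from "support", no To: header (SpamAssassin's MISSING_HEADERS hit in moltar's sample), and a request for the account password. This is an added example, not SpamCop's, IronPort's or SpamAssassin's code. The three sample messages are constructed to resemble the posted ones; every address, domain and googlegroups group name in them is a placeholder, not a live indicator.

```python
"""Added example (not from the thread): a rule-based filter for the
'spamcop.net support' / 'helpdesk' phish pattern discussed in this topic.
Sample messages are constructed; addresses, domains and the googlegroups
group name are placeholders, not live indicators."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

CLAIMED_DOMAIN = "spamcop.net"   # the domain these phishes impersonate


def _domain(header_value) -> str:
    """Lower-cased domain of the first address in a header, or '' if none."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str):
    """Return (score, [rule names]) for a raw RFC 5322 message. One point per rule;
    a site would tune weights, this just shows which tells each sample trips."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    from_hdr = str(msg.get("From") or "")
    claims_support = _domain(from_hdr) == CLAIMED_DOMAIN or CLAIMED_DOMAIN in from_hdr.lower()
    reply_dom, rp_dom = _domain(msg.get("Reply-To")), _domain(msg.get("Return-Path"))
    if claims_support and reply_dom and reply_dom != CLAIMED_DOMAIN:
        hits.append("REPLYTO_DOMAIN_MISMATCH")     # replies are steered elsewhere
    if claims_support and rp_dom and rp_dom != CLAIMED_DOMAIN:
        hits.append("RETURNPATH_DOMAIN_MISMATCH")  # envelope sender is not the claimed sender
    if re.search(r"settings? for your mailbox .+ are changed", str(msg.get("Subject") or ""), re.I):
        hits.append("SUBJ_MAILBOX_CHANGED")
    if not str(msg.get("To") or "").strip():
        hits.append("MISSING_TO")                  # the MISSING_HEADERS tell
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if re.search(r"https?://[\w.-]*googlegroups\.com/\S*\.zip|groups\.google\.com/group/", text, re.I):
        hits.append("GOOGLEGROUPS_ZIP_LINK")
    if claims_support and re.search(r"\b(password|e-?mail id)\b", text, re.I):
        hits.append("ASKS_FOR_PASSWORD")           # a provider never needs your password by mail
    if claims_support and any((p.get_filename() or "").lower().endswith(".zip")
                              for p in msg.iter_attachments()):
        hits.append("ZIP_FROM_SUPPORT")
    return len(hits), hits


def build_samples() -> dict:
    """Three constructed messages: the setup.zip lure, the password-harvesting lure,
    and an ordinary personal mail that must not trigger anything."""
    zip_lure = EmailMessage()
    zip_lure["Return-Path"] = "<spirits7@redwordsaid.example>"
    zip_lure["From"] = '"spamcop.net support" <support@spamcop.net>'
    zip_lure["To"] = "user@spamcop.net"
    zip_lure["Subject"] = "settings for your mailbox user@spamcop.net are changed"
    zip_lure.set_content("SMTP and POP3 servers for user@spamcop.net mailbox are changed.\n"
                         "Please carefully read the attached instructions before updating settings.\n"
                         "http://placeholder-group.googlegroups.com/web/setup.zip\n")
    zip_lure.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                            subtype="zip", filename="setup.zip")

    pw_lure = EmailMessage()
    pw_lure["From"] = '"helpdesk@spamcop.net" <helpdesk@spamcop.net>'
    pw_lure["Reply-To"] = "customer_centre11@example.com"
    pw_lure["Cc"] = "recipient list not shown:;"
    pw_lure["Subject"] = "Your Account Update"
    pw_lure.set_content("Dear spamcop Customer\nThere is an on going changes/upgrading in your "
                        "E-mail Account, please send us your E-mail ID and password.\n")

    benign = EmailMessage()
    benign["From"] = '"A Friend" <friend@example.org>'
    benign["To"] = "user@spamcop.net"
    benign["Subject"] = "Lunch on Friday?"
    benign.set_content("Noon at the usual place? Reply to this thread if not.\n")
    return {k: m.as_string() for k, m in
            (("zip_lure", zip_lure), ("pw_lure", pw_lure), ("benign", benign))}


if __name__ == "__main__":
    for name, raw in build_samples().items():
        print(f"{name:9s} -> {score_message(raw)}")
```

Each rule here is cheap header or body matching of the kind Farelf describes as custom SpamAssassin work; unlike an AV signature, none of them depends on the payload, so repacking the zip does not evade them. The Return-Path and Reply-To checks are heuristics and will also fire on some legitimate bulk mail, which is why a real deployment scores and thresholds rather than rejecting on any single hit.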
agsteele Posted May 30, 2010

> Man, I am enjoying greylisting and wondering what you are talking about. I have received none of these and have received 1 spam in the held mail in the last 3 weeks.

Me too... I've been on vacation for a week and returned to 1 message in held mail and two that completely slipped through, and a zillion (well maybe a few less) that will need attention when I return to work on Tuesday after our public holiday weekend. None are phishing-style emails. Grey-listing is exceedingly good at keeping this junk out of my mailbox.

Andrew
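Why greylisting works so well against this particular flood, shown as a small Python model of a greylisting policy daemon. This is an added example and is not SpamCop's implementation; the delay, retry window, auto-whitelist period and /24 grouping of client IPs are assumptions modelled on common defaults (postgrey groups by subnet in this way), and the IPs and addresses in simulate() are constructed test data. The point it demonstrates is that a spam cannon which fires each message once from a fresh bot never sees a second chance, while a conforming MTA that retries after a temporary failure is delivered and then remembered.

```python
"""Added example (not part of this thread): a minimal greylisting core in the
shape of a Postfix-style policy check. Timings and subnet grouping are assumptions."""
from dataclasses import dataclass, field
import ipaddress

DEFER = "450 4.2.0 Greylisted, please retry later"   # temporary failure: real MTAs retry
ACCEPT = "DUNNO"                                     # policy-daemon convention: let later checks decide


@dataclass
class Greylist:
    delay: int = 300                   # seconds a new triplet must wait before acceptance
    retry_window: int = 4 * 3600       # a triplet not retried within this is forgotten
    auto_whitelist: int = 35 * 86400   # accepted triplets are remembered this long
    subnet_bits: int = 24              # group client IPs by /24 (large senders rotate outbound hosts)
    _seen: dict = field(default_factory=dict)   # key -> [first_seen, last_seen, accepted]

    def _key(self, client_ip: str, sender: str, recipient: str):
        net = ipaddress.ip_network(f"{client_ip}/{self.subnet_bits}", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def check(self, client_ip: str, sender: str, recipient: str, now: int) -> str:
        """Decide one delivery attempt at time `now` (seconds; injected for determinism)."""
        key = self._key(client_ip, sender, recipient)
        rec = self._seen.get(key)
        if rec is None:                              # never seen: record and defer
            self._seen[key] = [now, now, False]
            return DEFER
        first, last, accepted = rec
        if accepted:
            if now - last > self.auto_whitelist:     # whitelist entry expired: start over
                self._seen[key] = [now, now, False]
                return DEFER
            rec[1] = now
            return ACCEPT
        if now - first > self.retry_window:          # retried far too late: treat as new
            self._seen[key] = [now, now, False]
            return DEFER
        rec[1] = now
        if now - first < self.delay:                 # retried, but too soon
            return DEFER
        rec[2] = True                                # patient retry: accept and remember
        return ACCEPT


def simulate():
    """Constructed scenario: three one-shot bots versus one MTA that retries."""
    gl = Greylist()
    log = []
    # Spam cannon: each bot sends exactly once and never retries (constructed test IPs).
    for i, ip in enumerate(["198.51.100.10", "203.0.113.77", "192.0.2.200"]):
        log.append(("bot", gl.check(ip, f"bot{i}@example.net", "victim@example.org", now=1000 + i)))
    # Conforming MTA: deferred, retries 15 minutes later, accepted; a message a day later
    # from another host in the same /24 is whitelisted on the same triplet.
    log.append(("mta-1st", gl.check("192.0.2.25", "friend@example.com", "victim@example.org", now=1000)))
    log.append(("mta-retry", gl.check("192.0.2.25", "friend@example.com", "victim@example.org", now=1900)))
    log.append(("mta-next", gl.check("192.0.2.26", "friend@example.com", "victim@example.org", now=87400)))
    return log


if __name__ == "__main__":
    for who, verdict in simulate():
        print(f"{who:10s} {verdict}")
```

The cost is the one-time delay on first contact with a new sender, which is what StevenUnderwood and agsteele are trading for near-empty held-mail folders. The trade-off to watch is senders that retry from a different IP each time; grouping by /24 absorbs most of that, and the usual fix for the rest is a whitelist of known large MTA pools.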
juanv Posted August 18, 2010

Where does one send a phishing email to report it?
turetzsr Posted August 19, 2010

Hi, juanv,

...Please have a look at SpamCop Wiki article "PhishMail" sections labeled "Reporting mail sources," "Reporting phish websites" and "Reporting to the institutions who were spoofed."
This topic is now archived and is closed to further replies.