Jump to content

All I got for Christmas (well, Boxing Day)


Farelf
 Share

Recommended Posts

Just in case others might receive same/similar and be intrigued, the following may satisfy curiosity without resorting to the risky business of actually opening ...

These set the record (for me) for sheer size - 8636 KB, two arriving in close succession, identical, each claiming (in Russian) "this message will be sent only once," this is not spam," and "your address received from open sources." Three lies in two consecutive paragraphs - that is nearing a record too.

Anyway, this will represent the spam pair: - http://www.spamcop.net/sc?id=z3606901154z6...329d269093d454z

Attachments were: NewPro.rar 395 KB

http://www.virustotal.com/analisis/b80da56...e58c-1261800143

MD5...: 8eb062037002d15ba70245d1101695d6

SHA1..: 5c7d8feaab769559c2335d5f751f83832c18962e

SHA256: b80da561326e39327dab2115b245966c94505d2aac3dd21ca588d1b600abe58c

ssdeep: 12288:BaEf4PIKTn+BHa8JriuuV5TSIJGnWLJnbhX0K1gf:pAQKj+BH5JriRIIYn

WJnFD0

and (not seen in the report due to truncation):

Secret.rar 5,872 KB

http://www.virustotal.com/analisis/b384045...2653-1261800346

MD5...: 3e03adb0a883a0e8b0b6baf0fe0d0355

SHA1..: fce9c58c5bc3fae6f730cf27d1b15da16040c2c2

SHA256: b3840454fee4674af9cd8af43bf6bb1c730b610e5f4f70e7a5ad106eb4572653

ssdeep: 98304:YwInz42pmyUFvd8XIfq/7iDmRn+yjqIRRCuIQC50EoubuQlLUg1cOLSKYP

TESi:Yw44imyUFyXViiR95IQCGEou7lLUahAy

Both scoring 0/41 at VirusTotal (no threats found) - but note that is no guarantee (particularly right now with many AV providers pausing briefly for festivities).

The thrust of this exercise in futility and internet vandalism:

"I offer you a special kind of activity on the Internet, which will become your source PASSIVE INCOME!"

What it will achieve in the real world is of course to overload many momentarily unattended/uncleared mailboxes, virtually in one hit - in those cases where ISP filtering lets it through at all. Not discounting the possibility that one or both of the attachments is actually malicious. Or the first pair of attachments were harmless and the second pair malicious (I fully checked only one pair, VT deserves a recuperation break too).

Link to comment
Share on other sites

Just in case others might receive same/similar and be intrigued, the following may satisfy curiosity without resorting to the risky business of actually opening ...

These set the record (for me) for sheer size - 8636 KB, two arriving in close succession, identical, each claiming (in Russian) "this message will be sent only once," this is not spam," and "your address received from open sources." Three lies in two consecutive paragraphs - that is nearing a record too.

Anyway, this will represent the spam pair: - http://www.spamcop.net/sc?id=z3606901154z6...329d269093d454z

62.33.223.53 has no abuse address

When you see it's on another block list it pays to refresh SpamCop's "cach" sometimes it will come up with a new one in this case it's unreportable

Link to comment
Share on other sites

...When you see it's on another block list it pays to refresh SpamCop's "cach" sometimes it will come up with a new one in this case it's unreportable
Interesting tip, thanks ... must admit I haven't been that diligent in hitting the 'refresh' link (and there have been occasions when it has been disabled due to overuse or something). I suppose 'misdirected' SC reports might often be a heads-up to networks to adjust their records to catch up with what the spammers already know (somehow), there is a neglected block ripe and ready for exploitation. I am deeply suspicious in this case, it seems such a tiny block, more like a three-card trick than actual reassignment:

WHOIS Source: RIPE NCC

IP Address: 62.33.223.53

Country: Russian Federation

Network Name: RELANT-PA-TTK-NET

Owner Name: (MS004215) Relant,

From IP: 62.33.223.32

To IP: 62.33.223.63

Allocated: Yes

Contact Name: Belogurov Svyatoslav

Address: Russia, 184209, Apatity, Murmansk region, Kosmonavtov str, 10

Email:

Abuse Email:

Phone: +7 (960) 029-90-21

Fax:

(Robtex: AS48354 Relant-as LLC "Relant")

Whatever - I will try refreshing when there are entries in the polled BLs, as you suggest. At the end of the day if the IP address spams in sufficient volume to be a nuisance it's going to end up on multiple BLs and the IP reputation score is going to be reduced - there's nothing the spammers can do about that - and if the network owner doesn't care then it's their own 'real estate' that is being devalued.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...