Farelf
Posted December 26, 2009

Just in case others might receive the same/similar and be intrigued, the following may satisfy curiosity without resorting to the risky business of actually opening ...

These set the record (for me) for sheer size - 8636 KB, two arriving in close succession, identical, each claiming (in Russian) "this message will be sent only once," "this is not spam," and "your address received from open sources." Three lies in two consecutive paragraphs - that is nearing a record too. Anyway, this will represent the spam pair:

http://www.spamcop.net/sc?id=z3606901154z6...329d269093d454z

Attachments were:

NewPro.rar 395 KB
http://www.virustotal.com/analisis/b80da56...e58c-1261800143
MD5...: 8eb062037002d15ba70245d1101695d6
SHA1..: 5c7d8feaab769559c2335d5f751f83832c18962e
SHA256: b80da561326e39327dab2115b245966c94505d2aac3dd21ca588d1b600abe58c
ssdeep: 12288:BaEf4PIKTn+BHa8JriuuV5TSIJGnWLJnbhX0K1gf:pAQKj+BH5JriRIIYn WJnFD0

and (not seen in the report due to truncation):

Secret.rar 5,872 KB
http://www.virustotal.com/analisis/b384045...2653-1261800346
MD5...: 3e03adb0a883a0e8b0b6baf0fe0d0355
SHA1..: fce9c58c5bc3fae6f730cf27d1b15da16040c2c2
SHA256: b3840454fee4674af9cd8af43bf6bb1c730b610e5f4f70e7a5ad106eb4572653
ssdeep: 98304:YwInz42pmyUFvd8XIfq/7iDmRn+yjqIRRCuIQC50EoubuQlLUg1cOLSKYP TESi:Yw44imyUFyXViiR95IQCGEou7lLUahAy

Both scoring 0/41 at VirusTotal (no threats found) - but note that is no guarantee (particularly right now, with many AV providers pausing briefly for festivities).

The thrust of this exercise in futility and internet vandalism: "I offer you a special kind of activity on the Internet, which will become your source PASSIVE INCOME!" What it will achieve in the real world is of course to overload many momentarily unattended/uncleared mailboxes, virtually in one hit - in those cases where ISP filtering lets it through at all. Not discounting the possibility that one or both of the attachments is actually malicious.
Or the first pair of attachments were harmless and the second pair malicious (I fully checked only one pair, VT deserves a recuperation break too).
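The post above checks the two archives by hash rather than by opening them. The script below is an added example (it is not code from the thread or from SpamCop/VirusTotal) of how to do that step mechanically: pull every attachment out of a raw message, decode the MIME payload to bytes, and compute MD5/SHA-1/SHA-256 without ever extracting or executing the archive. The message it processes is constructed inline; the attachment contents are filler bytes behind a RAR magic number, not the real NewPro.rar or Secret.rar, so none of the computed digests will match the ones quoted in the post. The known-bad set holds the two SHA-256 values from the post as an exact-match blocklist; an exact hash match says nothing about repacked variants, which is what the ssdeep fuzzy hashes are for.

```python
"""Hash e-mail attachments without opening them.

Added example, not from the SpamCop thread. The sample message is
constructed inline so the script runs offline; the attachments are
filler bytes, not the real archives from the post.
"""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# SHA-256 values quoted in the post. Any hit is an exact-file match:
# useful as a blocklist, useless against a repacked variant.
KNOWN_BAD_SHA256 = {
    "b80da561326e39327dab2115b245966c94505d2aac3dd21ca588d1b600abe58c",  # NewPro.rar
    "b3840454fee4674af9cd8af43bf6bb1c730b610e5f4f70e7a5ad106eb4572653",  # Secret.rar
}


def build_sample_message() -> bytes:
    """Constructed sample: text body plus two binary attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Passive income"
    msg.set_content("I offer you a special kind of activity on the Internet.")
    # "Rar!\x1a\x07\x00" is the RAR 4 signature; the rest is filler,
    # so these are NOT valid archives and carry no real content.
    msg.add_attachment(b"Rar!\x1a\x07\x00" + b"\x00" * 64,
                       maintype="application", subtype="x-rar-compressed",
                       filename="NewPro.rar")
    msg.add_attachment(b"Rar!\x1a\x07\x00" + b"\x01" * 128,
                       maintype="application", subtype="octet-stream",
                       filename="Secret.rar")
    return msg.as_bytes()


def hash_attachments(raw: bytes) -> list[dict]:
    """Return filename, size and digests for each attachment of a raw RFC 5322 message.

    The payload is only base64/quoted-printable decoded into a bytes object;
    nothing is written to disk, extracted or executed.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if data is None:  # multipart container or undecodable part
            continue
        sha256 = hashlib.sha256(data).hexdigest()
        results.append({
            "filename": part.get_filename() or "(unnamed)",
            "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": sha256,
            "known_bad": sha256 in KNOWN_BAD_SHA256,
        })
    return results


if __name__ == "__main__":
    for r in hash_attachments(build_sample_message()):
        print(f"{r['filename']:12} {r['size']:6} bytes  sha256={r['sha256']}  "
              f"known_bad={r['known_bad']}")
```

To use it on a real message, replace `build_sample_message()` with the bytes of the saved .eml file; the SHA-256 values it prints are what VirusTotal's search takes.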
petzl
Posted December 26, 2009

Quote (Farelf):
Just in case others might receive the same/similar and be intrigued, the following may satisfy curiosity without resorting to the risky business of actually opening ... These set the record (for me) for sheer size - 8636 KB, two arriving in close succession, identical, each claiming (in Russian) "this message will be sent only once," "this is not spam," and "your address received from open sources." Three lies in two consecutive paragraphs - that is nearing a record too. Anyway, this will represent the spam pair:
http://www.spamcop.net/sc?id=z3606901154z6...329d269093d454z

62.33.223.53 has no abuse address. When you see it's on another block list it pays to refresh SpamCop's "cache"; sometimes it will come up with a new one. In this case it's unreportable.
Farelf (Author)
Posted December 26, 2009

Quote (petzl):
...When you see it's on another block list it pays to refresh SpamCop's "cache"; sometimes it will come up with a new one. In this case it's unreportable.

Interesting tip, thanks ... must admit I haven't been that diligent in hitting the 'refresh' link (and there have been occasions when it has been disabled due to overuse or something). I suppose 'misdirected' SC reports might often be a heads-up to networks to adjust their records to catch up with what the spammers already know (somehow): there is a neglected block ripe and ready for exploitation. I am deeply suspicious in this case, it seems such a tiny block, more like a three-card trick than actual reassignment:

WHOIS Source: RIPE NCC
IP Address: 62.33.223.53
Country: Russian Federation
Network Name: RELANT-PA-TTK-NET
Owner Name: (MS004215) Relant,
From IP: 62.33.223.32
To IP: 62.33.223.63
Allocated: Yes
Contact Name: Belogurov Svyatoslav
Address: Russia, 184209, Apatity, Murmansk region, Kosmonavtov str, 10
Email:
Abuse Email:
Phone: +7 (960) 029-90-21
Fax:
(Robtex: AS48354 Relant-as LLC "Relant")

Whatever - I will try refreshing when there are entries in the polled BLs, as you suggest. At the end of the day, if the IP address spams in sufficient volume to be a nuisance it's going to end up on multiple BLs and the IP reputation score is going to be reduced - there's nothing the spammers can do about that - and if the network owner doesn't care then it's their own 'real estate' that is being devalued.
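The exchange above turns on whether a source IP is already on the block lists SpamCop polls. The script below is an added example (not code from the thread, from SpamCop or from any list operator) of how a DNSBL is queried: the IPv4 octets are reversed and the list's zone is appended, and an A record in 127.0.0.0/8 means "listed", with the last octet usually encoding the reason. Two points a practitioner wants handled: Spamhaus answers in 127.255.255.0/24 are query-error codes (typing error, query from an open/public resolver, excessive volume), not listings, and an answer outside 127/8 is noise (a wildcard or a redirecting resolver), not a hit. The resolver is injectable, so the stand-alone run uses a constructed lookup table in which the thread's IP is shown as listed purely for illustration; the default resolver does a real DNS query. The zone names are real public lists, but their return-code meanings and usage terms change, so check each list's documentation before acting on a result.

```python
"""Query IPv4 DNS block lists (DNSBLs) with an injectable resolver.

Added example, not from the SpamCop thread. The fake resolver table in
__main__ is constructed for illustration; it does not reflect the real
listing status of any address.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

Resolver = Callable[[str], Optional[str]]

# Real public zones; return codes and terms of use are theirs to change.
DEFAULT_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")
# Spamhaus signals query problems here (.252 typing error, .254 open
# resolver, .255 volume). They are inside 127/8 but are NOT listings.
ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """62.33.223.53 + zen.spamhaus.org -> 53.223.33.62.zen.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Resolve with the OS resolver; NXDOMAIN (not listed) becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def fake_resolver_factory(table: Dict[str, Optional[str]]) -> Resolver:
    """Offline resolver backed by a dict of query name -> answer (constructed data)."""
    return lambda name: table.get(name)


def check_ip(ip: str, zones=DEFAULT_ZONES, resolver: Resolver = system_resolver) -> Dict[str, dict]:
    """Return {zone: {"answer": raw A record or None, "status": ...}}.

    status is one of "listed", "not listed", "query error", "unexpected answer".
    """
    results = {}
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        status = "not listed"
        if answer is not None:
            try:
                a = ipaddress.IPv4Address(answer)
            except ValueError:
                status = "unexpected answer"
            else:
                if a in ERROR_NET:
                    status = "query error"
                elif a in LISTED_NET:
                    status = "listed"
                else:
                    status = "unexpected answer"  # wildcard / redirecting resolver
        results[zone] = {"answer": answer, "status": status}
    return results


def listed_zones(results: Dict[str, dict]) -> list:
    """Zones that actually list the address (errors and noise excluded)."""
    return [zone for zone, r in results.items() if r["status"] == "listed"]


if __name__ == "__main__":
    # Constructed table: the thread's IP is marked listed on one zone for
    # illustration only, and 1.2.3.4 gets an error code to show the caveat.
    fake = fake_resolver_factory({
        "53.223.33.62.zen.spamhaus.org": "127.0.0.2",
        "4.3.2.1.zen.spamhaus.org": "127.255.255.254",
    })
    for ip in ("62.33.223.53", "1.2.3.4"):
        res = check_ip(ip, resolver=fake)
        print(ip, res, "listed on:", listed_zones(res))
```

Swap `resolver=fake` for the default to run it for real; do that from a resolver you control, since several lists refuse queries from large public resolvers and answer with the error codes above rather than a listing.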