Lking
Posted November 28, 2012

I have gotten a couple of these odd spam lately. The subject is a number, no text, just 487 jpg attachments for a total of 6.1M in pictures. Most of the jpgs also have long numbers for titles. Opened some of the jpgs to see maps, religious images, Japanese(?) characters, some "western" art, pictures of statues. One image is repeated over 50 times. Don't see the purpose. It seems harmless.

Sorry about including the header but due to the size (>5M) my ISP blocks the outgoing email to sc.

Any ideas?

From - Wed Nov 28 14:59:49 2012
X-Account-Key: account2
X-UIDL: U$O!!lV-!!;6\!!(EC!!
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Symantec-TimeoutProtection: 0
X-Symantec-TimeoutProtection: 1
X-Symantec-TimeoutProtection: 2
X-Symantec-TimeoutProtection: 3
X-Symantec-TimeoutProtection: 4
X-Symantec-TimeoutProtection: 5
X-Symantec-TimeoutProtection: 6
X-Symantec-TimeoutProtection: 7
X-Symantec-TimeoutProtection: 8
X-Symantec-TimeoutProtection: 9
X-Symantec-TimeoutProtection: 10
Return-Path: <233558938299[at]dysgo.org>
Received: from mail1.radix.net (mail1.radix.net [207.192.128.31])
    by pop2.radix.net (8.13.4/8.12.2) with ESMTP id qASGEP83023444
    for <xxxy>; Wed, 28 Nov 2012 11:14:26 -0500 (EST)
Received: from goldnew.radix.net (goldnew.radix.net [207.192.128.21])
    by mail1.radix.net (8.13.4/8.13.4) with ESMTP id qASGDLlf019584
    for <xxxz>; Wed, 28 Nov 2012 11:13:21 -0500 (EST)
Received: from server94.dysgo.org ([199.116.118.24])
    by goldnew.radix.net (8.13.5/8.12.2) with ESMTP id qASGDAaK020975
    for <xxx>; Wed, 28 Nov 2012 11:13:10 -0500 (EST)
X-Real-To: <xxx>
Received: from server94.dysgo.org (server94.dysgo.org [199.116.118.24])
    by server94.dysgo.org (Postfix) with ESMTP id B4658237821E
    for <xxx>; Wed, 28 Nov 2012 19:05:57 +0300 (MSK)
Message-ID: <18248114.1354118757709.JavaMail.959952320785[at]server94.dysgo.org>
Date: Wed, 28 Nov 2012 19:05:57 +0300 (MSK)
From: 233558938299[at]dysgo.org
To: xxx
Subject: 933854890065
Mime-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_Part_96_31706449.1354118757578"
X-UIDL: U$O!!lV-!!;6\!!(EC!!
Status: U

------=_Part_96_31706449.1354118757578
Content-Type: text/html
Content-Transfer-Encoding: 7bit

<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
</HEAD>
<BODY>
<P><IMG border=0 hspace=0 alt="" align=baseline src="cid:391435062178.jpg" /);
<P><IMG border=0 hspace=0 alt="" align=baseline src="cid:186055462795.jpg" /);
. . .

Farelf
Posted November 28, 2012

> ...Sorry about including the header but due to the size (>5M) my ISP blocks the outgoing email to sc. ...

Thank goodness! Maybe it's a plot to overload the internet ... nah, seriously, there are a number of jpg exploits, I wouldn't go opening those on my machine (go to toastedspam or similar if curious, where you can paste in the Base64 code of any individual attachment and let them render it). May well be pointless, not safe to assume so though. If I were a hacker I would send one or two exploit images within a raft of harmless ones.

If concerned, you could try forwarding (some) pictures (without locally viewing them) to VirusTotal or similar but I suspect detection rates would be low, even if they are malicious - still, that would expose them to a whole battery of AVs for analysis.

I take it you're not using a mail client that would allow you to "detach" these pictures before forwarding? Many do but, if there's only a few of these spam, it's certainly not worth turning your world upside down finding and installing one to chase a solution (life's too short). Maybe just "view source" and use the webpage submission form method to paste full headers and just a token amount of the body content. That's about all you could do with these (yes, it is permissible to "trim" such content, whichever submission method used - SC would anyway, if over 50K).

Aaagh M$ has much to answer for when they sprang HTML e-mail upon an unsuspecting world back in '99 (or was it '98?). It would be good to eliminate a few of these electron botherers you are seeing but, unfortunately, theirs is not (yet) a capital offence. In a properly-ordered society however ...
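
Added example (not part of any post in this thread): one way to look at such a message without viewing any image is to parse the saved source, hash each attachment as raw bytes so repeats stand out and only distinct files need submitting for scanning, and cut the message down to full headers plus a token amount of body for a web-form report. The function names, the 2048-byte default and the sample message are assumptions constructed for this illustration.

```python
import hashlib
from collections import Counter
from email import message_from_bytes, policy
from email.message import EmailMessage

JPEG_SOI = b"\xff\xd8\xff"  # every JPEG stream starts with these bytes

def triage(raw: bytes) -> dict:
    """Hash every attachment as raw bytes; nothing is decoded as an image."""
    msg = message_from_bytes(raw, policy=policy.default)
    digests, not_jpeg = Counter(), []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not (name or part.get_content_maintype() == "image"):
            continue  # skip containers and the HTML body
        data = part.get_payload(decode=True) or b""
        digests[hashlib.sha256(data).hexdigest()] += 1
        if not data.startswith(JPEG_SOI):
            not_jpeg.append(name or "(unnamed)")  # content is not a JPEG stream
    return {"attachments": sum(digests.values()), "unique": len(digests),
            "most_repeated": max(digests.values(), default=0),
            "not_jpeg": not_jpeg}

def trim_for_report(raw: bytes, body_bytes: int = 2048) -> bytes:
    """Full headers plus a token amount of body, for pasting into a web form."""
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head, _, body = raw.partition(sep)
    return head + sep + body[:body_bytes]

def build_sample() -> bytes:
    """Constructed test message: four .jpg parts, one repeated, one not a JPEG."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.invalid", "rcpt@example.invalid"
    m["Subject"] = "000000000000"
    m.set_content("<html><body></body></html>", subtype="html")
    a = JPEG_SOI + b"\xe0" + b"\x00" * 64
    b = JPEG_SOI + b"\xe0" + b"\x01" * 64
    for name, data in [("1.jpg", a), ("2.jpg", a), ("3.jpg", b), ("4.jpg", b"plain text")]:
        m.add_attachment(data, maintype="image", subtype="jpeg", filename=name)
    return m.as_bytes()

if __name__ == "__main__":
    raw = build_sample()
    print(triage(raw))
    print(len(raw), "->", len(trim_for_report(raw, 200)), "bytes")
```
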

Lking
Posted November 29, 2012

> I take it you're not using a mail client that would allow you to "detach" these pictures before forwarding? Many do but, if there's only a few of these spam, it's certainly not worth turning your world upside down finding and installing one to chase a solution (life's too short). Maybe just "view source" and use the webpage submission form method to paste full headers and just a token amount of the body content. That's about all you could do with these (yes, it is permissible to "trim" such content, whichever submission method used - SC would anyway, if over 50K).

No it doesn't "detach." The first one I got caused my ISP to choke when I tried to quick report it. - How hard do you have to look at an email "Subject: 933854890065, From: 233558938299[at]dysgo.org" to know it's spam? Having caused a problem the second one got a second look, even with my short life. <g>

Hadn't thought about webpage reporting. Two spam in as many weeks is really down in the grass, given the 100s of spam I report daily.

Given the time required to load and display 400+ images inline, seems most people would kill/delete the email. But that assumes the general public has more common sense than there is evidence to support. Reducing the size, changing the subject does the same for spammers.

> Aaagh M$ has much to answer for when they sprang HTML e-mail upon an unsuspecting world back in '99 (or was it '98?). It would be good to eliminate a few of these electron botherers you are seeing but, unfortunately, theirs is not (yet) a capital offence. In a properly-ordered society however ...

Agree with you on that!
Archived
This topic is now archived and is closed to further replies.