
Holiday season spam


Farelf

Ah, they never stop trying to reduce us to penury and our heirs and successors in perpetuity too. With the "holiday season" (AKA Christmas, ta very muchly - too late for Hanukkah this year and Eid al-Fitr is long gone) comes this fake airline itinerary notification, lovingly crafted to emulate (no doubt) in every detail the correct format of the right regional airline for the delivery area, just at the time when millions of people would be expecting real notifications/e-tickets in their inboxes. This one carries a trojan downloader, recognised so far by only a handful of anti-virus defenders according to the VirusTotal test battery:

Virus scan results:

https://www.virustotal.com/file/acf692cc8f5...87d85/analysis/

The spam:

http://www.spamcop.net/sc?id=z5439965422z1...438cbeae2858daz

People in the G20 countries can look forward to this one - the gift that keeps on giving for those who actually open that exploit file. Once it would have been only the G7's denizens that were bothered so, this 21st century continues to delight. No doubt the downloader can be trivially varied to continue eluding, most of the time it is freshly-delivered, most AVs relying on hash signatures (which is most of them) and the thing will be re-used with those slight variations, the covering e-mail re-written to suit the local airlines, many times. And the smartphone equivalents, I suppose.

So, what other holiday specials are being served up to the unsuspecting public this festive season?


Any progress on this yet please?

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z5441330155zc...5fcc0f5556337cz

No source IP address found, cannot proceed.

[Moved from pinned "IPv6 Support" topic as it appears to have nothing to do with IPv6]

Edited by Farelf

> Here is your TRACKING URL - it may be saved for future reference:
>
> http://www.spamcop.net/sc?id=z5441330155zc...5fcc0f5556337cz
>
> No source IP address found, cannot proceed.

That's not IPv6 causing a problem keef - it's just a badly mangled header (full of very inexpert forgery) which has probably never transited out of uk.tiscali.com. Since that is evidently your network, there may be better ways to report it (internally) than through SpamCop.

Here's what it would look like if patched up enough to parse, and without mailhosting being set up:

http://www.spamcop.net/sc?id=z5441363934zb...6079b9e2b4009ez

Presumably the attachment is some sort of trojan dropper. As posted elsewhere, 'tis the season for those. Unless I've misinterpreted something (please say if so), these two posts will be split out of this topic and moved to a more appropriate one in due course.


The parser sticks to the "standards", spammers can do what they please - or into whatever they blunder. I would imagine spammers (whether intentionally or not) could lead SC on a merry chase indeed, if it chose to follow and compensate for all the infelicities in their forged and unpredictably mangled headers.

I have little doubt that some naughty reporters do "fix" spam so they can report it. That is contrary to the cardinal rule - spam must not be altered to "help" the parser.** It may be easy enough for a human to see the problem but what else they might do in fixing it is unknowable. Making material changes to spam can lead to suspension of the reporter's account (or fining if a paying reporter) because the "evidence" is then altered, it can then be challenged, there could then be further repercussions. There is nothing more vengeful than a crook - or a spammer - "wrongfully accused". Except maybe a woman scorned. And the righteous aren't too pleased about it either.

SpamCop has always sought the willing co-operation of the mail administrators in stopping spam, that's why the evidence is reported to them, in unusually complete form, to assist that process. That requires integrity and trustfulness to work at all. Not sure what works with women, but I digress.

There is more than enough spam left to report, that the parser does handle successfully (I would say). The mangled type seems to fade away pretty quickly - presumably the networks it transits get around to dealing with it/the senders - or the spammers sending it find out something is broken and fix it.

** See SpamCop Administrator's recent post reinforcing this - http://forum.spamcop.net/forums/index.php?...ost&p=83684

Edited by Farelf

> presumably the networks it transits get around to dealing with it/the senders - or the spammers sending it find out something is broken and fix it.

Still getting these; are they all non-IP6 then? :-

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z5445229756z7...35ac714e171e11z

No source IP address found, cannot proceed.


> Still getting these; are they all non-IP6 then? :-
>
> Here is your TRACKING URL - it may be saved for future reference:
>
> http://www.spamcop.net/sc?id=z5445229756z7...35ac714e171e11z
>
> No source IP address found, cannot proceed.

No, the parse of that one chokes on "Unable to process header. IPv6 addresses are not supported." You can't do a blessed thing with it except maybe send a manual report if you've a mind to.

It appears to enter your network (my emphasis):

Received: from exchange2010.octech.edu ([199.4.164.15]:60659)
    by www.cbcadmin.com with esmtp (Exim 4.69 #1 (EximConfig 2.5))
    id 1Tm8L5-0000a6-GB
    for <x>; Fri, 21 Dec 2012 19:33:06 +0000

Pasting the server name exchange2010.octech.edu only into the SC reporting webform:

http://members.spamcop.net/sc?track=exchange2010.octech.edu (have to be logged in to your reporting account) shows:

SpamCop v 4.6.2.001 © 1992-2012 Cisco Systems, Inc. All rights reserved.

Parsing input: exchange2010.octech.edu

No recent reports, no history available

Routing details for 199.4.164.15

[refresh/show] Cached whois for 199.4.164.15 : foleyg[at]org.tec.sc.us

Using last resort contacts foleyg[at]org.tec.sc.us

If you wanted to (and from an account you don't mind if it should end up with the spammers), you could forward the spam to foleyg and politely request investigation and elimination of the spam source.

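The hop-by-hop logic the thread keeps coming back to (read the Received: chain most-recent-first, skip your own relays, take the first hop handed in from outside, and give up with "no source IP" on a mangled line rather than "fixing" it) as an added example. This is not SpamCop's parser and not code from anyone in this thread. It assumes a hypothetical TRUSTED_HOSTS set standing in for mailhost configuration, and the three sample messages are constructed; the first reuses the exchange2010.octech.edu hop quoted above, the constructed Exim ids and the 2001:db8:: address are illustrative only.

```python
"""Walk a message's Received: chain top-down to find the originating IP.

Added example, not SpamCop's parser and not code from this thread. Hops are
read most-recent first, internal relays are skipped, the first hop handed in
from outside is the source, and a hop that cannot be parsed stops the walk
with "no source IP" instead of guessing. TRUSTED_HOSTS and the sample
messages below are constructed for illustration.
"""
import email
import ipaddress
import re
from email import policy

# "from <host> ... [<ip>]": covers the Exim form "([1.2.3.4]:60659)", the
# sendmail/postfix form "(host [1.2.3.4])" and the bracketed "[IPv6:...]" form.
_FROM_RE = re.compile(
    r"from\s+(?P<host>[^\s\[]+)?.*?\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]",
    re.IGNORECASE | re.DOTALL,
)
_BY_RE = re.compile(r"\bby\s+(?P<host>\S+)", re.IGNORECASE)

# Ranges treated as internal relays (RFC 1918, loopback, ULA, link-local).
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Hypothetical: the reporter's own mail hosts (what mailhost setup supplies).
TRUSTED_HOSTS = {"www.cbcadmin.com", "inbox.cbcadmin.com"}


def is_internal(ip):
    """True for addresses that can only be our own relays, never a source."""
    return any(ip in net for net in _INTERNAL_NETS)


def parse_received(line):
    """Return (from_host, from_ip, by_host), or None if no usable IP is present."""
    m = _FROM_RE.search(line)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:  # bracketed text that is not an address
        return None
    by = _BY_RE.search(line)
    return m.group("host"), ip, (by.group("host").lower() if by else None)


def find_source_ip(raw_message, trusted_hosts):
    """Return ("found", ip_string) or ("no-source-ip", None)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    trusted = {h.lower() for h in trusted_hosts}
    for hdr in msg.get_all("Received", []):  # most recent hop first
        hop = parse_received(str(hdr))       # policy.default unfolds the line
        if hop is None:
            # Mangled or forged line: nothing below it can be trusted either.
            return ("no-source-ip", None)
        from_host, ip, by_host = hop
        if by_host not in trusted:
            # Stamped by a host that is not ours, so it is outside our chain.
            return ("no-source-ip", None)
        if is_internal(ip) or (from_host or "").lower() in trusted:
            continue                         # internal relay, keep walking
        return ("found", str(ip))            # first hop from outside
    return ("no-source-ip", None)


# Constructed sample 1: the exchange2010.octech.edu hop quoted in the thread,
# with one constructed internal relay stamped above it.
SAMPLE_EXIM = """\
Received: from www.cbcadmin.com ([10.1.1.20]) by inbox.cbcadmin.com with esmtp
    id 1Tm8L6-0000a7-AA for <x>; Fri, 21 Dec 2012 19:33:07 +0000
Received: from exchange2010.octech.edu ([199.4.164.15]:60659)
    by www.cbcadmin.com with esmtp (Exim 4.69 #1 (EximConfig 2.5))
    id 1Tm8L5-0000a6-GB
    for <x>; Fri, 21 Dec 2012 19:33:06 +0000
Subject: constructed sample

Body.
"""

# Constructed sample 2: an IPv6 hop (documentation prefix). The 2012 parser in
# the thread rejected these outright; this walker handles them like IPv4.
SAMPLE_IPV6 = """\
Received: from mail.sender.example ([IPv6:2001:db8::25]:4242)
    by www.cbcadmin.com with esmtp id 1Tm8L7-0000a8-BB
    for <x>; Fri, 21 Dec 2012 20:01:00 +0000
Subject: constructed sample

Body.
"""

# Constructed sample 3: a forged line with no bracketed address at all.
SAMPLE_MANGLED = """\
Received: from unknown (HELO mail.example) by www.cbcadmin.com with smtp
    id 1Tm8L8-0000a9-CC; Sat, 22 Dec 2012 01:02:03 +0000
Subject: constructed sample

Body.
"""

if __name__ == "__main__":
    for name, sample in (("exim", SAMPLE_EXIM), ("ipv6", SAMPLE_IPV6),
                         ("mangled", SAMPLE_MANGLED)):
        print(name, find_source_ip(sample, TRUSTED_HOSTS))
```

The walker deliberately stops at the first line it cannot parse instead of repairing it: anything below a mangled or foreign-stamped Received: line may be forged, and patching the evidence is exactly what the cardinal rule above forbids. For the third sample it therefore reports "no-source-ip", which is the same outcome the thread shows for keef's headers, while the IPv6 sample resolves normally.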
