flagginator Posted December 17, 2004

I've been getting several similar spams lately. They all contain a virus payload, and they all contain the same "Merry Christmas..." message. The email headers are mucked up:

>>>>
<snip>dkfalOPjfgapajIL:JIo382739043<snip>
<<<<

What's up with this? Thanks.
Wazoo Posted December 17, 2004

Tracking URL? You say "headers" but only include some sort of snippet of code, and from what's offered as a sample, there's no way it could have traversed any e-mail system ... you're going to have to sort out something first to at least get the data used to actually "send" that e-mail. That it's a virus-laden thing has its own problems and issues.
flagginator (Author) Posted December 17, 2004

I'm on it. In the meantime I figured out those headers are generated by Norton Anti-Virus when it deletes the virus. I'll have to turn off Delete so I can view an original header.

And, to clarify, each message is different, but always signed "Pamela M." within the body. The subject line is always "Merry Christmas!" All include the same little pac-man humping animated .gif in the body. The message between the * and the * changes with each one. All are addressed to a different email address within the domain.

Here's the munged body of one of the five hundred I've received so far today:

>>>>
* Happy.... ....Hollydays! *
Pamela M.
___________________________________________________________________
http://[mydomainname].com/link.postcard.christmas.index.jpg7422 - Picture Size: 11 KB, Mail: +OK
<<<<
Wazoo Posted December 17, 2004

>>>>
I'm on it. In the meantime I figured out those headers are generated by Norton Anti-Virus when it deletes the virus. I'll have to turn off Delete so I can view an original header.
<<<<

Gotta love it when the tools get in the way <g> I just came from a highly-recommended web-site (from a brother, so one would have to believe the recommendation <g>) ... I've got no idea as to the "worthiness" of the site .... three frames, all 404 ... icons blank, three attempts at firing up some ActiveX crap ... I've no doubt that the problem is my security settings, but am just a bit blown away after spending several hours a couple of days ago cleaning his system up from all the "interesting garbage" collected on that system ...

>>>>
And, to clarify, each message is different, but always signed "Pamela M." within the body. The subject line is always "Merry Christmas!" All include the same little pac-man humping animated .gif in the body. The message between the * and the * changes with each one. All are addressed to a different email address within the domain.
<<<<

Yeah, but I know that you know that what's important is the source of all these fine items <g>
flagginator (Author) Posted December 17, 2004

Merlyn: Cool. Thanks. Can you please munge or delete that decoding job for me so it's not harvested? Thanks. I already munged the code.
flagginator (Author) Posted December 17, 2004

Hey, which decoder did you use? I used to use robertgraham.com (he was the CEO of Network ICE) but his site is down.

PS: Many thanks for your help. I ended up just blocking that Polish IP on the SMTP Virtual Server on Exchange.
Merlyn Posted December 17, 2004

Try this, it's a good one: http://www.motobit.com/util/base64-decoder-encoder.asp

Have fun! Glad I was finally able to help someone...
Wazoo Posted December 18, 2004

And for those that check in later .. here's what I think happened here ...

flagginator posted a block of stuff.
Merlyn grabbed that block and ran it through a Base-64 decoder, posted the resulting text output.
flagginator asked that Merlyn's post be edited or deleted ... also editing the previous block of stuff in the first post.
Merlyn apparently deleted the de-coded posting.
Notes then compared on what tool did the de-coding.
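The two steps Wazoo summarises above, undoing the Base-64 transfer encoding of the body and then working out which host actually handed the message in, are what the standard library's email module does for you; the following is an added example and is not code from anyone in this thread. The message it parses is constructed for the example (example.com / example.net names, RFC 5737 documentation addresses, a made-up Received: chain and a harmless text body), and the set of "trusted" relay addresses is an assumed value you would replace with your own MX hosts.

```python
import base64
import re
from email import message_from_string
from typing import List, Optional, Set, Tuple

# Constructed sample (not from the thread): a small mail whose body is
# base64-encoded, as the spam discussed here was, with a made-up Received:
# chain. 192.0.2.10 plays our own MX; 203.0.113.77 plays the sending host.
SAMPLE_RAW = (
    "Received: from mx.example.com (mx.example.com [192.0.2.10])\n"
    "\tby inbox.example.com with ESMTP id abc123; Fri, 17 Dec 2004 10:00:00 +0000\n"
    "Received: from unknown (HELO pamela) [203.0.113.77]\n"
    "\tby mx.example.com with SMTP; Fri, 17 Dec 2004 09:59:58 +0000\n"
    'From: "Pamela M." <pamela@example.net>\n'
    "To: someone@example.com\n"
    "Subject: Merry Christmas!\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/plain; charset="us-ascii"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.b64encode(b"* Happy Holidays! *\nPamela M.\n").decode("ascii")
    + "\n"
)

# Matches the bracketed IPv4 literal that MTAs write into Received: headers.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def decoded_parts(raw: str) -> List[Tuple[str, str]]:
    """Walk the MIME tree and return (content-type, decoded text) per leaf part.

    get_payload(decode=True) reverses base64 / quoted-printable transfer
    encodings, which is the step done by hand with a web decoder above.
    """
    msg = message_from_string(raw)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "us-ascii"
        parts.append((part.get_content_type(), payload.decode(charset, errors="replace")))
    return parts


def received_chain(raw: str) -> List[str]:
    """Return the IPs named in Received: headers, oldest hop first.

    Each relay prepends its own Received: line, so the header order in the
    message runs newest to oldest; reversing gives origin -> mailbox.
    """
    msg = message_from_string(raw)
    ips = []
    for header in reversed(msg.get_all("Received", [])):
        match = RECEIVED_IP.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def likely_origin(raw: str, trusted_relays: Set[str]) -> Optional[str]:
    """Best guess for the sending host: walk back from the mailbox through
    our own relays and stop at the first address that is not ours.

    Anything earlier in the chain was written by the sender and can be forged,
    so only the hop that our own MX recorded is worth acting on.
    """
    for ip in reversed(received_chain(raw)):
        if ip not in trusted_relays:
            return ip
    return None


if __name__ == "__main__":
    for ctype, text in decoded_parts(SAMPLE_RAW):
        print(ctype, repr(text))
    print("chain:", received_chain(SAMPLE_RAW))
    # assumed: our own MX address is the only trusted relay
    print("origin:", likely_origin(SAMPLE_RAW, {"192.0.2.10"}))
```

The address returned by likely_origin is the one a mail administrator would look up and, as flagginator did, block at the SMTP server; the decoded body is only read for classification, never rendered, and any attachment parts come back as bytes that can be hashed for a signature lookup without being executed.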
Jeff G. Posted December 19, 2004

The ones I've gotten were sent by the w32.erkez.d[at]mm worm.
This topic is now archived and is closed to further replies.