Spam (Virus?) Examples

Spam
2005-02-09
2013-04-15
  • James E Lang

    James E Lang - 2005-02-09

    Here are five examples of spam I've received in recent weeks. They all are 77-78K and I suspect that the attachments are all viruses. They all slipped through when they arrived. I'm uncertain how POPFile would treat them now. I may test it. In all five instances the subject and the text of the messages appeared to be a legitimate warning of a problem to be addressed. I was wary and in no case did I open the attached file.

    Example 1:
    From: user_info@yahoo.com
    To: blair@ktb.net
    Date: Sun, 26 Dec 2004 12:44:11 GMT
    Subject: Your mail password
    Importance: Normal
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    Message-ID: <23f55caf.bded00d@yahoo.com>
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="===c8909daabfff4b"
    Content-Transfer-Encoding: 7bit
    X-IMAPbase: 1088385920 54553
    Status: O
    X-UID: 54553
    Content-Length: 77462
    X-Keywords:                                                                                                   

    This is a multi-part message in MIME format.

    --===c8909daabfff4b

    Protected message is attached!

    ++++++ User-Service: http://www.yahoo.com
    ++++++ MailTo: postmaster@yahoo.com
    --===c8909daabfff4b
    Content-Type: application/octet-stream; name=yahoo6554.zip
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="yahoo6554.zip"

    == NOTE: blair is not my account and I don't have a yahoo account.

    Example 2:
    From: Auto-Mailer@noralrealty.com
    To: jeff@ktb.net
    Date: Sat, 25 Dec 2004 17:28:21 GMT
    Subject: mail delivery system
    Importance: Normal
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    Message-ID: <4cfcef02feb.eec6c@noralrealty.com>
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
         boundary="====befe9baeb3917c14.2bac9"
    Content-Transfer-Encoding: 7bit
    X-IMAPbase: 1088385920 54489
    Status: O
    X-UID: 54488
    Content-Length: 77444
    X-Keywords:                                                                                                   

    This is a multi-part message in MIME format.

    --====befe9baeb3917c14.2bac9

    This mail was generated automatically.
    More info about --NORALREALTY-- under: http://www.noralrealty.com

    -------
    Occured_Errors:

    167.166.35.117_failed_after_I_sent_the_message.
    # 254: Remote_host_said:_delivery_error
    # 375: Giving_up_on_167.166.35.117.

    End
    -------

    The full mail is attached.

    Auto_Mail.System: [noralrealty]

    *-*-* Attachment: No Virus found
    *-*-* KTB- Anti_Virus Service
    *-*-* http://www.ktb.net
    --====befe9baeb3917c14.2bac9
    Content-Type: application/octet-stream; name=re_mail.scr
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="re_mail.scr"

    == NOTE: jeff is not my account though ktb is indeed my ISP.

    Example 3:
    From: Error_Mail@honeywell.com
    To: dpo@ktb.net
    Date: Tue, 28 Dec 2004 05:41:12 UTC
    Subject: Mail_Delivery_failure <7047>
    Importance: Normal
    X-Mailer: E-SMTP V1.81
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    Message-ID: <3842.8ef60cefcd1f09@ktb.net>
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
         boundary="=====ac1993aab6e.e42aa9"
    Content-Transfer-Encoding: 7bit
    X-IMAPbase: 1088385920 54805
    Status: O
    X-UID: 54805
    Content-Length: 77544
    X-Keywords:                                                                                                   

    This is a multi-part message in MIME format.

    --=====ac1993aab6e.e42aa9

    This mail was generated automatically.
    More info about --HONEYWELL-- under: http://www.honeywell.com

    -------
    Occured_Errors:

    224.88.27.255_failed_after_I_sent_the_message.
    # 278: Giving_up_on_224.88.27.255.
    # 556: mailbox_unavailable
    # 461: This_account_has_been_disabled_[#491].
    # 313: MAILBOX NOT FOUND
    # 540: Remote_host_said:_delivery_error

    End
    -------

    The original mail is attached.

    Auto_Mail.System: [honeywell]

    *-*-* Mail_Scanner: No Virus
    *-*-* KTB- Anti_Virus Service
    *-*-* http://www.ktb.net
    --=====ac1993aab6e.e42aa9
    Content-Type: application/octet-stream; name=re_mail_3430.xls.com
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="re_mail_3430.xls.com"

    == NOTE: dpo is not my account.

    Example 4:
    From: info@rochester.rr.com
    To: Mail-Box@ktb.net
    Date: Thu, 16 Dec 2004 01:40:09 UTC
    Subject: FwD: illegal signs in your mail
    Importance: Normal
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    Message-ID: <f691d36ef.e923108e@rochester.rr.com>
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="=====8e052dbbc7f62798e4.470ea"
    Content-Transfer-Encoding: 7bit
    Status: O
    X-UID: 52219
    Content-Length: 77594
    X-Keywords:                                                                                                   

    This is a multi-part message in MIME format.

    --=====8e052dbbc7f62798e4.470ea

    This mail was generated automatically.
    More info about --ROCHESTER-- under: http://www.rochester.rr.com

    -------
    Occured_Errors:

    166.153.143.45_failed_after_I_sent_the_message.
    # 548: Remote_host_said:_Requested_action_not_taken
    # 482: MAILBOX NOT FOUND
    # 295: This_account_has_been_discontinued_[#383].
    # 403: Giving_up_on_166.153.143.45.
    # 395: mailbox_unavailable

    End
    -------

    The original mail is attached.

    Auto_Mail.System: [rochester]

    *-*-* Anti_Virus: No Virus was found
    *-*-* KTB- Anti_Virus Service
    *-*-* http://www.ktb.net
    --=====8e052dbbc7f62798e4.470ea
    Content-Type: application/octet-stream; name=rochester_7710.xls.scr
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="rochester_7710.xls.scr"

    == NOTE: Mail-Box is also not my account.

    Example 5:
    From: user_info@adelphia.net
    To: dk@ktb.net
    Date: Mon, 27 Dec 2004 08:10:43 UTC
    Subject: Your mail password <KEY:8043>
    Importance: Normal
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    Message-ID: <5e2c.b495534bafcc3c@adelphia.net>
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="=====2e1e36e27dba.30dbd8"
    Content-Transfer-Encoding: 7bit
    X-IMAPbase: 1088385920 55179
    Status: O
    X-UID: 55177
    Content-Length: 77597
    X-Keywords:                                                                                                   

    This is a multi-part message in MIME format.

    --=====2e1e36e27dba.30dbd8

    Your password was changed successfully!

    ++++++ User-Service: http://www.adelphia.net
    ++++++ MailTo: postmaster@adelphia.net

    *-*-* Attachment: No Virus found
    *-*-* KTB- Anti_Virus Service
    *-*-* http://www.ktb.net
    --=====2e1e36e27dba.30dbd8
    Content-Type: application/octet-stream; name=adelphia.8050.zip
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="adelphia.8050.zip"

    == NOTE: You guessed it, dk is not my account either.

    In reality, the purported sender of each of these messages is not anyone from whom I would expect to receive any kind of a bounce, with the possible exception of the first one; but then the subject dealt with my mail password, which would be totally unknown and irrelevant to yahoo.

    --
    Jim
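The five messages above share one structure: a short text part that imitates a bounce, a password notice or a scanner report, followed by a single `application/octet-stream` attachment whose name ends in `.scr`, `.com` or `.zip`, sometimes behind a decoy `.xls`. The Python below is an added example, not code from this thread or from POPFile, showing how a mail filter can flag that structure from the headers alone without opening the attachment. It walks the MIME tree with the standard library `email` package and applies four checks: an executable extension, a decoy double extension, a body that asserts its own "No Virus" scan result, and bounce wording without the `message/delivery-status` or `message/rfc822` part a genuine RFC 3464 report carries. The `FORGED_BOUNCE` sample is constructed to mirror Example 3 with a placeholder payload in place of the real attachment; the `BENIGN` sample, the extension lists and the `check_message` function are all assumptions of this example.

```python
import re
from email import message_from_string, policy

# File types Windows runs as programs when opened (constructed list, not
# exhaustive; .scr and .com are the ones seen in the examples above).
EXECUTABLE_EXTS = {".scr", ".com", ".exe", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Document-looking extensions used as a decoy in front of the real one.
DECOY_EXTS = {".xls", ".doc", ".txt", ".pdf", ".htm", ".html"}
# A genuine delivery report (RFC 3464) carries one of these parts.
DSN_PART_TYPES = {"message/delivery-status", "message/rfc822"}

BOUNCE_WORDS = re.compile(r"generated automatically|delivery|failed|bounced", re.I)
SELF_SCAN_CLAIM = re.compile(r"no virus", re.I)


def check_message(raw: str) -> list[str]:
    """Return the reasons a message looks like a forged bounce carrying an
    executable; an empty list means no heuristic fired."""
    msg = message_from_string(raw, policy=policy.default)
    reasons: list[str] = []
    text_parts: list[str] = []
    attachments: list[tuple[str, str]] = []
    has_dsn_part = False

    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in DSN_PART_TYPES:
            has_dsn_part = True
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            attachments.append((filename.lower(), ctype))
        elif part.get_content_maintype() == "text":
            text_parts.append(part.get_content())

    body = "\n".join(text_parts)
    subject = str(msg.get("Subject", ""))

    for name, ctype in attachments:
        # "re_mail_3430.xls.com" -> [".xls", ".com"]
        exts = re.findall(r"\.[a-z0-9]+", name)
        if exts and exts[-1] in EXECUTABLE_EXTS:
            reasons.append(f"executable attachment: {name}")
            if len(exts) > 1 and exts[-2] in DECOY_EXTS:
                reasons.append(f"decoy double extension: {name}")
        elif exts and exts[-1] == ".zip" and ctype == "application/octet-stream":
            reasons.append(f"opaque archive attachment: {name}")

    if SELF_SCAN_CLAIM.search(body):
        reasons.append("body asserts its own virus-scan result")
    if (BOUNCE_WORDS.search(body) or BOUNCE_WORDS.search(subject)) \
            and attachments and not has_dsn_part:
        reasons.append("bounce wording but no RFC 3464 delivery-status/rfc822 part")
    return reasons


# Constructed sample modelled on Example 3 above; the base64 payload is a
# harmless placeholder string, not the original attachment.
FORGED_BOUNCE = """\
From: Error_Mail@honeywell.com
To: dpo@ktb.net
Subject: Mail_Delivery_failure <7047>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=====ac1993aab6e.e42aa9"

This is a multi-part message in MIME format.

--=====ac1993aab6e.e42aa9

This mail was generated automatically.
The original mail is attached.

*-*-* Mail_Scanner: No Virus
*-*-* KTB- Anti_Virus Service
--=====ac1993aab6e.e42aa9
Content-Type: application/octet-stream; name=re_mail_3430.xls.com
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="re_mail_3430.xls.com"

cGxhY2Vob2xkZXI=
--=====ac1993aab6e.e42aa9--
"""

# Constructed benign message for contrast: a plain-text attachment, no bounce wording.
BENIGN = """\
From: colleague@example.com
To: jim@example.com
Subject: Notes from today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd1"

--bnd1
Content-Type: text/plain

Notes attached as plain text.
--bnd1
Content-Type: text/plain; name=notes.txt
Content-Disposition: attachment; filename="notes.txt"

Item one, item two.
--bnd1--
"""

if __name__ == "__main__":
    for label, sample in (("forged bounce", FORGED_BOUNCE), ("benign", BENIGN)):
        print(label, "->", check_message(sample) or "clean")
```

The first text part in the forged sample has no headers at all, exactly as in the examples above; the parser defaults it to `text/plain`, so the "No Virus" banner is still visible to the body checks. Because every decision is made on metadata and the text part, the attachment is never decoded or written to disk, which is the property you want in a filter that sits between the mailbox and the user, whether in POPFile's proxy or IMAP mode.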

    • Geoff

      Geoff - 2005-02-11

      I chain ClamAV (using ClamMail) in front of POPFile to try and catch viruses.  You could try that.

      • James E Lang

        James E Lang - 2005-02-12

        Thank you Geoff. I believe that would work if I were using POPFile's POP proxy mode. But since I'm using its IMAP service mode instead I don't think it will.

        I was not so much asking for assistance with this as just submitting some examples of a spammers' trick that they try to use to get past POPFile and then entice the recipient into activating their viral decadence.

        --
        Jim
