lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu Jun  8 07:42:12 2006
From: waydaws at telus.net (wayne dawson)
Subject: Strange Emails -- What are they?

Simon Smith wrote:
> Hi List,
>     I've had roughly one dozen people forward emails to me from
> different companies asking me to figure out what these emails are. The
> emails appear to be emails from the from the recipient. For example,
> John Doe appears to be sending an email to himself, but he's not. In
> reality when checking the mail server logs I find that the mails
> originate from the Internet.  Other emails like the one below contain a
> different sender than the recipient but the contents of the emails are
> the same and they are still from the same domain.
>
>
> -------------------- BEGIN EMAIL ----------------------
>
> Received: from 83.145.66.70 ([172.18.12.134])
>  by vms043.mailsrvcs.net (Sun Java System Messaging Server 6.2-4.02 (built
> Sep
>  9 2005)) with ESMTP id <0J0E00AVSNH9ETG0@...043.mailsrvcs.net> for
>  xxxxxxx@...izon.net; Mon, 05 Jun 2006 15:55:58 -0500 (CDT)
> Received: from raptor.net (83.145.66.70)
>  by sv12pub.verizon.net (MailPass SMTP server v1.2.0 - 112105154401JY+PrW)
>  with  SMTP id <5-25035-180-25035-2228-2-1149540957> for
> vms043pub.verizon.net;
>  Mon, 05 Jun 2006 15:55:58 -0500
> Date: Mon, 05 Jun 2006 22:52:40 +0100
> From: "Gil.novak" <xxxxxx@...izon.net>
> Subject: 586876
> X-Originating-IP: [83.145.66.70]
> To: "xxx.xxxx" <xxxxxx@...izon.net>
> Message-id: <ayoznyepbslfqdlqblr@...izon.net>
> MIME-version: 1.0
> Content-type: text/html; charset=us-ascii
> Content-transfer-encoding: 7bit
>
>
>
> -----Original Message-----
> From: xxx.xxxx [mailto:xxx.xxxx@...izon.net]
> Sent: Monday, June 05, 2006 5:53 PM
> To: xxx.xxxx
> Subject: 586876
>
>
> 969
>
>
>
> -------------------- END EMAIL ---------------------
>
> Is this just another instance of spammers fishing for legit addresses?
> If so, then why the hell are they sending email from invalid addresses?
> I can dig into this a lot further if I need to, but I wanted to see if
> anyone else had any ideas about it first.  Thanks in advance!!!
>
>
> -Simon
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>   
I think it's out now, but in case you haven't heard, jesse gough of 
security focus, said this was "a new Tooso/Beagle variant released a few 
days ago. It appears to be retrieving lists of email addresses and 
spamming them, and if the spam attempt does not result in an SMTP error, 
it will save the address to a "known-good" list and eventually upload 
that to a remote location. The numbers in the subject and body are 
randomly selected from a small hardcoded list (2 choices for the 
subject, 5 for the body). Nothing to indicate the significance of the 
specific numbers chosen, however."

Powered by blists - more mailing lists