lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <40CA0AFC.8000304@InfiniteConsulting.net>
Date: Fri, 11 Jun 2004 14:41:48 -0500
From: ICI Security Team <Security@...initeConsulting.net>
To: bugtraq@...urityfocus.com, NTBugTraq@...urityfocus.com
Subject: Eudora SPAM Issues..


I have a client who is seeing large amounts of spam originate inside their organization. I have traced the spam to Windows machines running Eudora 6.1.1 (latest) in paid mode. Apparently, spam messages come in, something is executed in these spam messages, and copies/duplicates (with forged names/headers) immediately drop into the Eudora OutBox (Messages waiting to be sent) to many users all located in the Eudora Addressbook of that particular computer.

We have scanned (in safe mode and regular) with Norton AV Corporate fully up to date, along with numerous spyware, malware, adware scanners (Spybot Search & Destroy 1.3, CWShredder, Ad-Aware) all with up to date definitions, and have come up with nothing.

It seems as though some sort of arbitrary execution of code within Eudora emails is automatically executed before the Incoming SPAM is classified as such and moved into the JUNK folder.

Headers of the outgoing spam contain the following lines (other than forged from, reply-to, to, and subject):

  X-Mailer: Zckvdgt 0.7
  Content-Type: text/html;
  Content-Transfer-Encoding: 7Bit

The outgoing spam is not always the same, but is (I believe) based on the spam that comes in. We have seen Prescription Drugs, Pornographic Sites, and other common SPAMs.

Is anyone else seeing this or can anyone provide any information? Any advise would be helpful. In the time being, I am going to move those users to Thunderbird in efforts to stop originating spam.

Thanks

Brian T Luerssen
Infinite Consulting Inc.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ