Message-ID: <40CDB916.80405@InfiniteConsulting.net>
Date: Mon, 14 Jun 2004 09:41:26 -0500
From: ICI Security Team <Security@...initeConsulting.net>
To: bugtraq@...urityfocus.com, NTBugTraq@...urityfocus.com
Subject: Re: Eudora SPAM Issues.. (Followup)
Thanks to everyone who has responded. (And for those of you who accept messages on accounts that you also put up out-of-office messages, SHAME ON YOU - I got at least 50 of these back). I apologize that I have not responded to most of you that have replied, there were just too many.
Let me clear up a few things about my original post that either I forgot to include or that I didn't know at the time.
1 - All the "bad" features of Eudora are turned off: No HTML Content is shown (which actually doesn't work completely), executables are turned off, and we are NOT using the Microsoft Viewer. These users are in paid mode, and have junk filtering turned on. We see the mail somehow executed before or during the Junk filtering process.
2 - These machines are as clean as I can tell -- Up-to-date Antivirus and Spyware definitions (Including scans using HijackThis and CWShredder, Spybot Search & Destroy, Ad-Aware) and a look at everything that is starting up. These scans were performed both in and out of safe-mode.
3 - I have analyzed the messages that are coming in (in another client - Thunderbird), and I can't find anything that would be executing in the basic SPAM html code that is in this message. This does not happen with every spam that comes in. It has not happened much in the last 2-3 days.
4 - I would say this happens for about 5 of every 100 spam messages, so it is definitely NOT every spam.
5 - The outgoing messages ARE the same as the incoming messages -- What I meant to say before was that the recipients are not the same. The content IS the same.
This isn't happening as much as it was before (I am unsure why), but it does still happen. I am going to try to get a hold of some of these messages that cause this behavior. It is difficult, however, because of the large volume of spam that comes in, and only a small percentage cause this behavior.
I will also be in contact with the Eudora folks if this continues.
Be assured -- these machines are no longer sending out ANY mail, only receiving to see what gets kicked into the outbox.
Thanks again,
Brian Luerssen
Infinite Consulting
ICI Security Team wrote:
> I have a client who is seeing large amounts of spam originate inside
> their organization. I have traced the spam to Windows machines running
> Eudora 6.1.1 (latest) in paid mode. Apparently, spam messages come in,
> something is executed in these spam messages, and copies/duplicates
> (with forged names/headers) immediately drop into the Eudora OutBox
> (Messages waiting to be sent) to many users all located in the Eudora
> Addressbook of that particular computer.
>
> We have scanned (in safe mode and regular) with Norton AV Corporate
> fully up to date, along with numerous spyware, malware, adware scanners
> (Spybot Search & Destroy 1.3, CWShredder, Ad-Aware) all with up to date
> definitions, and have come up with nothing.
>
> It seems as though some sort of arbitrary execution of code within
> Eudora emails is automatically executed before the Incoming SPAM is
> classified as such and moved into the JUNK folder.
>
> Headers of the outgoing spam contain the following lines (other than
> forged from, reply-to, to, and subject):
>
> X-Mailer: Zckvdgt 0.7
> Content-Type: text/html;
> Content-Transfer-Encoding: 7Bit
>
> The outgoing spam is not always the same, but is (I believe) based on
> the spam that comes in. We have seen Prescription Drugs, Pornographic
> Sites, and other common SPAMs.
>
> Is anyone else seeing this or can anyone provide any information? Any
> advice would be helpful. In the time being, I am going to move those
> users to Thunderbird in efforts to stop originating spam.
>
> Thanks
>
> Brian T Luerssen
> Infinite Consulting Inc.
>
>
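A triage sketch for the symptom described in this thread, added here as an example and not part of the original posts or any Eudora tooling: it flags queued outgoing messages whose X-Mailer is not the client's own, or whose body matches an incoming message but is addressed to different recipients. The function names, the expected X-Mailer prefix and the sample messages are assumptions constructed for illustration; it takes raw RFC 822 message strings, so extracting them from the client's mailbox files is left out.

```python
import hashlib
from email import message_from_string

# Assumption: the mail client's own X-Mailer value starts with this string.
EXPECTED_MAILER_PREFIX = "QUALCOMM Windows Eudora"

def body_digest(msg):
    """Hash the body with whitespace normalised so re-wrapped copies still match."""
    payload = msg.get_payload()
    if isinstance(payload, list):  # multipart: join the parts' text
        payload = "".join(str(p.get_payload()) for p in payload)
    text = " ".join(payload.split())
    return hashlib.sha256(text.encode("utf-8", "replace")).hexdigest()

def triage_outbox(inbox_raw, outbox_raw, mailer_prefix=EXPECTED_MAILER_PREFIX):
    """Return (subject, reasons) for each queued message that looks relayed."""
    incoming = {}
    for raw in inbox_raw:
        m = message_from_string(raw)
        incoming[body_digest(m)] = m
    findings = []
    for raw in outbox_raw:
        m = message_from_string(raw)
        reasons = []
        mailer = m.get("X-Mailer", "")
        if not mailer.startswith(mailer_prefix):
            reasons.append("foreign X-Mailer: %r" % mailer)
        src = incoming.get(body_digest(m))
        if src is not None:
            reasons.append("body identical to incoming message")
            if m.get("To") != src.get("To"):
                reasons.append("recipient changed")
        if reasons:
            findings.append((m.get("Subject", ""), reasons))
    return findings

# Constructed sample messages (not captured traffic); addresses are placeholders.
SPAM_OUT = ("From: forged@example.invalid\nTo: contact@example.invalid\n"
            "Subject: offer\nX-Mailer: Zckvdgt 0.7\nContent-Type: text/html;\n"
            "Content-Transfer-Encoding: 7Bit\n\n"
            "<html><body>constructed body</body></html>\n")
SPAM_IN = SPAM_OUT.replace("To: contact@example.invalid", "To: user@example.invalid")
LEGIT_OUT = ("From: user@example.invalid\nTo: peer@example.invalid\n"
             "Subject: minutes\n"
             "X-Mailer: QUALCOMM Windows Eudora Version 6.1.1.0\n\n"
             "See attached notes.\n")

if __name__ == "__main__":
    for subject, reasons in triage_outbox([SPAM_IN], [SPAM_OUT, LEGIT_OUT]):
        print(subject, "->", "; ".join(reasons))
```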