| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4487C4D3.6060305@telus.net> Date: Thu Jun 8 07:42:12 2006 From: waydaws at telus.net (wayne dawson) Subject: Strange Emails -- What are they? Simon Smith wrote: > Hi List, > I've had roughly one dozen people forward emails to me from > different companies asking me to figure out what these emails are. The > emails appear to be emails from the from the recipient. For example, > John Doe appears to be sending an email to himself, but he's not. In > reality when checking the mail server logs I find that the mails > originate from the Internet. Other emails like the one below contain a > different sender than the recipient but the contents of the emails are > the same and they are still from the same domain. > > > -------------------- BEGIN EMAIL ---------------------- > > Received: from 83.145.66.70 ([172.18.12.134]) > by vms043.mailsrvcs.net (Sun Java System Messaging Server 6.2-4.02 (built > Sep > 9 2005)) with ESMTP id <0J0E00AVSNH9ETG0@...043.mailsrvcs.net> for > xxxxxxx@...izon.net; Mon, 05 Jun 2006 15:55:58 -0500 (CDT) > Received: from raptor.net (83.145.66.70) > by sv12pub.verizon.net (MailPass SMTP server v1.2.0 - 112105154401JY+PrW) > with SMTP id <5-25035-180-25035-2228-2-1149540957> for > vms043pub.verizon.net; > Mon, 05 Jun 2006 15:55:58 -0500 > Date: Mon, 05 Jun 2006 22:52:40 +0100 > From: "Gil.novak" <xxxxxx@...izon.net> > Subject: 586876 > X-Originating-IP: [83.145.66.70] > To: "xxx.xxxx" <xxxxxx@...izon.net> > Message-id: <ayoznyepbslfqdlqblr@...izon.net> > MIME-version: 1.0 > Content-type: text/html; charset=us-ascii > Content-transfer-encoding: 7bit > > > > -----Original Message----- > From: xxx.xxxx [mailto:xxx.xxxx@...izon.net] > Sent: Monday, June 05, 2006 5:53 PM > To: xxx.xxxx > Subject: 586876 > > > 969 > > > > -------------------- END EMAIL --------------------- > > Is this just another instance of spammers fishing for legit addresses? > If so, then why the hell are they sending email from invalid addresses? > I can dig into this a lot further if I need to, but I wanted to see if > anyone else had any ideas about it first. Thanks in advance!!! > > > -Simon > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > I think it's out now, but in case you haven't heard, jesse gough of security focus, said this was "a new Tooso/Beagle variant released a few days ago. It appears to be retrieving lists of email addresses and spamming them, and if the spam attempt does not result in an SMTP error, it will save the address to a "known-good" list and eventually upload that to a remote location. The numbers in the subject and body are randomly selected from a small hardcoded list (2 choices for the subject, 5 for the body). Nothing to indicate the significance of the specific numbers chosen, however."
Powered by blists - more mailing lists