Incidents
RE: Strange mail with number in subject line and body Jun 07 2006 11:15AM
Shaffer, Bruce (security stsgi com)
We've seen enough that I sent out a warning to all users in my domain to
delete. It seems that the source mail server is being spoofed as well
as the source address. My analysis shows each e-mail having a separate
source address coming from all over the US and Amsterdam; I didn't see
any other countries represented. Tracing several messages from the time
they come into the perimeter until they are ultimately delivered shows
no attachments or links, just the numbers. I don't have the facilities
to capture the messages intact as they come in to do a full
reconstruction before they get to the mail defenses, so I would bow to a
full byte-by-byte analysis to show that the messages are indeed "clean".
The only reasons I can think of for these e-mails are that either new
malware is being field tested (zombies?), someone's probes have gone awry, or
someone is building a list of valid e-mails. If you shotgun e-mails at
a domain and remove any e-mail addresses that return an NDR, you are
left with a list of addresses that have some confidence of being real.

Can someone check in who has been able to do a complete analysis of the
mail?
-B-

-----Original Message-----
From: paul.johnson8 (at) gmail (dot) com [mailto:paul.johnson8 (at) gmail (dot) com]
Sent: Tuesday, June 06, 2006 1:44 AM
To: incidents (at) securityfocus (dot) com
Subject: Strange mail with number in subject line and body

We have received a few strange emails (from Korea and France) which
list a three character number in the subject line and a different
three digit character number in the body, no attachments.

The sender (from field) has been spoofed and displays the receiver's
name (to field).

I did a search on Google but could not find any further information.
Has anyone seen these, or does anyone know where/why these emails are
being received? Maybe an sdbot infection on a zombie PC?

------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29 - August 3 in Las Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of your
security environment. Featuring 36 hands-on training courses and 10 conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.

http://www.blackhat.com
------------------------------------------------------------------------------

[ reply ]
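
A triage filter for the message pattern reported in this thread (a three-digit subject, a different three-digit body, no attachments or links, and optionally From matching To), as an added example that is not from either poster. The function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

THREE_DIGITS = re.compile(r"\d{3}")
URL = re.compile(r"https?://|www\.", re.I)

def probe_traits(raw):
    """Report which traits described in the thread a raw RFC 822 message shows."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    body_chunks, attachments = [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            data = part.get_payload(decode=True) or b""
            body_chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
        else:
            attachments += 1  # any non-text or named part counts as an attachment
    body = "".join(body_chunks).strip()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    return {
        "numeric_subject": bool(THREE_DIGITS.fullmatch(subject)),
        "numeric_body": bool(THREE_DIGITS.fullmatch(body)),
        "numbers_differ": subject != body,
        "no_attachments_or_links": attachments == 0 and not URL.search(body),
        # Only the original report mentions this trait, so it is reported
        # for the analyst but not required for a match.
        "from_equals_to": bool(sender) and sender == rcpt,
    }

def is_numeric_probe(raw):
    """True when the message matches the pattern both posters describe."""
    t = probe_traits(raw)
    return all(t[k] for k in ("numeric_subject", "numeric_body",
                              "numbers_differ", "no_attachments_or_links"))

# Constructed sample messages (not captured traffic).
SAMPLE_PROBE = "From: alice@example.com\nTo: alice@example.com\nSubject: 417\n\n902\n"
SAMPLE_NORMAL = ("From: bob@example.net\nTo: alice@example.com\nSubject: 417\n\n"
                 "Invoice 417 is at http://example.net/inv\n")

if __name__ == "__main__":
    for name, raw in (("probe", SAMPLE_PROBE), ("normal", SAMPLE_NORMAL)):
        print(name, is_numeric_probe(raw), probe_traits(raw))
```

Matches are worth quarantining with full headers preserved, since neither poster had an intact capture to analyse.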
Copyright 2010, SecurityFocus