New variation of SSL Spam

Published: 2009-10-14. Last Updated: 2009-10-14 18:25:16 UTC
by David Goldsmith (Version: 1)
5 comment(s)

We've received numerous emails about this already today.  This is an update to a diary we did earlier this week.

The body of the spam today is:

  Dear user of the <some company> mailing service!

  We are informing you that because of the security upgrade of the mailing
  service your mailbox (<user>@<some company>) settings were changed. In
  order to apply the new set of settings click on the following link:

The email contains a link with a file to download.  Some of the files we have seen are:

  settings-file.exe   MD5:  0244586f873a83d89caa54db00853205
  settings-file2.exe  MD5:  e6436811c99289846b0532812ac49986

The files are being detected by some anti-virus software programs at this time as Zbot variants.

Thanks Jon, Frank, iTinker, Nick and others for your reports on this.
Keywords:
5 comment(s)

Comments

We just received a large influx of these to our whole enterprise. We use Postini as spam filter and they caught them all.

----------------------------------
Received: from source ([213.21.97.141]) by eu1sys200amx117.postini.com ([207.126.147.14]) with SMTP;
Thu, 15 Oct 2009 05:01:31 GMT
Received: from 213.21.97.141 by mail-red.research.att.com; Thu, 15 Oct 2009 07:01:25 +0100
Message-ID: <000d01ca4d54$8bc16760$6400a8c0@lizapf5>
From: "support@target-domain.com" <support@target-domain.com>
To: <user@target-domain.com>
Subject: A new settings file for the user@target-domain.com mailbox has just been released
Date: Thu, 15 Oct 2009 07:01:25 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01CA4D54.8BC16760"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.1712.3
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels: (S: 0.00533/92.62311 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 3 (1.0000:1.0000) s cv gt3 gt2 gt1 r p m c
X-pstn-addresses: from <support@target-domain.com> [233/12]
X-pstn-disposition: quarantine

Date: Thu, 15 Oct 2009 07:01:25 +0100
From: "support@target-domain.com" <support@target-domain.com>
To: <user@target-domain.com>
Subject: A new settings file for the user@target-domain.com mailbox has just been released

Dear user of the target-domain.com mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox (user@target-domain.com) settings were changed. In order to apply the new set of settings click on the following link:
http://target-domain.com/owa/service_directory/settings.php?email=user@target-domain.com&from=target-domain.com&fromname=user
Best regards, target-domain.com Technical Support.

----------------------------------

One of our users came round very confused although when i explained that if we had emailed him (internal mail) it wouldn't go through the spam filter at all.

MartynJSimpson

Oct 15th 2009
1 decade ago

I'm seeing a lot of these as well on my mail servers. Interestingly, not all of m domains are affected: only the ones in .com. I have domains in .ch and these are not affected. Also, sub-domains aren't targeted either.

Stephane

Oct 15th 2009
1 decade ago

The interesting thing is that the obfuscated URL in the HTML boundary partof the messages I have seen is http://target-domain.com.polikko.eu/owa/service_directory/settings.php?email=user@target-domain.com&from=target-domain.com&fromname=user

Note the addition of the .polikko.eu to the domain name !

Karl

Oct 15th 2009
1 decade ago

As posted by Karl:
"Note the addition of the .polikko.eu to the domain name !"

Actually they use a sub-domain of "polikko.eu". In the Text they only quote that sub-domain.
So it has nothing to do with "target-domain .com"

PS:
I am the holder of the "target-domain .com" domain, and I can assure that this junk does originate elsewhere.

This really is a pain in the butt :(

Harry

Oct 15th 2009
1 decade ago

Well, I, for one, have temporary filtered all mail containing the /owa/service_directory/settings.php?email= string as it seems to be the only common trail in all these mails. It's a temporary solution at best, since this string is easy to forge, but it's the only way I've found to really filter these out. Another option I'm persuing is to reject all mail coming in from a local address using the same rules as for mail relay. Unfortunately, my mail server doesn't allow this just yet.

Stephane

Oct 15th 2009
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives