[nsp-sec] Infected systems within guaratuba.pr.gov.br

sthaug at nethelp.no sthaug at nethelp.no
Sun Nov 22 09:49:17 EST 2009


Anybody here with contacts within guaratuba.pr.gov.br? I received the 
email below, which is a pretty standard "please send us your username
and password, or you'll be locked out from your webmail account" in
badly translated Norwegian. The email has been sent through the
fwpmg.guaratuba.pr.gov.br (200.96.32.82) firewall,

8167  | 200.96.32.82  | TELESC - Telecomunicacoes de Santa Catarina SA

abuse at mail2world.com has been notified separately about the
Reply-to: username/password dropbox address.

Steinar Haug, AS 2116

----------------------------------------------------------------------
Microsoft Mail Internet Headers Version 2.0
Received: from nokrs01exh01.ventelo.no ([10.21.35.40]) by nokrs01exh01.ventelo.no with Microsoft SMTPSVC(6.0.3790.3959); Sun, 22 Nov 2009 14:19:38 +0100
Received: from mail.ventelo.no ([193.71.102.16]) by nokrs01exh01.ventelo.no with Microsoft SMTPSVC(6.0.3790.3959); Sun, 22 Nov 2009 14:19:38 +0100
X-Spam-Flag: NO
X-Spam-Status: NO, hits=0 required=7 tests=CTENGINE_UNKNOWN
X-CT-RefID: str=0001.0A3C0009.4B093AA3.0030:SCFSTAT6604668,ss=1,fgs=0
Received: from securemail1.webpartner.dk (securemail1.webpartner.dk [195.184.96.50])
 by mail.ventelo.no ([193.71.102.16]:25) (F-Secure Anti-Virus for Internet Mail 6.60.34 Release)
 with SMTP; Sun, 22 Nov 2009 13:20:47 -0000
 (envelope-from <cultura at guaratuba.pr.gov.br>)
Received: from localhost (localhost [127.0.0.1]) by securemail1.webpartner.dk (Postfix) with ESMTP id 3C403489894
	for <sthaug at catch.no>; Sun, 22 Nov 2009 14:20:37 +0100 (CET)
Received: from securemail1.webpartner.dk ([127.0.0.1])
 by localhost (securemail1.webpartner.dk [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 47590-03 for <sthaug at catch.no>;
 Sun, 22 Nov 2009 14:20:35 +0100 (CET)
X-Greylist: from auto-whitelisted by SQLgrey-
Received-SPF: none (fwpmg.guaratuba.pr.gov.br: cultura at guaratuba.pr.gov.br does not designate permitted sender hosts)
Received: from mail.guaratuba.pr.gov.br (fwpmg.guaratuba.pr.gov.br [200.96.32.82]) by securemail1.webpartner.dk (Postfix) with SMTP id 9208248986D
	for <sthaug at catch.no>; Sun, 22 Nov 2009 14:20:33 +0100 (CET)
Received: (qmail 24119 invoked by uid 1008); 22 Nov 2009 11:13:32 -0200
Received: from 192.168.1.5 by mail (envelope-from <cultura at guaratuba.pr.gov.br>, uid 1002) with qmail-scanner-1.25 
 (clamdscan: 0.95.3/10053. spamassassin: 3.1.1.  Clear:RC:1(192.168.1.5):. Processed in 0.052361 secs); 22 Nov 2009 13:13:32 -0000
Received: from unknown (HELO WebMailPMG) (192.168.1.5) by mail.guaratuba.pr.gov.br with SMTP; 22 Nov 2009 11:13:32 -0200
Received: from client 192.168.1.3 for WebMail (webmail client); Sun, 22 Nov 2009 11:13:32 -0000
Date: Sun, 22 Nov 2009 11:13:32 -0000
From: CUSTOMER CARE SERVICE <cultura at guaratuba.pr.gov.br>
Reply-to: CUSTOMER CARE SERVICE <custcare09 at mail2world.com>
Subject: Webmail customercare Support
X-Priority: 3
X-Mailer: WebMail-PMG 3.0
X-MSMail-Priority: Medium
Importance: Medium
Content-Type: text/html; charset="iso-8859-1";
MIME-Version: 1.0
X-Qmail-Scanner-Message-ID: <125889561268624111 at mail>
Message-Id: <20091122132034.9208248986D at securemail1.webpartner.dk>
To: undisclosed-recipients:;
X-Virus-Scanned: amavisd-new at webpartner.dk
X-Spam-Level: ***
Content-Transfer-Encoding: quoted-printable
Return-Path: cultura at guaratuba.pr.gov.br
X-OriginalArrivalTime: 22 Nov 2009 13:19:38.0739 (UTC) FILETIME=[71769430:01CA6B76]


Dear e-mail account owner,
This message is from the webmail service account Webmaster messaging center to all e-mail account owners. We are currently upgrading our database and e-mail account center. We are deleting all unused openwebmail accounts to create more space for new accounts.

To prevent your Webmail account from being closed, you must update it below so that we know it is an account currently in use.
To complete your Webmail account, you must reply to this e-mail immediately and enter your WEBMAIL LOGIN INFORMATION
Name: ()
Username: ()
Password: ()
Confirm password: ()

NOTE: Failure to do this will immediately cause your Webmail e-mail address to be deactivated from our database.

Warning! Account owners who refuse to update their account within seven days of receiving this warning will lose their webmail account permanently.

Thank you for using webmail Gateway.

Warning Code: VX2G99AAJ
Thanks,
Webmail customercare Support



________________________________________________
This e-mail was sent by WebMail-PMG 3.0
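
The triage done by hand in the report above (following the Received chain back to the host that handed the mail to the recipient's side, and noticing that replies go to a different domain than the From address) can be scripted. This is an added example, not part of the original post: the function names are hypothetical, and the sample headers are constructed placeholders that only mirror the layout of the headers quoted above.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header layout in the post. All names and
# addresses are placeholders (example domains, RFC 5737 documentation ranges).
SAMPLE = """\
Received: from filter.example.net (filter.example.net [198.51.100.50])
 by mx.example.org with SMTP; Sun, 22 Nov 2009 13:20:47 -0000
Received: from localhost (localhost [127.0.0.1])
 by filter.example.net (Postfix) with ESMTP; Sun, 22 Nov 2009 14:20:37 +0100
Received: from mail.sender.example (fw.sender.example [203.0.113.82])
 by filter.example.net (Postfix) with SMTP; Sun, 22 Nov 2009 14:20:33 +0100
Received: from unknown (HELO WebMail) (192.168.1.5)
 by mail.sender.example with SMTP; 22 Nov 2009 11:13:32 -0200
From: CUSTOMER CARE SERVICE <office@sender.example>
Reply-To: CUSTOMER CARE SERVICE <dropbox@freemail.example>
"""

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def sending_ip(received):
    """Sender-side IPv4 address of one Received header, or None."""
    sender_side = " ".join(received.split()).split(" by ")[0]
    for text in IPV4.findall(sender_side):
        try:
            return ipaddress.ip_address(text)
        except ValueError:
            continue  # dotted number that is not a valid address
    return None

def entry_hop(msg, trusted):
    """Newest-first: first external IP that is not one of our own relays."""
    for received in msg.get_all("Received", []):
        ip = sending_ip(received)
        if ip is not None and str(ip) not in trusted \
                and not any(ip in net for net in INTERNAL):
            return str(ip)  # headers older than this hop are sender-supplied
    return None

def triage(raw, trusted=()):
    """Parse raw headers; report the entry hop and any Reply-To redirection."""
    msg = message_from_string(raw)
    frm, reply = (parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
                  for h in ("From", "Reply-To"))
    return {"entry_hop": entry_hop(msg, trusted),
            "reply_to_diverted": bool(reply) and reply != frm,
            "from_domain": frm, "reply_domain": reply}
```

Pass the addresses of your own upstream filters in `trusted`; without them the function stops at the first relay it sees, because it only trusts Received lines written by hosts you have named.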


