[nsp-sec] Peter may have chased the "mailbox settings" folks off Google
Krista Hickey
Krista.Hickey at cogeco.com
Thu May 13 10:17:26 EDT 2010
Yeah, they're still coming in here, albeit things have changed, and it looks like today's sample is either going for the 'if we repeat it enough they will click' methodology or someone's got some errors in their malware package. How it reads and is formatted below is exactly how it came in.
Krista
Microsoft Mail Internet Headers Version 2.0
Received: from BUPWXMT1.cogeco.com ([10.1.1.241]) by BUPWXDB1.cogeco.com with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 13 May 2010 08:15:09 -0400
Received: from bupnmail1.cogeco.com ([10.1.1.246]) by BUPWXMT1.cogeco.com with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 13 May 2010 08:15:08 -0400
Received: from bupnmail1.cogeco.com (localhost.localdomain [127.0.0.1])
by localhost (Email Security Appliance) with SMTP id E27AF564455_BEBED4BB;
Thu, 13 May 2010 12:15:07 +0000 (GMT)
Received: from KOJEEIIF (unknown [41.252.30.2])
by bupnmail1.cogeco.com (Sophos Email Appliance) with ESMTP id 6CFEA564436_BEBED3EF;
Thu, 13 May 2010 12:14:54 +0000 (GMT)
Message-ID: <000d01caf295$d56deb40$6400a8c0 at manaclesw0>
From: "cogeco.com support" <erryl.godwin at cogeco.com>
To: <erryl.godwin at cogeco.com>
Subject: setting for your mailbox erryl.godwin at cogeco.com are changed
Date: Thu, 13 May 2010 14:14:27 +0200
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Spam: Not detected
X-Sophos-ESA: [bupnmail1.cogeco.com] 3.5.0.3, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2010.5.13.120315
Return-Path: manaclesw0 at research-instruments.com
X-OriginalArrivalTime: 13 May 2010 12:15:08.0391 (UTC) FILETIME=[ED9B5770:01CAF295]
-----Original Message-----
From: cogeco.com support [mailto:erryl.godwin at cogeco.com]
Sent: May-13-10 8:14 AM
To: Erryl Godwin
Subject: setting for your mailbox erryl.godwin at cogeco.com are changed
SMTP and POP3 servers for erryl.godwin at cogeco.com mailbox are changed. Please carefully read the attached instructions before updating settings.
http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip
http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip
http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip
http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip
http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip http://sites.google.com/site/doorwaysss/open.zip
-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of CERT-UT - Peter
Sent: May-13-10 7:40 AM
To: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] Peter may have chased the "mailbox settings" folks off Google
----------- nsp-security Confidential --------
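An added triage example (not from the nsp-sec post or from cogeco): it reproduces the quoted headers and body as constructed input, with the archive's " at " restored to "@", and checks the three things the sample shows, namely an external originating hop behind a cogeco.com From:, an envelope sender on a different domain, and one link pasted dozens of times.

```python
# Added example, not from the post: header/body triage for the quoted sample.
# SAMPLE is a constructed copy of the headers and body shown above.
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

SAMPLE = """\
Received: from bupnmail1.cogeco.com (localhost.localdomain [127.0.0.1])
\tby localhost (Email Security Appliance) with SMTP id E27AF564455_BEBED4BB;
\tThu, 13 May 2010 12:15:07 +0000 (GMT)
Received: from KOJEEIIF (unknown [41.252.30.2])
\tby bupnmail1.cogeco.com (Sophos Email Appliance) with ESMTP id 6CFEA564436_BEBED3EF;
\tThu, 13 May 2010 12:14:54 +0000 (GMT)
From: "cogeco.com support" <erryl.godwin@cogeco.com>
Subject: setting for your mailbox erryl.godwin@cogeco.com are changed
Return-Path: manaclesw0@research-instruments.com
Content-Type: text/plain; charset="iso-8859-1"

SMTP and POP3 servers for erryl.godwin@cogeco.com mailbox are changed.
""" + "http://sites.google.com/site/doorwaysss/open.zip " * 50

# "from <helo> (<rdns> [<ip>])" as the appliance writes its Received: lines
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")
URL_RE = re.compile(r"https?://\S+")

def originating_hop(msg, trusted):
    """Oldest-first walk of Received:; first hop that is neither loopback nor
    a host inside the trusted domain, as (helo, rdns, ip)."""
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(hdr)
        if m and m.group(3) != "127.0.0.1" and not m.group(2).endswith("." + trusted):
            return m.groups()
    return None

def sender_mismatch(msg):
    """(From domain, Return-Path domain) when the two differ, else None."""
    dom = lambda h: parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
    return (dom("From"), dom("Return-Path")) if dom("From") != dom("Return-Path") else None

def repeated_urls(msg, min_count=3):
    """URLs that occur at least min_count times in the text body."""
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "ascii", "replace")
    return {u: n for u, n in Counter(URL_RE.findall(body)).items() if n >= min_count}

def triage(raw, trusted="cogeco.com"):
    msg = message_from_string(raw)
    return {"origin": originating_hop(msg, trusted), "sender_mismatch": sender_mismatch(msg),
            "repeated_urls": repeated_urls(msg)}
```

Running `triage(SAMPLE)` flags the 41.252.30.2 hop with no reverse DNS, the research-instruments.com envelope sender behind the cogeco.com display address, and the single open.zip link repeated fifty times.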