[nsp-sec] Two variations on the mail settings stuff - one on a Google Docs site

Bill Owens owens at nysernet.org
Thu May 13 12:57:22 EDT 2010


Two seemingly identical fraudulent emails. One - Canadian pharmacy spam. The other - a Windows .exe file, presumably malware (which I will be happy to submit for analysis, if someone will suggest where to do so).

Example one:

>Return-path: <misprintinggf677 at roundtheworld.com>
>Received: from KDDVETEVMG (unknown [182.0.204.159])
> by adelie.nysernet.org (Postfix) with ESMTP id 06C46590050	for
> <bill-tapr at owensfamily.org>; Wed, 12 May 2010 16:28:09 -0400 (EDT)
>Date: Thu, 13 May 2010 03:28:00 +0700
>From: "owensfamily.org support" <bill-tapr at owensfamily.org>
>Subject: setting for your mailbox bill-tapr at owensfamily.org are changed
>To: <bill-tapr at owensfamily.org>
>Message-id: <000d01caf211$9dc21ab0$6400a8c0 at misprintinggf677>
>
>SMTP and POP3 servers for bill-tapr at owensfamily.org mailbox are changed. Please carefully read the attached instructions before updating settings.
>
>http://www.futurefunk.co.uk/upload/21.html

That's a redirect to our friends from yesterday:
<meta http-equiv="refresh" content="0;url=http://saidmeek.com" />

and saidmeek.com is still the pharmacy page.

Example two:

>Return-path: <willfulb9 at rihard.com>
>Received: from PCOGBDN (unknown [115.131.195.10])
> by adelie.nysernet.org (Postfix) with ESMTP id 8A670590050	for
> <bill-tapr at owensfamily.org>; Thu, 13 May 2010 12:24:23 -0400 (EDT)
>Date: Fri, 14 May 2010 01:54:17 +0930
>From: "owensfamily.org support" <bill-tapr at owensfamily.org>
>Subject: setting for your mailbox bill-tapr at owensfamily.org are changed
>To: <bill-tapr at owensfamily.org>
>Message-id: <000d01caf2b8$bc233a50$6400a8c0 at willfulb9>
>
>SMTP and POP3 servers for bill-tapr at owensfamily.org mailbox are changed. Please carefully read the attached instructions before updating settings.
>
>https://docs.google.com/leaf?id=0BxwkuMlR0FFdMzY1NDE1ZDYtZDU4NS00YTYzLTlmM2EtMjQ1NzM3OGQwOWRm

This one points to a Google Docs page, containing a downloadable Windows executable file, setup.exe, 161792 bytes.

Bill.
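The two messages above share the same giveaways: a Return-path domain that does not match the displayed From, a From address that is the recipient's own, a HELO name that is not a real hostname, a link pointing outside the claimed sender domain, and (for the first one) a landing page that is nothing but a meta refresh. The script below is an added example, not code from Bill's post or from the nsp-security list; it re-parses the two quoted messages (copied from the post, with " at " restored to "@" and the folded Received header kept) and the quoted meta-refresh tag embedded as a constructed string, so it runs offline. The check names and thresholds are this example's own choices.

```python
"""Triage checks for the two "mailbox settings changed" messages quoted in the post.

Added example. Headers and bodies are copied from the post (constructed sample input,
" at " restored to "@"); REDIRECT_PAGE is the one-line <meta refresh> the post quotes.
"""
import email
import re
from email.utils import parseaddr

SAMPLE_ONE = """Return-path: <misprintinggf677@roundtheworld.com>
Received: from KDDVETEVMG (unknown [182.0.204.159])
 by adelie.nysernet.org (Postfix) with ESMTP id 06C46590050 for
 <bill-tapr@owensfamily.org>; Wed, 12 May 2010 16:28:09 -0400 (EDT)
Date: Thu, 13 May 2010 03:28:00 +0700
From: "owensfamily.org support" <bill-tapr@owensfamily.org>
Subject: setting for your mailbox bill-tapr@owensfamily.org are changed
To: <bill-tapr@owensfamily.org>
Message-id: <000d01caf211$9dc21ab0$6400a8c0@misprintinggf677>

SMTP and POP3 servers for bill-tapr@owensfamily.org mailbox are changed. Please carefully read the attached instructions before updating settings.

http://www.futurefunk.co.uk/upload/21.html
"""

SAMPLE_TWO = """Return-path: <willfulb9@rihard.com>
Received: from PCOGBDN (unknown [115.131.195.10])
 by adelie.nysernet.org (Postfix) with ESMTP id 8A670590050 for
 <bill-tapr@owensfamily.org>; Thu, 13 May 2010 12:24:23 -0400 (EDT)
Date: Fri, 14 May 2010 01:54:17 +0930
From: "owensfamily.org support" <bill-tapr@owensfamily.org>
Subject: setting for your mailbox bill-tapr@owensfamily.org are changed
To: <bill-tapr@owensfamily.org>
Message-id: <000d01caf2b8$bc233a50$6400a8c0@willfulb9>

SMTP and POP3 servers for bill-tapr@owensfamily.org mailbox are changed. Please carefully read the attached instructions before updating settings.

https://docs.google.com/leaf?id=0BxwkuMlR0FFdMzY1NDE1ZDYtZDU4NS00YTYzLTlmM2EtMjQ1NzM3OGQwOWRm
"""

# The redirect page quoted in the post, embedded so nothing is fetched from the network.
REDIRECT_PAGE = '<html><head><meta http-equiv="refresh" content="0;url=http://saidmeek.com" /></head></html>'

# "from <HELO name> (<rdns> [<ip>])" as Postfix writes it in the Received header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\([^\[]*\[([\d.]+)\]\)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']refresh["\'][^>]+content=["\']\s*\d+\s*;\s*url=([^"\'\s>]+)',
    re.I,
)


def domain_of(addr):
    """Lower-cased domain part of an address header value, or "" if there is none."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def host_of(url):
    """Host part of an http(s) URL, without scheme, path or port."""
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split(":")[0].lower()


def analyze(raw):
    """Parse one message and return the header facts plus a list of findings."""
    msg = email.message_from_string(raw)
    received = " ".join((msg["Received"] or "").split())  # unfold the header
    m = RECEIVED_RE.search(received)
    helo, ip = (m.group(1), m.group(2)) if m else ("", "")
    from_addr = parseaddr(msg["From"] or "")[1].lower()
    to_addr = parseaddr(msg["To"] or "")[1].lower()
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-path"])
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    urls = URL_RE.findall(body)

    findings = []
    if rp_dom and rp_dom != from_dom:
        findings.append(f"envelope sender domain {rp_dom} != From domain {from_dom}")
    if from_addr and from_addr == to_addr:
        findings.append("From address equals the recipient address")
    if helo and "." not in helo:
        findings.append(f"HELO name {helo!r} is not a fully qualified hostname")
    for u in urls:
        h = host_of(u)
        if h != from_dom and not h.endswith("." + from_dom):
            findings.append(f"link host {h} is outside the claimed sender domain {from_dom}")
    return {"helo": helo, "ip": ip, "from_domain": from_dom,
            "return_path_domain": rp_dom, "urls": urls, "findings": findings}


def meta_refresh_target(html):
    """Return the URL a <meta http-equiv=refresh> page forwards to, or None."""
    m = META_REFRESH_RE.search(html)
    return m.group(1) if m else None


if __name__ == "__main__":
    for name, raw in (("example one", SAMPLE_ONE), ("example two", SAMPLE_TWO)):
        r = analyze(raw)
        print(f"{name}: helo={r['helo']} ip={r['ip']} urls={r['urls']}")
        for f in r["findings"]:
            print("  -", f)
    print("example one landing page forwards to:", meta_refresh_target(REDIRECT_PAGE))
```

Only the header facts are decided locally; a real triage pipeline would follow up with a DNS/WHOIS lookup on the connecting IP and the link host, which this example deliberately does not do.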
