[nsp-sec] Two variations on the mail settings stuff - one on a Google Docs site

Peter Moody pmoody at google.com
Thu May 13 13:09:52 EDT 2010


ugh. I mean, ack.

On Thu, May 13, 2010 at 9:57 AM, Bill Owens <owens at nysernet.org> wrote:

> ----------- nsp-security Confidential --------
>
> Two seemingly identical fraudulent emails. One - Canadian pharmacy spam.
> The other - a Windows .exe file, presumably malware (which I will be happy
> to submit for analysis, if someone will suggest where to do so).
>
> Example one:
>
> >Return-path: <misprintinggf677 at roundtheworld.com>
> >Received: from KDDVETEVMG (unknown [182.0.204.159])
> > by adelie.nysernet.org (Postfix) with ESMTP id 06C46590050    for
> > <bill-tapr at owensfamily.org>; Wed, 12 May 2010 16:28:09 -0400 (EDT)
> >Date: Thu, 13 May 2010 03:28:00 +0700
> >From: "owensfamily.org support" <bill-tapr at owensfamily.org>
> >Subject: setting for your mailbox bill-tapr at owensfamily.org are changed
> >To: <bill-tapr at owensfamily.org>
> >Message-id: <000d01caf211$9dc21ab0$6400a8c0 at misprintinggf677>
> >
> >SMTP and POP3 servers for bill-tapr at owensfamily.org mailbox are changed. Please carefully read the attached instructions before updating settings.
> >
> >http://www.futurefunk.co.uk/upload/21.html
>
> That's a redirect to our friends from yesterday:
> <meta http-equiv="refresh" content="0;url=http://saidmeek.com" />
>
> and saidmeek.com is still the pharmacy page.
>
> Example two:
>
> >Return-path: <willfulb9 at rihard.com>
> >Received: from PCOGBDN (unknown [115.131.195.10])
> > by adelie.nysernet.org (Postfix) with ESMTP id 8A670590050    for
> > <bill-tapr at owensfamily.org>; Thu, 13 May 2010 12:24:23 -0400 (EDT)
> >Date: Fri, 14 May 2010 01:54:17 +0930
> >From: "owensfamily.org support" <bill-tapr at owensfamily.org>
> >Subject: setting for your mailbox bill-tapr at owensfamily.org are changed
> >To: <bill-tapr at owensfamily.org>
> >Message-id: <000d01caf2b8$bc233a50$6400a8c0 at willfulb9>
> >
> >SMTP and POP3 servers for bill-tapr at owensfamily.org mailbox are changed. Please carefully read the attached instructions before updating settings.
> >
> >https://docs.google.com/leaf?id=0BxwkuMlR0FFdMzY1NDE1ZDYtZDU4NS00YTYzLTlmM2EtMjQ1NzM3OGQwOWRm
>
> This one points to a Google Docs page, containing a downloadable Windows
> executable file, setup.exe, 161792 bytes.
>
> Bill.
>



-- 
Peter Moody      Google    1.650.253.7306
Network Security Engineer  pgp:0xC3410038


