[nsp-sec] Peter may have chased the "mailbox settings" folks off Google

Krista Hickey Krista.Hickey at cogeco.com
Thu May 13 14:05:56 EDT 2010


And yet another twist, this is live as of this moment,

Microsoft Mail Internet Headers Version 2.0
Received: from BUPWXMT1.cogeco.com ([10.1.1.241]) by BUPWXDB1.cogeco.com with Microsoft SMTPSVC(6.0.3790.3959);
	 Thu, 13 May 2010 13:33:28 -0400
Received: from bupnmail1.cogeco.com ([10.1.1.246]) by BUPWXMT1.cogeco.com with Microsoft SMTPSVC(6.0.3790.3959);
	 Thu, 13 May 2010 13:33:27 -0400
Received: from bupnmail1.cogeco.com (localhost.localdomain [127.0.0.1])
	by localhost (Email Security Appliance) with SMTP id F2E885644AD_BEC37E6B;
	Thu, 13 May 2010 17:33:26 +0000 (GMT)
Received: from host-93-124-75-82.dsl.sura.ru (host-93-124-75-82.dsl.sura.ru [93.124.75.82])
	by bupnmail1.cogeco.com (Sophos Email Appliance) with ESMTP id EB082564455_BEC37DCF;
	Thu, 13 May 2010 17:33:16 +0000 (GMT)
Message-ID: <000d01caf2c2$5d973bd0$6400a8c0 at reestablishingo55>
From: "iTunes Store" <customer.service at itunes.com>
To: <andre.marcoux at cogeco.com>
Subject: Thank you for buying iTunes Gift Certificate!
Date: Thu, 13 May 2010 21:33:14 +0300
MIME-Version: 1.0
Content-Type: text/plain;
	format=flowed;
	charset="iso-8859-1";
	reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Spam: Not detected
X-Sophos-ESA: [bupnmail1.cogeco.com] 3.5.0.3, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2010.5.13.172115
Return-Path: reestablishingo55 at reply.worthzone.com
X-OriginalArrivalTime: 13 May 2010 17:33:27.0334 (UTC) FILETIME=[6576C460:01CAF2C2]


> -----Original Message-----
> From: iTunes Store [mailto:customer.service at itunes.com]
> Sent: May-13-10 2:33 PM
> To: André Marcoux
> Subject: Thank you for buying iTunes Gift Certificate!
> 
> Hello!
> 
> You have received an iTunes Gift Certificate in the amount of $50.00
> 
> Then you need to open iTunes. Once you verify your account, $50.00 will
> be credited to your account, so you can start buying music, games,
> video right away.
> 
> https://docs.google.com/leaf?id=0BxwkuMlR0FFdODYyZTRiNjItMzE0OC00NmI4LT
> g4NDgtODQ3NjRhYjA1NTE1
> 
> iTunes Store.


-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Chris Morrow
Sent: May-13-10 10:33 AM
To: Krista Hickey
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] Peter may have chased the "mailbox settings" folks off Google

----------- nsp-security Confidential --------



Krista Hickey wrote:
> ----------- nsp-security Confidential --------
> 
> Yeah they're still coming in here albeit things have changed and it
> looks like today's sample is either going for 'if we repeat it enough
> they will click' methodology or someone's got some errors in their
> malware package - how it reads and is formatted below is exactly how
> it came in.

snip

> Received: from KOJEEIIF (unknown [41.252.30.2]) 

go nigeria! (snip)

> hxxp://sites.google.com/site/doorwaysss/open.zip


this was disabled when I got to it (now)... so maybe we're doing the
right thing already :)


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
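
Added example, not part of the original thread or the list's tooling: a small Python triage of the headers Krista posted, comparing the From domain with the Return-Path domain and finding the first public relay in the Received chain. The function names, finding labels, and the rDNS keyword list are assumptions made for this illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the message above (archive " at " obfuscation left in place).
SAMPLE = """\
Received: from bupnmail1.cogeco.com (localhost.localdomain [127.0.0.1])
\tby localhost (Email Security Appliance) with SMTP id F2E885644AD_BEC37E6B;
\tThu, 13 May 2010 17:33:26 +0000 (GMT)
Received: from host-93-124-75-82.dsl.sura.ru (host-93-124-75-82.dsl.sura.ru [93.124.75.82])
\tby bupnmail1.cogeco.com (Sophos Email Appliance) with ESMTP id EB082564455_BEC37DCF;
\tThu, 13 May 2010 17:33:16 +0000 (GMT)
From: "iTunes Store" <customer.service at itunes.com>
Return-Path: reestablishingo55 at reply.worthzone.com

"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Assumed keyword list for consumer-access rDNS names; tune for your own mail flow.
ACCESS_RE = re.compile(r"(^|[.-])(dsl|dyn|dynamic|pool|ppp|cable)([.-]|$)", re.I)

def domain(value):
    """Domain of an address header, undoing the archive's ' at ' obfuscation."""
    return parseaddr(value.replace(" at ", "@"))[1].rpartition("@")[2].lower()

def first_external_hop(msg):
    """Walk Received lines newest-first; return (name, ip) of the first public source."""
    for hop in msg.get_all("Received", []):
        for ip in IP_RE.findall(hop):
            try:
                public = ipaddress.ip_address(ip).is_global
            except ValueError:  # malformed literal such as [999.1.1.1]
                continue
            if public:  # this line was stamped by our own border MTA
                name = re.match(r"from\s+(\S+)", hop)
                return (name.group(1) if name else "", ip)
    return None

def triage(raw):
    msg = message_from_string(raw)
    findings = []
    frm, rpath = domain(msg.get("From", "")), domain(msg.get("Return-Path", ""))
    # Weak signal alone (bulk senders often differ), useful combined with the next one.
    if frm and rpath and rpath != frm and not rpath.endswith("." + frm):
        findings.append(f"envelope-mismatch:{frm}!={rpath}")
    hop = first_external_hop(msg)
    if hop and ACCESS_RE.search(hop[0]):
        findings.append(f"residential-relay:{hop[0]}[{hop[1]}]")
    return findings
```

Received lines below the first public hop are written by the sending side and can be forged, so the check stops at that hop.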



