Security Incidents mailing list archives
Curious "spam" (or broken viral payload)...
From: "Jay D. Dyson" <jdyson () treachery net>
Date: Wed, 8 Jan 2003 14:44:11 -0800 (PST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks,

I deal with despamming quite a bit, so I like to think I've seen it all by now. Even so, this one has me flummoxed.

The following e-mail (appended to the end of this note) arrived in my mailbox with a currently-popular spam subject ("New concept of giving for [userid]"). The body of the message was base64 encoded. So I did my ARIN lookup on the sender, began composing my complaint to the offending ISP, and then decoded the base64 content.

That's where I stopped on a dime. The message wasn't anything remotely resembling a pitch. In fact, it was a verbatim Apache error message (listed following the appended e-mail).

So, all things considered, am I:

1. looking at the output from a broken mail worm, or;
2. dealing with a second- or third-rate spammer who just doesn't know what the heck he's spewing out, or;
3. receiving an attempted spam mail through a broken web->mail gateway, or;
4. none of the above?

Right now I'm leaning toward the likelihood of item #3 since the mail headers have all the hallmarks of a spam message (forged From: data, contemporary spam subject, base64 encoding), but the content just throws me off. It's obviously not a sales pitch and, near as I can see, is a genuine Apache error report. I guess with the proliferation of viral and spam trickery with header data, the line between these two forms of unsolicited bulk e-mail has blurred.

As an aside, I went to the IP listed in the error and there is such a server at that IP and it is running the listed Apache version.

So what's the consensus? Anyone else seen this in their inbox?

- -Jay

- -----BEGIN ATTACHED MESSAGE-----
Return-Path: <Verenash () mail-online dk>
Delivered-To: [redacted]
Received: (qmail 7586 invoked from network); 8 Jan 2003 15:05:16 -0000
Received: from ca-yuccavalley2a-187.vnnyca.adelphia.net (HELO tboeokc) (68.66.228.187)
  by mail.treachery.net with SMTP; 8 Jan 2003 15:05:16 -0000
From: Freda Craig <Verenash () mail-online dk>
To: [redacted]
Subject: New concept of giving for [redacted]
Date: Wed, 08 Jan 2003 07:14:19 -0800
Content-Type: text/plain
Content-Transfer-Encoding: base64
Message-Id: <bclsobwt () mail-online dk>
Content-Length: 825

PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9JRVRGLy9EVEQgSFRNTCAyLjAvL0VOIj4NCjxI
VE1MPjxIRUFEPg0KPFRJVExFPjUwMCBJbnRlcm5hbCBTZXJ2ZXIgRXJyb3I8L1RJVExFPg0K
PC9IRUFEPjxCT0RZPg0KPEgxPkludGVybmFsIFNlcnZlciBFcnJvcjwvSDE+DQpUaGUgc2Vy
dmVyIGVuY291bnRlcmVkIGFuIGludGVybmFsIGVycm9yIG9yDQptaXNjb25maWd1cmF0aW9u
IGFuZCB3YXMgdW5hYmxlIHRvIGNvbXBsZXRlDQp5b3VyIHJlcXVlc3QuPFA+DQpQbGVhc2Ug
Y29udGFjdCB0aGUgc2VydmVyIGFkbWluaXN0cmF0b3IsDQogYXJyb0BhcnJvLnJ1IGFuZCBp
bmZvcm0gdGhlbSBvZiB0aGUgdGltZSB0aGUgZXJyb3Igb2NjdXJyZWQsDQphbmQgYW55dGhp
bmcgeW91IG1pZ2h0IGhhdmUgZG9uZSB0aGF0IG1heSBoYXZlDQpjYXVzZWQgdGhlIGVycm9y
LjxQPg0KTW9yZSBpbmZvcm1hdGlvbiBhYm91dCB0aGlzIGVycm9yIG1heSBiZSBhdmFpbGFi
bGUNCmluIHRoZSBzZXJ2ZXIgZXJyb3IgbG9nLjxQPg0KPEhSPg0KPEFERFJFU1M+QXBhY2hl
LzEuMy4yMCBTZXJ2ZXIgYXQgMjA5LjUxLjE0Mi4xNDAgUG9ydCA4MDwvQUREUkVTUz4NCjwv
Qk9EWT48L0hUTUw+DQo=
- ----- END ATTACHED MESSAGE -----

- -----BEGIN DECODED CONTENTS-----
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>500 Internal Server Error</TITLE>
</HEAD><BODY>
<H1>Internal Server Error</H1>
The server encountered an internal error or
misconfiguration and was unable to complete
your request.<P>
Please contact the server administrator,
 arro () arro ru and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.<P>
More information about this error may be available
in the server error log.<P>
<HR>
<ADDRESS>Apache/1.3.20 Server at 209.51.142.140 Port 80</ADDRESS>
</BODY></HTML>
- ----- END DECODED CONTENTS -----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE+HKm/TqL/+mXtpucRAjsqAJ9bNiXDx9hsD/Ac77wXHBItOE/8vACggO4S
thbW3lsscYSmzc559Nk8GJo=
=0rWN
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
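The decode-and-look step Jay describes, as an added example that is not part of the original post or of any SecurityFocus tooling: it parses the message, undoes the base64 Content-Transfer-Encoding, checks whether the body is a stock Apache error page rather than a pitch, and flags the three header "hallmarks" he lists (bare HELO name, From: domain that does not match the connecting host, plain text shipped as base64). The sample message is reconstructed from the headers and base64 body quoted above; the addresses are written with "@" instead of the archive's " () " form, the redacted recipient is replaced by a placeholder, and the qmail "Delivered-To" line is dropped.

```python
# Added example, not code from the original post. Python 3 stdlib only.
import email
import email.utils
import re

# Constructed fixture: headers and base64 body as quoted in the post,
# recipient replaced by a placeholder, addresses de-obfuscated.
SAMPLE_MESSAGE = """\
Return-Path: <Verenash@mail-online.dk>
Received: (qmail 7586 invoked from network); 8 Jan 2003 15:05:16 -0000
Received: from ca-yuccavalley2a-187.vnnyca.adelphia.net (HELO tboeokc) (68.66.228.187)
  by mail.treachery.net with SMTP; 8 Jan 2003 15:05:16 -0000
From: Freda Craig <Verenash@mail-online.dk>
To: recipient@example.invalid
Subject: New concept of giving for recipient
Date: Wed, 08 Jan 2003 07:14:19 -0800
Content-Type: text/plain
Content-Transfer-Encoding: base64
Message-Id: <bclsobwt@mail-online.dk>

PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9JRVRGLy9EVEQgSFRNTCAyLjAvL0VOIj4NCjxI
VE1MPjxIRUFEPg0KPFRJVExFPjUwMCBJbnRlcm5hbCBTZXJ2ZXIgRXJyb3I8L1RJVExFPg0K
PC9IRUFEPjxCT0RZPg0KPEgxPkludGVybmFsIFNlcnZlciBFcnJvcjwvSDE+DQpUaGUgc2Vy
dmVyIGVuY291bnRlcmVkIGFuIGludGVybmFsIGVycm9yIG9yDQptaXNjb25maWd1cmF0aW9u
IGFuZCB3YXMgdW5hYmxlIHRvIGNvbXBsZXRlDQp5b3VyIHJlcXVlc3QuPFA+DQpQbGVhc2Ug
Y29udGFjdCB0aGUgc2VydmVyIGFkbWluaXN0cmF0b3IsDQogYXJyb0BhcnJvLnJ1IGFuZCBp
bmZvcm0gdGhlbSBvZiB0aGUgdGltZSB0aGUgZXJyb3Igb2NjdXJyZWQsDQphbmQgYW55dGhp
bmcgeW91IG1pZ2h0IGhhdmUgZG9uZSB0aGF0IG1heSBoYXZlDQpjYXVzZWQgdGhlIGVycm9y
LjxQPg0KTW9yZSBpbmZvcm1hdGlvbiBhYm91dCB0aGlzIGVycm9yIG1heSBiZSBhdmFpbGFi
bGUNCmluIHRoZSBzZXJ2ZXIgZXJyb3IgbG9nLjxQPg0KPEhSPg0KPEFERFJFU1M+QXBhY2hl
LzEuMy4yMCBTZXJ2ZXIgYXQgMjA5LjUxLjE0Mi4xNDAgUG9ydCA4MDwvQUREUkVTUz4NCjwv
Qk9EWT48L0hUTUw+DQo=
"""

# qmail-style trace line: "from <rDNS> (HELO <name>) (<ip>) by ..."
RECEIVED_RE = re.compile(r"from (\S+) \(HELO (\S+)\) \((\d{1,3}(?:\.\d{1,3}){3})\)")
# Stock Apache 1.3 error page: numeric status in <TITLE>, server/host/port in <ADDRESS>.
TITLE_RE = re.compile(r"<TITLE>(\d{3}) ([^<]+)</TITLE>", re.I)
ADDRESS_RE = re.compile(r"<ADDRESS>(Apache/\S+) Server at (\S+) Port (\d+)</ADDRESS>", re.I)
ADMIN_RE = re.compile(r"administrator,\s*([\w.+-]+@[\w.-]+)")


def decode_body(raw: str) -> bytes:
    """Return the body with its Content-Transfer-Encoding (base64 here) undone."""
    msg = email.message_from_string(raw)
    body = msg.get_payload(decode=True)  # bytes for a single-part message
    return body if body is not None else b""


def parse_apache_error(body: bytes):
    """Fields of an Apache error page, or None if the body is not one."""
    text = body.decode("latin-1")
    title, addr = TITLE_RE.search(text), ADDRESS_RE.search(text)
    if not (title and addr):
        return None
    admin = ADMIN_RE.search(text)
    return {
        "status": int(title.group(1)),
        "reason": title.group(2).strip(),
        "server": addr.group(1),   # only what the server claims in its footer
        "host": addr.group(2),
        "port": int(addr.group(3)),
        "admin": admin.group(1) if admin else None,
    }


def spam_hallmarks(raw: str) -> list:
    """The header tells from the post: bare HELO, From: not matching sender, base64 text."""
    msg = email.message_from_string(raw)
    findings = []
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(received.split()))  # unfold continuation lines
        if not m:
            continue
        rdns, helo, ip = m.groups()
        if "." not in helo:
            findings.append(f"bare HELO name {helo!r} from {ip} ({rdns})")
        from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        if from_domain and rdns.lower() != from_domain and not rdns.lower().endswith("." + from_domain):
            findings.append(f"From: domain {from_domain} does not match sending host {rdns}")
        break  # only the trace line written by our own MTA is trustworthy
    if msg.get_content_type() == "text/plain" and msg.get("Content-Transfer-Encoding", "").lower() == "base64":
        findings.append("plain-text body shipped as base64")
    return findings


def analyze(raw: str) -> dict:
    """Decode the body and report both the error-page fields and the spam hallmarks."""
    return {"error_page": parse_apache_error(decode_body(raw)), "hallmarks": spam_hallmarks(raw)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_MESSAGE), indent=2))
```

The host and version in the <ADDRESS> footer are only what the page claims; as the post notes, confirming them means visiting the listed IP yourself. The hallmark checks deliberately read only the Received line that the local MTA wrote, since anything below it in the trace can be forged.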
Current thread:
- Curious "spam" (or broken viral payload)... Jay D. Dyson (Jan 08)
- Re: Curious "spam" (or broken viral payload)... Mark (Jan 09)
- Re: Curious "spam" (or broken viral payload)... GertJan Hagenaars (Jan 09)
- Re: Curious "spam" (or broken viral payload)... John Washington (Jan 21)