Security Incidents mailing list archives
Re: Curious "spam" (or broken viral payload)...
From: "Mark" <mark () uniontown com>
Date: Wed, 8 Jan 2003 20:39:06 -0500
My guess: A Spam "Distributor" has a deal where they will broadcast spam using dynamic content from a "paying customer". This "customer" is supposed to place the desired SPAM message on a web page where the mass spam distributor has a script that pulls off this desired content to be mailed nightly. The customer forgot to place the desired content online, which caused the mass spammer's script to accidentally obtain an Apache error page as the content, which was then spread.

Just a guess.

-Mark

----- Original Message -----
From: "Jay D. Dyson" <jdyson () treachery net>
To: "Incidents List" <incidents () securityfocus com>
Sent: Wednesday, January 08, 2003 5:44 PM
Subject: Curious "spam" (or broken viral payload)...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks,

I deal with despamming quite a bit, so I like to think I've seen it all by now. Even so, this one has me flummoxed.

The following e-mail (appended to the end of this note) arrived in my mailbox with a currently-popular spam subject ("New concept of giving for [userid]"). The body of the message was base64 encoded.

So I did my ARIN lookup on the sender, began composing my complaint to the offending ISP, and then decoded the base64 content. That's where I stopped on a dime.

The message wasn't anything remotely resembling a pitch. In fact, it was a verbatim Apache error message (listed following the appended e-mail).

So, all things considered, am I:

1. looking at the output from a broken mail worm, or;
2. dealing with a second- or third-rate spammer who just doesn't know what the heck he's spewing out, or;
3. receiving an attempted spam mail through a broken web->mail gateway, or;
4. none of the above?

Right now I'm leaning toward the likelihood of item #3 since the mail headers have all the hallmarks of a spam message (forged From: data, contemporary spam subject, base64 encoding), but the content just throws me off. It's obviously not a sales pitch and, near as I can see, is a genuine Apache error report.

I guess with the proliferation of viral and spam trickery with header data, the line between these two forms of unsolicited bulk e-mail has blurred.

As an aside, I went to the IP listed in the error and there is such a server at that IP and it is running the listed Apache version.

So what's the consensus? Anyone else seen this in their inbox?

- -Jay

- -----BEGIN ATTACHED MESSAGE-----
Return-Path: <Verenash () mail-online dk>
Delivered-To: [redacted]
Received: (qmail 7586 invoked from network); 8 Jan 2003 15:05:16 -0000
Received: from ca-yuccavalley2a-187.vnnyca.adelphia.net (HELO tboeokc)
  (68.66.228.187)
  by mail.treachery.net with SMTP; 8 Jan 2003 15:05:16 -0000
From: Freda Craig <Verenash () mail-online dk>
To: [redacted]
Subject: New concept of giving for [redacted]
Date: Wed, 08 Jan 2003 07:14:19 -0800
Content-Type: text/plain
Content-Transfer-Encoding: base64
Message-Id: <bclsobwt () mail-online dk>
Content-Length: 825

PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9JRVRGLy9EVEQgSFRNTCAyLjAvL0VOIj4NCjxI
VE1MPjxIRUFEPg0KPFRJVExFPjUwMCBJbnRlcm5hbCBTZXJ2ZXIgRXJyb3I8L1RJVExFPg0K
PC9IRUFEPjxCT0RZPg0KPEgxPkludGVybmFsIFNlcnZlciBFcnJvcjwvSDE+DQpUaGUgc2Vy
dmVyIGVuY291bnRlcmVkIGFuIGludGVybmFsIGVycm9yIG9yDQptaXNjb25maWd1cmF0aW9u
IGFuZCB3YXMgdW5hYmxlIHRvIGNvbXBsZXRlDQp5b3VyIHJlcXVlc3QuPFA+DQpQbGVhc2Ug
Y29udGFjdCB0aGUgc2VydmVyIGFkbWluaXN0cmF0b3IsDQogYXJyb0BhcnJvLnJ1IGFuZCBp
bmZvcm0gdGhlbSBvZiB0aGUgdGltZSB0aGUgZXJyb3Igb2NjdXJyZWQsDQphbmQgYW55dGhp
bmcgeW91IG1pZ2h0IGhhdmUgZG9uZSB0aGF0IG1heSBoYXZlDQpjYXVzZWQgdGhlIGVycm9y
LjxQPg0KTW9yZSBpbmZvcm1hdGlvbiBhYm91dCB0aGlzIGVycm9yIG1heSBiZSBhdmFpbGFi
bGUNCmluIHRoZSBzZXJ2ZXIgZXJyb3IgbG9nLjxQPg0KPEhSPg0KPEFERFJFU1M+QXBhY2hl
LzEuMy4yMCBTZXJ2ZXIgYXQgMjA5LjUxLjE0Mi4xNDAgUG9ydCA4MDwvQUREUkVTUz4NCjwv
Qk9EWT48L0hUTUw+DQo=
- ----- END ATTACHED MESSAGE -----

- -----BEGIN DECODED CONTENTS-----
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>500 Internal Server Error</TITLE>
</HEAD><BODY>
<H1>Internal Server Error</H1>
The server encountered an internal error or
misconfiguration and was unable to complete
your request.<P>
Please contact the server administrator,
 arro () arro ru and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.<P>
More information about this error may be available
in the server error log.<P>
<HR>
<ADDRESS>Apache/1.3.20 Server at 209.51.142.140 Port 80</ADDRESS>
</BODY></HTML>
- ----- END DECODED CONTENTS -----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE+HKm/TqL/+mXtpucRAjsqAJ9bNiXDx9hsD/Ac77wXHBItOE/8vACggO4S
thbW3lsscYSmzc559Nk8GJo=
=0rWN
-----END PGP SIGNATURE-----
--------------------------------------------------------------------------
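The triage Jay describes (read the hop headers, undo the base64 transfer encoding, then judge the body on its content rather than on its spam-shaped headers) as an added example; this is not code from either poster. The Received hop and the base64 body are copied from the quoted message above; because the archive redacts addresses, the From/To headers use example.invalid placeholders, and the regex names and the "apache_error_page" / "unknown" labels are this example's own conventions.

```python
"""Decode a base64 message body and recognise a stock Apache error page."""
import email
import re

# Constructed input: the Received hop and base64 body quoted in the post.
# From/To are placeholders (the archive redacts the real addresses).
RAW_MESSAGE = """\
Received: (qmail 7586 invoked from network); 8 Jan 2003 15:05:16 -0000
Received: from ca-yuccavalley2a-187.vnnyca.adelphia.net (HELO tboeokc)
  (68.66.228.187)
  by mail.treachery.net with SMTP; 8 Jan 2003 15:05:16 -0000
From: Freda Craig <sender@example.invalid>
To: recipient@example.invalid
Subject: New concept of giving for recipient
Date: Wed, 08 Jan 2003 07:14:19 -0800
Content-Type: text/plain
Content-Transfer-Encoding: base64

PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9JRVRGLy9EVEQgSFRNTCAyLjAvL0VOIj4NCjxI
VE1MPjxIRUFEPg0KPFRJVExFPjUwMCBJbnRlcm5hbCBTZXJ2ZXIgRXJyb3I8L1RJVExFPg0K
PC9IRUFEPjxCT0RZPg0KPEgxPkludGVybmFsIFNlcnZlciBFcnJvcjwvSDE+DQpUaGUgc2Vy
dmVyIGVuY291bnRlcmVkIGFuIGludGVybmFsIGVycm9yIG9yDQptaXNjb25maWd1cmF0aW9u
IGFuZCB3YXMgdW5hYmxlIHRvIGNvbXBsZXRlDQp5b3VyIHJlcXVlc3QuPFA+DQpQbGVhc2Ug
Y29udGFjdCB0aGUgc2VydmVyIGFkbWluaXN0cmF0b3IsDQogYXJyb0BhcnJvLnJ1IGFuZCBp
bmZvcm0gdGhlbSBvZiB0aGUgdGltZSB0aGUgZXJyb3Igb2NjdXJyZWQsDQphbmQgYW55dGhp
bmcgeW91IG1pZ2h0IGhhdmUgZG9uZSB0aGF0IG1heSBoYXZlDQpjYXVzZWQgdGhlIGVycm9y
LjxQPg0KTW9yZSBpbmZvcm1hdGlvbiBhYm91dCB0aGlzIGVycm9yIG1heSBiZSBhdmFpbGFi
bGUNCmluIHRoZSBzZXJ2ZXIgZXJyb3IgbG9nLjxQPg0KPEhSPg0KPEFERFJFU1M+QXBhY2hl
LzEuMy4yMCBTZXJ2ZXIgYXQgMjA5LjUxLjE0Mi4xNDAgUG9ydCA4MDwvQUREUkVTUz4NCjwv
Qk9EWT48L0hUTUw+DQo=
"""

# Hop line as written by the receiving MTA: rDNS name, HELO argument, peer IP.
RECEIVED_RE = re.compile(
    r"from (?P<rdns>\S+) \(HELO (?P<helo>[^)]+)\)\s*"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)")
TITLE_RE = re.compile(r"<TITLE>(?P<title>[^<]+)</TITLE>", re.I)
# The footer line Apache 1.3 puts on its built-in error documents.
APACHE_FOOTER_RE = re.compile(
    r"<ADDRESS>(?P<server>Apache/[\w.]+) Server at (?P<host>\S+) "
    r"Port (?P<port>\d+)</ADDRESS>", re.I)
ADMIN_RE = re.compile(r"server administrator,\s*(?P<admin>[^\s<]+)")


def decode_body(raw: str) -> str:
    """Return the body as text, honouring Content-Transfer-Encoding."""
    msg = email.message_from_string(raw)
    payload = msg.get_payload(decode=True)  # base64 / quoted-printable undone here
    if payload is None:  # multipart container: nothing to decode at this level
        return ""
    charset = msg.get_content_charset() or "latin-1"
    return payload.decode(charset, errors="replace")


def classify_body(text: str) -> dict:
    """Recognise a stock Apache error page; anything else is reported as unknown."""
    footer = APACHE_FOOTER_RE.search(text)
    title = TITLE_RE.search(text)
    if not (footer and title and "error" in title.group("title").lower()):
        return {"kind": "unknown"}
    info = {
        "kind": "apache_error_page",
        "title": title.group("title").strip(),
        "server": footer.group("server"),
        "host": footer.group("host"),
        "port": int(footer.group("port")),
    }
    admin = ADMIN_RE.search(text)
    if admin:
        info["admin"] = admin.group("admin")
    return info


def relay_info(raw: str) -> dict:
    """Pull the peer IP and HELO name from the first hop that records them."""
    msg = email.message_from_string(raw)
    for hop in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hop)
        if m:
            return {
                "rdns": m.group("rdns"),
                "helo": m.group("helo"),
                "ip": m.group("ip"),
                # A HELO name unrelated to the peer's rDNS is one of the
                # forged-header hallmarks the post lists.
                "helo_mismatch": m.group("helo") != m.group("rdns"),
            }
    return {}


def triage(raw: str) -> dict:
    """Decode first, judge second: the headers look like spam, the body decides."""
    return {"relay": relay_info(raw), "body": classify_body(decode_body(raw))}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(RAW_MESSAGE), indent=2))
```

Run as a script it prints the relay hop (peer 68.66.228.187, HELO tboeokc, which does not match the rDNS name) and the body classification (a 500 page from Apache/1.3.20 at 209.51.142.140 port 80, admin arro@arro.ru), which is exactly the split between spam-shaped headers and non-spam content that the post puzzles over. The body is decoded before any judgement is made; a filter that scored only on the base64 encoding and the Subject line would have classified this as a pitch and never noticed that the payload was a fetched error document.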
--
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com