Re: Curious "spam" (or broken viral payload)...

["Mark" <mark () uniontown com>]

My guess:

A Spam "Distributor" has a deal where they will broadcast spam using dynamic
content from a "paying customer".  This "customer" is supposed to place the
desired SPAM message on a web page where the mass spam distributor has a
script that pulls off this desired content to be mailed nightly.  The
customer forgot to place the desired content online, which caused the mass
spammer's script to accidentally obtain an Apache error page as the content,
which was then spread.

Just a guess.

-Mark


----- Original Message -----
From: "Jay D. Dyson" <jdyson () treachery net>
To: "Incidents List" <incidents () securityfocus com>
Sent: Wednesday, January 08, 2003 5:44 PM
Subject: Curious "spam" (or broken viral payload)...


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi folks,
>
> I deal with despamming quite a bit, so I like to think I've seen
> it all by now.  Even so, this one has me flummoxed.
>
> The following e-mail (appended to the end of this note) arrived in
> my mailbox with a currently-popular spam subject ("New concept of giving
> for [userid]").  The body of the message was base64 encoded.  So I did my
> ARIN lookup on the sender, began composing my complaint to the offending
> ISP, and then decoded the base64 content.
>
> That's where I stopped on a dime.  The message wasn't anything
> remotely resembling a pitch.  In fact, it was a verbatim Apache error
> message (listed following the appended e-mail).
>
> So, all things considered, am I:
>
> 1.  looking at the output from a broken mail worm, or;
> 2.  dealing with a second- or third-rate spammer who just doesn't
>     know what the heck he's spewing out, or;
> 3.  receiving an attempted spam mail through a broken web->mail
>     gateway, or;
> 4.  none of the above?
>
> Right now I'm leaning toward the likelihood of item #3 since the
> mail headers have all the hallmarks of a spam message (forged From: data,
> contemporary spam subject, base64 encoding), but the content just throws
> me off.  It's obviously not a sales pitch and, near as I can see, is a
> genuine Apache error report.  I guess with the proliferation of viral and
> spam trickery with header data, the line between these two forms of
> unsolicited bulk e-mail has blurred.
>
> As an aside, I went to the IP listed in the error and there is
> such a server at that IP and it is running the listed Apache version.
>
> So what's the consensus?  Anyone else seen this in their inbox?
>
> - -Jay
>
> - -----BEGIN ATTACHED MESSAGE-----
>
> Return-Path: <Verenash () mail-online dk>
> Delivered-To: [redacted]
> Received: (qmail 7586 invoked from network); 8 Jan 2003 15:05:16 -0000
> Received: from ca-yuccavalley2a-187.vnnyca.adelphia.net (HELO tboeokc)
(68.66.228.187)
>   by mail.treachery.net with SMTP; 8 Jan 2003 15:05:16 -0000
> From: Freda Craig <Verenash () mail-online dk>
> To: [redacted]
> Subject: New concept of giving for [redacted]
> Date: Wed, 08 Jan 2003 07:14:19 -0800
> Content-Type: text/plain
> Content-Transfer-Encoding: base64
> Message-Id: <bclsobwt () mail-online dk>
> Content-Length: 825
>
> PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9JRVRGLy9EVEQgSFRNTCAyLjAvL0VOIj4NCjxI
> VE1MPjxIRUFEPg0KPFRJVExFPjUwMCBJbnRlcm5hbCBTZXJ2ZXIgRXJyb3I8L1RJVExFPg0K
> PC9IRUFEPjxCT0RZPg0KPEgxPkludGVybmFsIFNlcnZlciBFcnJvcjwvSDE+DQpUaGUgc2Vy
> dmVyIGVuY291bnRlcmVkIGFuIGludGVybmFsIGVycm9yIG9yDQptaXNjb25maWd1cmF0aW9u
> IGFuZCB3YXMgdW5hYmxlIHRvIGNvbXBsZXRlDQp5b3VyIHJlcXVlc3QuPFA+DQpQbGVhc2Ug
> Y29udGFjdCB0aGUgc2VydmVyIGFkbWluaXN0cmF0b3IsDQogYXJyb0BhcnJvLnJ1IGFuZCBp
> bmZvcm0gdGhlbSBvZiB0aGUgdGltZSB0aGUgZXJyb3Igb2NjdXJyZWQsDQphbmQgYW55dGhp
> bmcgeW91IG1pZ2h0IGhhdmUgZG9uZSB0aGF0IG1heSBoYXZlDQpjYXVzZWQgdGhlIGVycm9y
> LjxQPg0KTW9yZSBpbmZvcm1hdGlvbiBhYm91dCB0aGlzIGVycm9yIG1heSBiZSBhdmFpbGFi
> bGUNCmluIHRoZSBzZXJ2ZXIgZXJyb3IgbG9nLjxQPg0KPEhSPg0KPEFERFJFU1M+QXBhY2hl
> LzEuMy4yMCBTZXJ2ZXIgYXQgMjA5LjUxLjE0Mi4xNDAgUG9ydCA4MDwvQUREUkVTUz4NCjwv
> Qk9EWT48L0hUTUw+DQo=
>
> - ----- END ATTACHED MESSAGE -----
>
>
> - -----BEGIN DECODED CONTENTS-----
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <HTML><HEAD>
> <TITLE>500 Internal Server Error</TITLE>
> </HEAD><BODY>
> <H1>Internal Server Error</H1>
> The server encountered an internal error or
> misconfiguration and was unable to complete
> your request.<P>
> Please contact the server administrator,
>  arro () arro ru and inform them of the time the error occurred,
> and anything you might have done that may have
> caused the error.<P>
> More information about this error may be available
> in the server error log.<P>
> <HR>
> <ADDRESS>Apache/1.3.20 Server at 209.51.142.140 Port 80</ADDRESS>
> </BODY></HTML>
>
> - ----- END DECODED CONTENTS -----
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (TreacherOS)
> Comment: See http://www.treachery.net/~jdyson/ for current keys.
>
> iD8DBQE+HKm/TqL/+mXtpucRAjsqAJ9bNiXDx9hsD/Ac77wXHBItOE/8vACggO4S
> thbW3lsscYSmzc559Nk8GJo=
> =0rWN
> -----END PGP SIGNATURE-----
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com