Greeting Card Idiots

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
This is really getting to be a lame joke - but for the past month, my ISP has been blocking attempt after attempt by dimwits all over the world trying to send me malware disguised as a greeting card from various unnamed sources. These are all auto deleted on the ISP server and never get to me. How stupid do these yo-yos think we are? They are all over the world - DE, ES, RU, and lots of .EDUs in the USA.

Anyone else see these?
 

montag451

Diamond Member
Dec 17, 2004
They are virii spread by pdf - a new invention.

Luckily for some, they are only able to infect computers with Adobe pdf creator (I think), so that discounts most home computers.
 

John

Moderator Emeritus | Elite Member
Oct 9, 1999
I get variants of these and the ones with a .pdf attached, heh. They are good for business! :)

-----Original Message-----
From: e-cards.com [mailto:oxrtb@friendlys.com]
Sent: Saturday, July 21, 2007 8:00 PM
To: John
Subject: You've received a greeting ecard from a Class mate!

Hi. Class mate has sent you a greeting ecard.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your
card's direct www address below while you are connected to the Internet:

http://76.80.234.224/?ad4eac80481465.........................

Or copy and paste it into your browser's "Location" box (where Internet
addresses go).

We hope you enjoy your awesome card.

Wishing you the best,
Mailer-Daemon,
e-cards.com
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
Yeah, John . . . I can see where this would be good for your business. It has become quite widespread, and there is an article on it in this morning's Cleveland Plain Dealer.

These potential threats are all being corralled by my ISP's Anti-Spam Anti Virus screen provided by Postini. I get to see the file names and senders in quarantine, then delete 'em.

The main clue is that legitimate e-cards will always say WHO the card is from - not the generic friend, classmate, neighbor, etc. I suppose there must be a lot of suckers out there.

I am inclined to start listing the perps that send them. Here is the list - I will add to it by edit:


I get about 5 of these a day now. The list will grow. :)
 

montag451

Diamond Member
Dec 17, 2004
Just let the spambots do their work.

Ah, sweet justice.
Do you think they will start spamming themselves?
 

FLegman

Member
Jul 26, 2007
LOL @ "Do you think they will start spamming themselves?". That will indeed be sweet and great fun, I guess.

@Corkyg: it's a good idea and initiative to create a list of the spamming addresses; however, I'm wondering if there is a kind of central database dealing in fighting spam, where to input this information so as to allow any user of such a system to automatically update his email client. Otherwise it will be a daily copy & paste for each and every one, I guess, at least for those who still find the will to combat.
 


mechBgon

Super Moderator | Elite Member
Oct 31, 1999
Originally posted by: corkyg

I am inclined to start listing the perps that send them. Here is the list - I will add to it by edit:

<email addresses removed>

I get about 5 of these a day now. The list will grow. :)

It's extremely common for the supposed sender's address to be spoofed, though.
 

mechBgon

Super Moderator | Elite Member
Oct 31, 1999
Originally posted by: corkyg
Yes, I realize that sender addresses can be spoofed - but the "spoofee" can then do something about it.
In practical terms, what do you expect the spoofee would do about a worldwide botnet of, say, 50,000 Spam bots that happen to have picked their address to spoof?
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
Originally posted by: mechBgon
In practical terms, what do you expect the spoofee would do about a worldwide botnet of, say, 50,000 Spam bots that happen to have picked their address to spoof?

BSOM! But it makes me feel good to post the names, and they may not be spoofs. I have added all the domains to my black list. Here's the latest accumulation:

 

mechBgon

Super Moderator | Elite Member
Oct 31, 1999
Originally posted by: corkyg
Originally posted by: mechBgon
In practical terms, what do you expect the spoofee would do about a worldwide botnet of, say, 50,000 Spam bots that happen to have picked their address to spoof?

BSOM! But it makes me feel good to post the names, and they may not be spoofs. I have added all the domains to my black list. Here's the latest accumulation:

<email addresses removed>

If those email addresses belong to innocent spoofees, it's not exactly a service to those people for you to post the addresses here for Spambots to harvest. If you want to strike back at the StormWorm/Peacom botmasters who are probably behind this setup, this isn't going to do it.

Also, if you get an email spoofed from the gmail.com domain, are you going to blacklist Gmail? Hotmail? Yahoo? Especially if the real source wasn't Gmail, Hotmail or Yahoo.


Just sayin'...
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
Yes, that might be true, but not in these instances. Postini allows me to examine all the headers and DNS/IP numbers. Those can be correlated with WHOIS.

As a matter of fact, I have blocked the yahoo domain. I have no personal contact that uses yahoo - only spammers. If I do have a friend with yahoo, hotmail, or gmail, I except them on a white list.

Note that the majority of these perps are offshore domains - I know no one in .de, .jp, .nz, or .it.

 

mechBgon

Super Moderator | Elite Member
Oct 31, 1999
And you know how to discern between spoofed headers and authentic ones, right?
 

jadinolf

Lifer
Oct 12, 1999
I changed my email address two days ago. Now they send MY SPAM emails into Cyberspace.
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
Originally posted by: mechBgon
And you know how to discern between spoofed headers and authentic ones, right?

You tell me . . .
-----------------------
"Envelope From:
Envelope To:
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; format=flowed; charset="Windows-1252"; reply-type=original
Date: Sat, 28 Jul 2007 09:27:20 -0500
From: "AmericanGreetings.Com"
MIME-Version: 1.0
Message-ID: <003001c7d123$684436f0$3ca4a8c6@fqno.psbt>
Received: from source ([75.120.157.83]) by exprod7mx53.postini.com ([64.18.6.14]) with SMTP; Sat, 28 Jul 2007 10:26:46 EDT
To:
X-Mailer: Microsoft Outlook Express 5.50.4133.2499
X-Mimeole: Produced By Microsoft MimeOLE V5.50.4133.2499
X-Msmail-Priority: Normal
X-PSTN-Addresses: from [3236/152]
X-PSTN-Disposition: quarantine
X-PSTN-Levels: (S: 0.00151/96.42684 R:95.9108 P:95.9108 M:94.9308 C:98.6951 )
X-PSTN-Settings: 5 (2.0000:2.0000) s gt3 gt2 gt1 r p m c
X-PSTN-Xfilter: y
X-Priority: 3
X-Pstnvirus: W32/Zhelatin.gen!eml
Date: Sat, 28 Jul 2007 09:27:20 -0500
From: duhv@lycos.com>
To: <corky@theriver.com>
Subject: You've received a greeting ecard from a Friend!


Hi. Friend has sent you a greeting ecard.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD


If your email software creates links to Web pages, click on your card's direct www address below while you are connected to the Internet:

hXXp://75.8.83.52/?8911e6c36a4bc955099675c500


Or copy and paste it into your browser's "Location" box (where Internet addresses go).

We hope you enjoy your awesome card.

Wishing you the best,
Administrator,
AmericanGreetings.Com"
-------------------
Now there is a new wrinkle. Invitations in PDF format. But, Postini traps all of 'em. It is very good.




 

mechBgon

Super Moderator | Elite Member
Oct 31, 1999
Please try not to post live hyperlinks to malware, k? ;) Fixed it for you. You might want to obscure your own email address too, so Spambots don't come by and sign you up for yet more Spam.

The header doesn't have enough info to tell whether it is an innocent party or a deliberate Spammer, btw. If you want to do some damage to the StormWorm guys who are behind all this, begin a "viral" campaign to get everyone you know to

1) secure and update their computers and avoid risk insofar as possible

2) never buy anything advertised by Spammers
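As an added illustration of the point about what a header can and cannot tell you (example code, not from the thread or from Postini), the Python below pulls out the one fact the quoted Postini header actually supports, the IP that connected to the quarantine server, alongside the indicators mentioned in this thread: a brand name in the display name on an unrelated From domain, a link to a bare IP instead of a hostname, a generic "Friend" sender, and the AV tag. The sample headers are a constructed cut-down of the message quoted above, with the recipient replaced by a placeholder and the link kept defanged.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the quarantined e-card quoted in the thread
# (recipient replaced by a placeholder, link kept defanged). Not the thread's code.
RAW = """\
Received: from source ([75.120.157.83]) by exprod7mx53.postini.com ([64.18.6.14]) with SMTP; Sat, 28 Jul 2007 10:26:46 EDT
From: "AmericanGreetings.Com" <duhv@lycos.com>
To: <recipient@example.invalid>
Subject: You've received a greeting ecard from a Friend!
X-PSTN-Disposition: quarantine
X-Pstnvirus: W32/Zhelatin.gen!eml
Content-Type: text/plain; charset="Windows-1252"

Hi. Friend has sent you a greeting ecard.
Click on your card's direct www address below:
hXXp://75.8.83.52/?8911e6c36a4bc955099675c500
"""

HOP_IP = re.compile(r"\(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")   # ([a.b.c.d]) in a Received line
BARE_IP_URL = re.compile(r"h(?:tt|xx)ps?://\d{1,3}(?:\.\d{1,3}){3}[/?:]", re.I)
GENERIC = re.compile(r"\b(friend|class ?mate|neighbou?r|colleague|family member)\b", re.I)
LOOKS_LIKE_DOMAIN = re.compile(r"[\w-]+(?:\.[\w-]+)+")

def triage(raw):
    """Return what the header proves plus the e-card indicators discussed in the thread."""
    msg = message_from_string(raw, policy=default)
    sender = msg["From"].addresses[0]
    from_domain, display = sender.domain.lower(), sender.display_name.lower()
    # The topmost Received line was written by the receiving (Postini) server, so the
    # bracketed IP in it is the only trustworthy fact: the host that connected to it.
    # From, Reply-To and Message-ID were all chosen by the sender and prove nothing,
    # so a hit here cannot tell an infected bot from an innocent spoofed address.
    hops = [m.group(1) for m in map(HOP_IP.search, msg.get_all("Received", [])) if m]
    body = msg.get_payload()
    findings = []
    if LOOKS_LIKE_DOMAIN.fullmatch(display) and display != from_domain:
        findings.append("display_name_domain_mismatch")   # brand name, unrelated sender domain
    if BARE_IP_URL.search(body):
        findings.append("bare_ip_link")                   # real card sites link by hostname
    if GENERIC.search(str(msg.get("Subject", "")) + body):
        findings.append("generic_sender")                 # no named sender, as noted above
    if msg["X-Pstnvirus"]:
        findings.append("av_tagged")
    return {"connecting_ip": hops[0] if hops else None, "hop_count": len(hops),
            "from_domain": from_domain, "findings": findings}
```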

 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
Very good points, Mech. I researched this one:

"196.205.193.123"

The message used a spoof address of "@cable.comcast.com". That is not really Comcast's domain - they are different. Anyway, the source IP address was in Cairo, Egypt, and belongs to a somewhat notorious persona in the spamming and malware world.

None of this stuff ever reaches me - it is all trapped at my ISP's server by their Postini system which I have set to "Most Aggressive."

Good point about securing and updating one's computer with the latest and greatest patches, etc. All the folks in my circle do that religiously every few days.

I am currently using AVG, and Vista's built in security - but again, it never gets tested because all the crap is quarantined by Postini at Nationwide.

I won't add any more names - but the discussion has been useful, IMHO. Good security evolves from awareness and common sense.

Thanks for the protective editing.
 

FLegman

Member
Jul 26, 2007
Greetings MechBgon,

Very interesting security tutorial, I find it very useful.
I would however like to know the impact of using software like Shadow User on top/in combination (with the recommendations in the Tutorial) or in a "stand alone" mode on the whole security strategy.

Thank you for your Tutorial and your support.
 

mechBgon

Super Moderator | Elite Member
Oct 31, 1999
Originally posted by: FLegman
Greetings MechBgon,

Very interesting security tutorial, I find it very useful.
I would however like to know the impact of using software like Shadow User on top/in combination (with the recommendations in the Tutorial) or in a "stand alone" mode on the whole security strategy.

Thank you for your Tutorial and your support.

That might be a good topic to post in Security as its own thread. I haven't used that type of software or researched it, but I think there are some people here who have :)

 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
Here's another good example of double spoofing. The message openly came from American Greeting Cards. The spoof sender was uxb@jesc.de - a German address. But here is what the IP address of the source revealed:
In other words, the real sender was in Morocco, North Africa.


 

RebateMonger

Elite Member
Dec 24, 2005
These are being sent by 'bots - people's computers taken over by malware and sending the SPAM without the knowledge of the PC's owner.

This is what happens when folks use the Internet without caring where they go and what they click on. Plus, they likely don't have up-to-date virus protection and spyware protection.
 
