Matt wrote:
Nick,
You're always trying to mess with me.
True. You are an easy target!
Since it appears that you want me to give my 2 cents, here it is.
Thanks for the analysis. All I could tell was it seemed strange.
-Nick
Definitely malware. I received a copy myself at about the same time
from a different host. The person is using hacked sites to not only
store the payload, but also do the mailings. This one was sent from
the host on a hacked site and linked to a file on another hacked
site. The copy that I received passed spam blocking, but my logs show
the same domain (probably are many more), but it came from a different
IP and the Mail From had tell-tale signs of being from a hacked site
([EMAIL PROTECTED]).
This is hard to filter with standard methods unless the pattern
doesn't change.
You should send a copy of your message to Sniffer, and maybe note the
submission to the Sniffer list, though I'm sure that Pete is seeing
this also.
Matt
Nick Hayer wrote:
What do you think?
I asked Matt and he said for me to try the link :)
-Nick
Received: from mx2.madriveraccess.com [12.152.254.14] by
mx1.vtbass.com with ESMTP
(SMTPD32-8.15) id A234DC20330; Fri, 20 Jan 2006 20:45:24 -0500
Received: from hugin5.snet.uvm.dk ([195.231.243.86]) by
mx2.madriveraccess.com with Microsoft SMTPSVC(6.0.3790.1830);
Fri, 20 Jan 2006 20:45:24 -0500
Received: from there (localhost [127.0.0.1])
by hugin5.snet.uvm.dk (AIX4.3/8.9.3p2/8.9.3) with SMTP id CAA167452
for [EMAIL PROTECTED]; Sat, 21 Jan 2006 02:45:20 +0100
Date: Sat, 21 Jan 2006 02:45:20 +0100
Message-Id: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [Possible Spam(high)]-new years pics
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 21 Jan 2006 01:45:24.0894 (UTC)
FILETIME=[591A7BE0:01C61E2C]
X-RBL-Warning: FILTER.FOREIGN: Message failed FILTER.FOREIGN test
(line 85, weight 0)
X-RBL-Warning: FILTER.WEBMAIL: Message failed FILTER.WEBMAIL test
(line 3, weight 2)
X-Note: RECIPIENTS: <[EMAIL PROTECTED]>
X-Note:========================
X-Note: This email was scanned for spam. [Details at
http://spamstats.madriveraccess.com]
X-Note: This email has been virus scanned by F-Prot,McAfee AV, and
ClamAV.
X-Note: Please send abuse reports to [EMAIL PROTECTED]
X-Country-Chain: DENMARK->UNITED STATES->destination
X-Hello: hugin5.snet.uvm.dk
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Sent from: [Revdns: hugin5.snet.uvm.dk] [RemoteHostDomain:
parrishillfarm.com] [IP: 195.231.243.86] [SenderHost: yahoo.com]
X-Note: Spam [v:2.0.6.16] tests: RHSBL.MAILPOLICE.WEBMAIL [0],
BITMASK.MPBL.FORGEDDOMAIN [4], FILTER.FOREIGN [0], FILTER.WEBMAIL
[2], FILTER.COMBO.FOREIGN [3], FILTER.COMBO.FORGED-DOMAIN [4]
X-Note: Total spam weight of this E-mail is 17.
X-Note: Scan time: 20:45:41 on 20 Jan 2006
X-Note: Queue name: D92340DC20330199F.SMD
X-Note:========================
i dont know how to attach them here, you can download at
http://finsage.com/newyears.scr
---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
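The header walk Matt describes above (first hop outside our own relays, Mail From domain that does not match the handing-off host, and a link to a .scr on yet another site), written out as an added example. This is not code from the original thread and not Declude's or Sniffer's code. The sample message is reconstructed from the headers posted above with the redacted addresses replaced by made-up ones; the trusted-relay list, the executable-extension list and the weights are assumptions for the example, chosen so the forged-domain weight matches the 4 the scanner on the page assigned.

```python
"""Triage a mail like the one in the thread: reconstruct the Received chain,
find the first hop a relay we trust accepted from the outside, compare the
envelope sender's domain with that host, and flag links to executables.
Added example, not part of the original thread or of Declude."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: the posted headers with made-up placeholder addresses
# (sender@yahoo.com mirrors the "SenderHost: yahoo.com" scanner note above).
SAMPLE = """\
Received: from mx2.madriveraccess.com [12.152.254.14] by
 mx1.vtbass.com with ESMTP
 (SMTPD32-8.15) id A234DC20330; Fri, 20 Jan 2006 20:45:24 -0500
Received: from hugin5.snet.uvm.dk ([195.231.243.86]) by
 mx2.madriveraccess.com with Microsoft SMTPSVC(6.0.3790.1830);
 Fri, 20 Jan 2006 20:45:24 -0500
Received: from there (localhost [127.0.0.1])
 by hugin5.snet.uvm.dk (AIX4.3/8.9.3p2/8.9.3) with SMTP id CAA167452
 for <victim@example.net>; Sat, 21 Jan 2006 02:45:20 +0100
Date: Sat, 21 Jan 2006 02:45:20 +0100
To: victim@example.net
Subject: new years pics
From: "sender" <sender@yahoo.com>
Return-Path: <sender@yahoo.com>
MIME-Version: 1.0
Content-Type: text/plain

i dont know how to attach them here, you can download at
http://finsage.com/newyears.scr
"""

# Assumptions for the example: relays we operate (only their Received lines are
# believed), extensions Windows runs on double-click, and finding weights.
TRUSTED_RELAYS = {"mx1.vtbass.com", "mx2.madriveraccess.com"}
EXEC_EXT = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs")
WEIGHTS = {"forged_domain": 4, "executable_link": 5, "offsite_payload": 3}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_received(msg):
    """Hops latest-first: from_host, the bracketed IP and the receiving host."""
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(raw.split())  # unfold the header
        frm = re.match(r"from\s+(\S+)", line)
        by = re.search(r"\bby\s+(\S+)", line)
        ip = IP_RE.search(line)
        hops.append({"from_host": frm.group(1) if frm else None,
                     "ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None})
    return hops


def origin_hop(hops, trusted=TRUSTED_RELAYS):
    """First hop a trusted relay logged from a public, non-trusted address.
    Stop as soon as the receiving host is not ours: anything below that line
    (here the 'from there (localhost)' hop) is the sender's own claim."""
    for hop in hops:
        if hop["by"] not in trusted or hop["ip"] is None:
            break
        if hop["from_host"] in trusted:
            continue  # relay-to-relay hop inside our infrastructure
        addr = ipaddress.ip_address(hop["ip"])
        if not (addr.is_private or addr.is_loopback):
            return hop
    return None


def reg_domain(host):
    """Crude registrable domain (last two labels); no public-suffix list here."""
    return ".".join((host or "").lower().rstrip(".").split(".")[-2:])


def executable_links(text):
    urls = [u.rstrip(".,;:)") for u in URL_RE.findall(text)]
    return [u for u in urls if urlsplit(u).path.lower().endswith(EXEC_EXT)]


def triage(raw):
    msg = message_from_string(raw)
    origin = origin_hop(parse_received(msg))
    origin_dom = reg_domain(origin["from_host"]) if origin else None
    sender = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1]
    sender_dom = reg_domain(sender.rpartition("@")[2])
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")
    links = executable_links(body)
    forged = origin is not None and origin_dom != sender_dom
    # payload hosted on a different site than the one that sent the mail
    offsite = [u for u in links
               if origin and reg_domain(urlsplit(u).hostname) != origin_dom]
    score = (WEIGHTS["forged_domain"] * forged
             + WEIGHTS["executable_link"] * bool(links)
             + WEIGHTS["offsite_payload"] * bool(offsite))
    return {"origin_ip": origin["ip"] if origin else None,
            "origin_host": origin["from_host"] if origin else None,
            "sender_domain": sender_dom, "forged_domain": forged,
            "executable_links": links, "offsite_payload": offsite,
            "score": score}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Two caveats. The forged-domain check fires on any site that sends on behalf of a webmail address, including legitimate forwarders, which is why it is weighted rather than treated as a reject on its own; the link to an executable is the stronger signal. And the origin is taken only from Received lines added by relays we run: the bottom line in the posted headers was written by the hacked host itself and says nothing we can rely on.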