We've seen enough that I sent out a warning to all users in my domain to delete. It seems that the source mail server is being spoofed as well as the source address. My analysis shows each e-mail having a separate source address coming from all over the US and Amsterdam; I didn't see any other countries represented. Tracing several messages from the time they come into the perimeter until they are ultimately delivered shows no attachments or links, just the numbers. I don't have the facilities to capture the messages intact as they come in to do a full reconstruction before they get to the mail defenses, so I would bow to a full byte-by-byte analysis to show that the messages are indeed "clean".

The only reasons I can think of for these e-mails are that either new malware is being field tested (zombies?), someone's probes have gone awry, or someone is building a list of valid e-mails. If you shotgun e-mails at a domain and remove any e-mail addresses that return an NDR, you are left with a list of addresses that have some confidence of being real.
Can someone check in who has been able to do a complete analysis of the mail?

-B-

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 06, 2006 1:44 AM
To: [email protected]
Subject: Strange mail with number in subject line and body

We have received a few strange emails (from Korea and France) which list a three character number in the subject line and a different three digit character number in the body, no attachments. The sender (from field) has been spoofed and displays the receiver's name (to field). I did a search on Google but could not find any further information. Has anyone seen these, or does anyone know where/why these emails are being received? Maybe an sdbot infection on a zombie PC?

------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29 - August 3 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 36 hands-on training courses and 10 conference tracks, networking opportunities with over 2,500 delegates from 40+ nations.

http://www.blackhat.com
------------------------------------------------------------------------------
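A mail filter could flag the pattern described in this thread (three-digit subject, a different three-digit body, no attachments or links, From matching To) along the lines below. This is an added example, not code from either poster; the function names, the three-digit regex and the sample messages with example.com addresses are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

NUM = re.compile(r"\d{3}")                 # assumption: exactly three digits, as reported
URL = re.compile(r"https?://|www\.", re.I)

def body_text(msg):
    """Return the first text/plain part that is not a named attachment."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""

def has_attachment(msg):
    """True if any MIME part carries a filename or an attachment disposition."""
    return any(p.get_filename() or p.get_content_disposition() == "attachment"
               for p in msg.walk())

def score_probe(raw):
    """Return (matches_pattern, signals) for one raw RFC 5322 message string."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    body = body_text(msg).strip()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    signals = {
        "numeric_subject": bool(NUM.fullmatch(subject)),
        "numeric_body": bool(NUM.fullmatch(body)),
        "numbers_differ": subject != body,
        "no_attachment": not has_attachment(msg),
        "no_links": not URL.search(body),
        # Reported by the original poster only; kept as a side signal because
        # the reply describes a separate source address on each message.
        "from_equals_to": bool(sender) and sender == rcpt,
    }
    core = ("numeric_subject", "numeric_body", "numbers_differ",
            "no_attachment", "no_links")
    return all(signals[k] for k in core), signals

# Constructed sample messages (not captured traffic).
SAMPLE_PROBE = ("From: alice@example.com\nTo: alice@example.com\n"
                "Subject: 417\n\n582\n")
SAMPLE_NORMAL = ("From: bob@example.org\nTo: alice@example.com\n"
                 "Subject: 417 invoices\n\nSee http://example.org/report\n")

if __name__ == "__main__":
    for name, raw in (("probe", SAMPLE_PROBE), ("normal", SAMPLE_NORMAL)):
        print(name, score_probe(raw))
```

Counting matches per sending IP and per recipient over a time window would help separate a list-building run, as suggested in the reply, from a one-off stray message.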
