Thanks for the info.. :)

============================

On Sun, Sep 27, 2009 at 7:05 AM, hard wyrd <[email protected]> wrote:

> Attack emails can be malware delivery, cross-site scripting attack (XSS),
> plain spam, or phishing.
>
> Just how do you identify an attack email?  Simple. Make sure to view the email
> message in its original format - the format that is being parsed by the SMTP
> servers. In the original view, we will see where the email message came
> from, which SMTP server sent it, which google servers certified and
> delivered it. Using this type of scrutiny, we will be certain that either
> the email message is valid, or it is an attack email.
>
> In Gmail, click on the pull down arrow beside the "Reply" link, then choose
> "Show original". You will see something like so:
>
> Delivered-To: [email protected]
> Received: by 10.100.173.4 with SMTP id v4cs172442ane;
>         Sat, 26 Sep 2009 14:36:25 -0700 (PDT)
> Received: by 10.210.96.1 with SMTP id t1mr1875666ebb.17.1254000984341;
>         Sat, 26 Sep 2009 14:36:24 -0700 (PDT)
> Return-Path: <[email protected]>
> Received: from out1.fundp.ac.be (out1.fundp.ac.be [138.48.4.135])
>         by mx.google.com with ESMTP id
> 1si2472743ewy.110.2009.09.26.14.36.23;
>         Sat, 26 Sep 2009 14:36:24 -0700 (PDT)
> Received-SPF: pass (google.com: domain of [email protected] 
> 138.48.4.135 as permitted sender) client-ip=138.48.4.135;
> Authentication-Results: mx.google.com; spf=pass (google.com: domain of
> [email protected] designates 138.48.4.135 as permitted sender)
> [email protected]
> Received: from webkot.fundp.ac.be (webkot.fundp.ac.be [138.48.182.50])
>     by out1.fundp.ac.be (8.13.1/8.13.1) with ESMTP id n8QLaH5h004646
>     for <[email protected]>; Sat, 26 Sep 2009 23:36:17 +0200
> Received: from localhost (webkot.fundp.ac.be [127.0.0.1])
>     by webkot.fundp.ac.be (Postfix) with ESMTP id 788FC6701CC
>     for <[email protected]>; Sat, 26 Sep 2009 23:36:17 +0200 (CEST)
> X-Virus-Scanned: amavisd-new at webkot.be
> X-Amavis-Alert: BAD HEADER SECTION, Improper use of control character (char
> 0D
>     hex): From: Microsoft Update <[email protected]>\r
> Received: from webkot.fundp.ac.be ([138.48.182.50])
>     by localhost (webkot.be [127.0.0.1]) (amavisd-new, port 10024)
>     with ESMTP id w5UwNEEEgEGp for <[email protected]>;
>     Sat, 26 Sep 2009 23:36:17 +0200 (CEST)
> Received: by webkot.fundp.ac.be (Postfix, from userid 81)
>     id 517796701CE; Sat, 26 Sep 2009 23:35:20 +0200 (CEST)
> To: [email protected]
> Subject: Please, update your computer !
> From: Microsoft Update <[email protected]>
> Reply-To:
> MIME-Version: 1.0
> Content-Type: text/html
> Content-Transfer-Encoding: 8bit
> Message-Id: <[email protected]>
> Date: Sat, 26 Sep 2009 23:35:20 +0200 (CEST)
> X-FUNDP-MailScanner-Information: Please contact the ISP for more
> information
> X-FUNDP-MailScanner: Found to be clean
> X-FUNDP-MailScanner-From: [email protected]
> X-Spam-Status: No
>
>
> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> <html>
> <head>
>
>   <meta content="text/html; charset=ISO-8859-1" http-equiv="content-type">
>   <title></title>
>
>
> </head>
> <body>
>
> <font color="#587edc" size="3"><b>We invite
> you to update your computer. </b></font><br>
>
> <br>
>
> To install the latest version of the browser, go to the site by
> clicking on the link below: <br>
>
> <a href="http://tinyurl.com/y8gr9u5";><br>
>
> http://update.microsoft.com/windowsupdate/computerno=25451511/ </a><font
> size="2"><br>
>
> <br>
>
> </font>Once the update download, follow these steps: <font size="2"><br>
>
> <ol>
>
>   <li>Look WindowsUpdate&nbsp; file, usually it is on the
> desktop after the download. </li>
>
>   <li>Double Click WindowsUpdate </li>
>
>   <li>Wait 2 minutes for the update is done and it's good</li>
>
> </ol>
>
> </font>
> </body>
> </html>
>
> This email claims that it came from Microsoft Windows Update. But looking
> at the mail header, it is farther from the truth.
>
> Delivered-To: [email protected]
> Received: by 10.100.173.4 with SMTP id v4cs172442ane;
>         Sat, 26 Sep 2009 14:36:25 -0700 (PDT)
> Received: by 10.210.96.1 with SMTP id t1mr1875666ebb.17.1254000984341;
>         Sat, 26 Sep 2009 14:36:24 -0700 (PDT)
> *Return-Path: <[email protected]>*
> *Received: from out1.fundp.ac.be (out1.fundp.ac.be [138.48.4.135])
>         by mx.google.com with ESMTP id
> 1si2472743ewy.110.2009.09.26.14.36.23;
>         Sat, 26 Sep 2009 14:36:24 -0700 (PDT)*
> Received-SPF: pass (google.com: domain of [email protected] 
> 138.48.4.135 as permitted sender) client-ip=138.48.4.135;
> Authentication-Results: mx.google.com; spf=pass (google.com: domain of
> [email protected] designates 138.48.4.135 as permitted sender)
> [email protected]
> *Received: from webkot.fundp.ac.be (webkot.fundp.ac.be [138.48.182.50])
>     by out1.fundp.ac.be (8.13.1/8.13.1) with ESMTP id n8QLaH5h004646
>     for <[email protected]>; Sat, 26 Sep 2009 23:36:17 +0200
> Received: from localhost (webkot.fundp.ac.be [127.0.0.1])
>     by webkot.fundp.ac.be (Postfix) with ESMTP id 788FC6701CC
>     for <[email protected]>; Sat, 26 Sep 2009 23:36:17 +0200 (CEST)*
> X-Virus-Scanned: amavisd-new at webkot.be
> X-Amavis-Alert: BAD HEADER SECTION, Improper use of control character (char
> 0D
>     hex): From: Microsoft Update <[email protected]>\r
> *Received: from webkot.fundp.ac.be ([138.48.182.50])
>     by localhost (webkot.be [127.0.0.1]) (amavisd-new, port 10024)
>     with ESMTP id w5UwNEEEgEGp for <[email protected]>;
>     Sat, 26 Sep 2009 23:36:17 +0200 (CEST)
> Received: by webkot.fundp.ac.be (Postfix, from userid 81)
>     id 517796701CE; Sat, 26 Sep 2009 23:35:20 +0200 (CEST)*
>
> So if I'm going to reply to this email, I'll most certainly either get
> to send email to the spammer/phisher/bot owner, or my reply email will be
> dropped/bounced provided that the SMTP server was a hacked node.
>
> Another thing to note is in the body of the email message.
>
> To install the latest version of the browser, go to the site by
> clicking on the link below: <br>
>
> *<a href="http://tinyurl.com/y8gr9u5";><br>*
>
> http://update.microsoft.com/windowsupdate/computerno=25451511/ </a><font
> size="2"><br>
>
> <br>
>
> Yes, the link doesn't point to a valid Microsoft website :). Most likely
> this will be either a dropper, or an XSS initiator.
>
> What can you do at this point in time? Do not click the link, delete the
> email immediately. If you are adventurous enough, you can trace where the
> server is. And if you are "crafty" enough, communicate with the "owner".
>
> That's it for this public service message. Good luck and stay safe!
>
>
>
>
> --
> Penguin, penguin, and more penguin.
>
> Believe that within the brain is a brain, and within it another brain, and
> so on and so forth.
>
>
> _________________________________________________
> Kagay-Anon Linux Users' Group (KLUG) Mailing List
> [email protected] (http://lists.linux.org.ph/mailman/listinfo/klug)
> Searchable Archives: http://archives.free.net.ph
>



-- 
==================
Mobile #: +63916-3338326
Telephone #:
  Iligan City: (+63)(63) 221-1122
  Cagayan de Oro City: (088) 350-7211

St. Michael's College (SA)
http://www.smciligan.edu.ph
[email protected]

http://www.kagayan.com
http://dev.kagayan.com
http://www.zabyer.org

CdeO webby:
- http://cdo.kagayan.com
- http://cagayandeoro.kagayan.com

-------
Got my Own Hacker Key:
v3sw3BHhw5ln2pr5OFPck3ma2u4MLw5XVm+5l5UCi5Ne4t3b5en5g5RaIs5MSr3p2
http://www.hackerkey.com

Registered Linux User: #439468
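The checks hard wyrd walks through by eye (read the Received chain from the bottom up, compare the claimed From: domain with the Return-Path and the SPF-checked domain, and notice that the visible link text names a Microsoft host while the href points elsewhere) can be scripted. The following is an added example, not code from the original post or from KLUG; it uses only the Python standard library and runs against a constructed sample message with example-domain hosts, not the message quoted above.

```python
"""Triage a raw e-mail the way the post describes: walk the Received
chain, compare the From: domain with the envelope sender and the
SPF-checked domain, and flag anchors whose visible text is a URL on a
different host than the href."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not the message from the list post): claims to be
# a vendor update, was injected locally on an unrelated relay, and the
# link text does not match the href.
SAMPLE = b"""Delivered-To: victim@example.net
Return-Path: <www-data@relay.campus-mail.example>
Received: from relay.campus-mail.example (relay.campus-mail.example [203.0.113.10])
        by mx.example.net with ESMTP id abc123;
        Sat, 26 Sep 2009 14:36:24 -0700 (PDT)
Received-SPF: pass (example.net: domain of www-data@relay.campus-mail.example designates 203.0.113.10 as permitted sender) client-ip=203.0.113.10;
Received: by relay.campus-mail.example (Postfix, from userid 81)
    id 0123456789AB; Sat, 26 Sep 2009 23:35:20 +0200 (CEST)
From: Vendor Update <update@vendor.example>
To: victim@example.net
Subject: Please, update your computer !
MIME-Version: 1.0
Content-Type: text/html

<html><body>
<a href="http://short.example/abc">http://update.vendor.example/windowsupdate/</a>
</body></html>
"""


def domain_of(addr):
    """Lower-cased domain of the first address found in a header value."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(addr or ""))
    return m.group(1).lower() if m else ""


def received_chain(msg):
    """Received: headers top-down; the last entry is the first hop (origin)."""
    return [" ".join(str(h).split()) for h in msg.get_all("Received", [])]


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Anchors whose visible text is a URL whose host differs from the href host."""
    p = _LinkCollector()
    p.feed(html)
    bad = []
    for href, text in p.links:
        if re.match(r"https?://", text):
            if urlparse(href).hostname != urlparse(text).hostname:
                bad.append((text, href))
    return bad


def triage(raw):
    """Return a list of human-readable findings for a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    findings = []
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From: domain {from_dom} != Return-Path domain {rp_dom}")
    spf_dom = domain_of(msg.get("Received-SPF", ""))  # domain SPF vouched for
    if spf_dom and from_dom and spf_dom != from_dom:
        findings.append(f"SPF checked {spf_dom}, not the From: domain {from_dom}")
    chain = received_chain(msg)
    origin = chain[-1] if chain else ""
    if origin and from_dom and from_dom not in origin:
        findings.append(f"first hop does not mention {from_dom}: {origin}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for text, href in mismatched_links(body.get_content()):
            findings.append(f"link text {text} but href {href}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print("-", f)
```

Each finding on its own is only a hint (mailing lists and forwarders legitimately produce From/Return-Path mismatches), but a message that trips all four is exactly the pattern the post describes, and the script makes the "Show original" check repeatable for a mailbox full of them.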