> Ron, is this a worm, or spam? That's an MSIE exploit, from what
> I can find on the web.
>
> If it's spam, we need to enhance our HTML parser to pick up
> the "data" attribute as a href. If that's the case, could you
> open a bug on bugzilla.SpamAssassin.org?

All of the samples I've captured make me think it's a worm that looks like spam, or else the worm somehow replaced some routines on infected Windows machines that the spammers are using.

When I sent the email, I actually meant to send it to the clamav list, because I suspected it was worm related, but didn't have any way to know for sure.

Even though it's a worm (I used lynx to go to the web site and see what gets retrieved -- it's a 'page.hta' with instructions to then execute some visual basic stuff), should a bug be opened anyway? Could spammers use this same object data method to pull down the text of their spam, even if they're not trying to execute code on your machine?

-ron
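
The parser change discussed in this thread, sketched as an added example (not part of the original messages and not SpamAssassin's code): a URI extractor that treats the "data" attribute of an object tag the same way it treats href and src, so the referenced host reaches the URI checks. The attribute list, function names and sample body are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that make a mail client link to or fetch a resource.
# ("object", "data") is the case raised in this thread.
URI_ATTRS = {
    ("a", "href"), ("area", "href"), ("img", "src"), ("iframe", "src"),
    ("embed", "src"), ("object", "data"), ("object", "codebase"),
}

class UriCollector(HTMLParser):
    """Collect (tag, attr, uri) for every URI-bearing attribute in an HTML part."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <OBJECT DATA=...>
        # matches the same table entry as <object data=...>.
        for name, value in attrs:
            if value and (tag, name) in URI_ATTRS:
                self.found.append((tag, name, value.strip()))

def extract_uris(html):
    """Return all (tag, attr, uri) hits in document order."""
    parser = UriCollector()
    parser.feed(html)
    parser.close()
    return parser.found

def remote_object_hosts(html):
    """Hosts that an <object data=...> with an http(s) URL would contact."""
    hosts = []
    for tag, attr, uri in extract_uris(html):
        parts = urlsplit(uri)
        if (tag, attr) == ("object", "data") and parts.scheme in ("http", "https"):
            hosts.append(parts.hostname)
    return hosts

# Constructed sample body, not one of the captured messages.
SAMPLE = """<html><body>
<p>Hello</p>
<OBJECT DATA="http://host.example/page.hta"></OBJECT>
<a href='http://shop.example/offer'>click</a>
</body></html>"""

if __name__ == "__main__":
    for hit in extract_uris(SAMPLE):
        print(hit)
    print("object data hosts:", remote_object_hosts(SAMPLE))
```

Reporting the object-data hosts separately lets a filter score them on their own, which also covers the case where the attribute is used only to pull down message text.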
