New submission from Izak Burger:
Hi all,
I received this abuse report from Hetzner. Basically someone used a
file attached on an issue to bounce people to a spam site for
buying... medication.
I've cleared out the contents of the file so that this will no longer
happen. The original file is in the roundup user's home directory,
file 291, in case anyone wants to see what was done, but it appears to
be a javascript attack. It seems that by adding "doc7.html" to the url
it has somehow tricked the tracker into serving the content with a
content type of html, which causes the browser to execute the
javascript, instead of displaying plain text as it should.
----- attachment -----
Return-path: <spamli...@spamlinks.blocklist.de>
Envelope-to: ab...@hetzner.de
Delivery-date: Fri, 18 Jan 2013 18:11:51 +0100
Received: from [46.252.24.141] (helo=j15757.servers.jiffybox.net)
by lms.your-server.de with esmtp (Exim 4.74)
(envelope-from <spamli...@spamlinks.blocklist.de>)
id 1TwFTr-0005pn-0y
for ab...@hetzner.de; Fri, 18 Jan 2013 18:11:51 +0100
Received: by j15757.servers.jiffybox.net (Postfix, from userid 0)
id B43322375; Fri, 18 Jan 2013 18:24:01 +0100 (CET)
To: ab...@hetzner.de
Subject: [NOREPLY][Blocklist-9095] Spam-Link at your service
X-PHP-Originating-Script: 0:reporting.php
From: Abuse-Team Blocklist.de <spamli...@spamlinks.blocklist.de>
Reply-To: spamli...@spamlinks.blocklist.de
X-Mailer: antiabusemailer
X-Arf: yes
X-Report-ID: 9095
MIME-Version: 1.0
Content-type: multipart/mixed;
boundary="81fd830c85363675edb98d2879916d8c"; charset=iso-8859-1
Message-Id: <20130118172401.b43322...@j15757.servers.jiffybox.net>
Date: Fri, 18 Jan 2013 18:24:01 +0100 (CET)
X-Virus-Scanned: Clear (ClamAV 0.97.5/16520/Fri Jan 18 16:15:26 2013)
X-Spam-Score: 1.3 (+)
Delivered-To: he1-ab...@hetzner.de
--81fd830c85363675edb98d2879916d8c
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=utf-8
Hello Abuse-Team,
your server with the IP: 46.4.197.70 is currently hosting a possible scam-site.
This site has reached an Blocklist-Spamscore of 3600. The concerning
site is following site:
http://psf.upfronthosting.co.za/roundup/meta/file291/doc7.html
Please check this site and do a cleanup if necessary. To resolve this
case, please visit
http://spamlinks.blocklist.de/resolve.php?case=190640713c8ae5259fc9ef68229059b026eda118bd5a083b0d27d1a4
You also can parse this mail with X-ARF tools that can be found at
http://www.x-arf.org/specification.html .
We found your address in the abusix abuse contact database at
http://abusix.com/global-reporting/abuse-contact-db . If this contact
is wrong, please inform i...@abusix.com about this.
Please do NOT reply at this email, use the contact form instead.
Regards,
Abuse-Team blocklist.de
http://www.blocklist.de/en/
--81fd830c85363675edb98d2879916d8c
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=utf-8; name="report.txt";
---
Reported-From: spamli...@spamlinks.blocklist.de
Category: fraud
Report-Type: scam
Service: http
Version: 0.1
User-Agent: V.A.L.O.R. 1.0
Date: Fri, 18 Jan 2013 18:24:01 +0100
Source-Type: uri
Source: http://psf.upfronthosting.co.za/roundup/meta/file291/doc7.html
Domain: psf.upfronthosting.co.za
Port: 80
Report-ID: 9...@spamlinks.blocklist.de
Schema-URL: http://www.x-arf.org/schema/fraud_0.1.3.json
Attachment: none
--81fd830c85363675edb98d2879916d8c
----------
messages: 2699
nosy: izak
status: unread
title: Abuse Message
_______________________________________________________
PSF Meta Tracker <metatrac...@psf.upfronthosting.co.za>
<http://psf.upfronthosting.co.za/roundup/meta/issue505>
_______________________________________________________
_______________________________________________
Tracker-discuss mailing list
Tracker-discuss@python.org
http://mail.python.org/mailman/listinfo/tracker-discuss
