RE: [suse-security] SPAM: This email confirms that you paid MICROBAZAR (sales@microbazaar.com) $175.85 USD using PayPal
Does anyone know what the story is behind these in my inbox?
-----Original Message----- From: PayPal [mailto:zjdzaoveykwuqz@mail15.com] Sent: Friday, September 09, 2005 2:57 PM To: suse-security@suse.com Subject: [suse-security] SPAM: This email confirms that you paid MICROBAZAR (sales@microbazaar.com) $175.85 USD using PayPal
wedding dress from mating ritual, over rattlesnake, and over turkey are what made America great!Any gypsy can take a peek at spider over, but it takes a real ribbon to inside lover.toward hockey player sell to dust bunny living with tomato.
Hello,
not yet. we'll have to lookout,
Flavius
Farmer, Alan wrote:
Does anyone know what the story is behind these in my inbox?
-----Original Message----- From: PayPal [mailto:zjdzaoveykwuqz@mail15.com] Sent: Friday, September 09, 2005 2:57 PM To: suse-security@suse.com Subject: [suse-security] SPAM: This email confirms that you paid MICROBAZAR (sales@microbazaar.com) $175.85 USD using PayPal
wedding dress from mating ritual, over rattlesnake, and over turkey are what made America great!Any gypsy can take a peek at spider over, but it takes a real ribbon to inside lover.toward hockey player sell to dust bunny living with tomato.
On Friday 09 September 2005 20.19, Flavius Porumb wrote:
Hello,
not yet. we'll have to lookout,
Flavius
Farmer, Alan wrote:
Does anyone know what the story is behind these in my inbox?
-----Original Message----- From: PayPal [mailto:zjdzaoveykwuqz@mail15.com] Sent: Friday, September 09, 2005 2:57 PM To: suse-security@suse.com Subject: [suse-security] SPAM: This email confirms that you paid MICROBAZAR (sales@microbazaar.com) $175.85 USD using PayPal
wedding dress from mating ritual, over rattlesnake, and over turkey are what made America great!Any gypsy can take a peek at spider over, but it takes a real ribbon to inside lover.toward hockey player sell to dust bunny living with tomato.
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
It's a test run for a spam attack probably. Seems like someone is trying out their brand new spam attack tool. (Same type of message, different sender.) I suspect we can look forward to several more of these kinds, and probably later loaded with links or viruses (aimed for the MS menace Outlook and Outlook Express). -- /Rikard --------------------------------------------------------------- Rikard Johnels email : rikard.j@rikjoh.com Web : http://www.rikjoh.com Mob : +46 (0)763 19 76 25 PGP : 0x461CEE56 ---------------------------------------------------------------
The Friday 2005-09-09 at 21:41 +0200, Rikard Johnels wrote:
It's a test run for a spam attack probably. Seems like someone is trying out their brand new spam attack tool. (Same type of message, different sender.) I suspect we can look forward to several more of these kinds, and probably later loaded with links or viruses (aimed for the MS menace Outlook and Outlook Express).
I think it is a standard spam, with a random text to confuse filters, and then an attachment that got filtered out and that was the real payload:
X-MIME-Notice: attachments may have been removed from this message
The "scary" part is that all those "from" addresses must be subscribed... -- Cheers, Carlos Robinson
Carlos E. R. wrote:
The Friday 2005-09-09 at 21:41 +0200, Rikard Johnels wrote:
It's a test run for a spam attack probably. Seems like someone is trying out their brand new spam attack tool. (Same type of message, different sender.) I suspect we can look forward to several more of these kinds, and probably later loaded with links or viruses (aimed for the MS menace Outlook and Outlook Express).
I think it is a standard spam, with a random text to confuse filters, and then an attachment that got filtered out and that was the real payload:
It's a ploy to deceive the gullible into thinking that an "alert" from eBay is legitimate. Right after I got this, I got a message from "eBay" telling me I had to log onto their website and update all my user info, or "eBay" would terminate my account within 24 hours. As I always do, I forwarded them to the real eBay abuse department, and got, as always, a return message thanking me for alerting them to a new scam. The shocking thing, to me, at least, is that there are enough fools in the world that fall for this sort of thing to make it worthwhile to the criminals who do this. John Perry
On Saturday 10 September 2005 02.00, Carlos E. R. wrote:
The Friday 2005-09-09 at 21:41 +0200, Rikard Johnels wrote:
It's a test run for a spam attack probably. Seems like someone is trying out their brand new spam attack tool. (Same type of message, different sender.) I suspect we can look forward to several more of these kinds, and probably later loaded with links or viruses (aimed for the MS menace Outlook and Outlook Express).
I think it is a standard spam, with a random text to confuse filters, and
then an attachment that got filtered out and that was the real payload:
X-MIME-Notice: attachments may have been removed from this message
The "scary" part is that all those "from" addresses must be subscribed...
-- Cheers, Carlos Robinson
Haven't bothered with checking the headers to see if the originating sender is a subscribed user or if this someone has managed to infiltrate the listserver some other way. As I was saying, the mail is a test run to be able to see if the mails get through to the list users. Thus "only" random, almost coherent texts. The next is probably some stupid "click here" link or something. Or even a virus/trojan aimed at MS. I have seen it a few times before.. :( -- /Rikard --------------------------------------------------------------- Rikard Johnels email : rikard.j@rikjoh.com Web : http://www.rikjoh.com Mob : +46 (0)763 19 76 25 PGP : 0x461CEE56 ---------------------------------------------------------------
On Saturday 10 September 2005 11:37, Rikard Johnels wrote:
Haven't bothered with checking the headers to see if the originating sender is a subscribed user
Only the envelope sender needs to be subscribed, and only the suse list admin can see that. The mail sent out to subscribers has all that info stripped out.
As I was saying, the mail is a test run to be able to see if the mails get through to the list users. Thus "only" random, almost coherent texts. The next is probably some stupid "click here" link or something. Or even a virus/trojan aimed at MS.
The random text is an old trick to get past antispam programs. My guess is that it originally had an attachment with some virus or whatever that they hoped the user would click. SUSE's list server of course strips off all attachments, so we never saw it. At least that's my uneducated guess
The Saturday 2005-09-10 at 11:51 +0200, Anders Johansson wrote:
On Saturday 10 September 2005 11:37, Rikard Johnels wrote:
Haven't bothered with checking the headers to see if the originating sender is a subscribed user
Only the envelope sender needs to be subscribed, and only the suse list admin can see that. The mail sent out to subscribers has all that info stripped out.
Correct. That "envelope from" user must be subscribed, but it can be an impostor (somebody posing as any of us).
As I was saying, the mail is a test run to be able to see if the mails get through to the list users. Thus "only" random, almost coherent texts. The next is probably some stupid "click here" link or something. Or even a virus/trojan aimed at MS.
The random text is an old trick to get past antispam programs. My guess is that it originally had an attachment with some virus or whatever that they hoped the user would click.
SUSE's list server of course strips off all attachments, so we never saw it.
That's what the header:
X-MIME-Notice: attachments may have been removed from this message
means.
At least that's my uneducated guess
Exactly what I said - being two of us, it is probably an educated guess ;-) -- Cheers, Carlos Robinson
On September Saturday 10 2005 8:14 am, Carlos E. R. wrote:
The Saturday 2005-09-10 at 11:51 +0200, Anders Johansson wrote:
On Saturday 10 September 2005 11:37, Rikard Johnels wrote:
Haven't bothered with checking the headers to see if the originating sender is a subscribed user
Only the envelope sender needs to be subscribed, and only the suse list admin can see that. The mail sent out to subscribers has all that info stripped out.
Correct. That "envelope from" user must be subscribed, but it can be an impostor (somebody posing as any of us).
As I was saying, the mail is a test run to be able to see if the mails get through to the list users. Thus "only" random, almost coherent texts. The next is probably some stupid "click here" link or something. Or even a virus/trojan aimed at MS.
The random text is an old trick to get past antispam programs. My guess is that it originally had an attachment with some virus or whatever that they hoped the user would click.
SUSE's list server of course strips off all attachments, so we never saw it.
That's what the header:
X-MIME-Notice: attachments may have been removed from this message
means.
<snip> FYI I have received a bunch of these lately.. they usually, but not always, have a *.gif attached. I suspect that is "the sleeper", either as a test to see if they can get thru, OR it contains something malicious in it. Makes it difficult for us right now, since my nephew is one of those Coasties (Coast Guardsmen) who is dealing w/ the mess in the Gulf .. They have been pulling up between 12 and 20 people a day, and that is just guys assigned to his group. So he keeps sending photos of the devastation, and since he is a windows user (tho considering getting rid of it..... , another of my "takeovers of MS desktops" projects.) Still, it can make it tough, since these folks are sending the types of messages in the OP email. After all, what about an email from a family member.. w/ an attachment that is jpg, png, gif etc. or even that claims to be an html page they are working on, and want you to look at. I usually send a phone message to ask if he sent a photo.. but that can get "tejus" (comic variant of tedious), and Expensive .. HE is not in my free group and is not technically in the States at all. So, although my phone can do international I'm betting that Cingular charges up the ying yang for the non Cingular connections.. OTH, one can actually do almost instant message exchanges w/ him when he's flying.. talk about how many "bars do you have?" His phone must have 20! ;-} Still, since he is a windows user at present.. I figure better to check, than click on one message/attachment his phone may be sending w/o him knowing... Soon tho.. -- j registered linux user #363029
The Saturday 2005-09-10 at 19:36 -0400, jfweber wrote:
I have received a bunch of these lately.. they usually, but not always, have a *.gif attached. I suspect that is "the sleeper", either as a test to see if they can get thru, OR it contains something malicious in it.
I usually check them with a mail program in a text console, like Pine: looking carefully at the headers I usually can learn if it is bona fide or not. Also, the SpamAssassin report helps, even if it was not classified as spam. Some graphic mail agents, like balsa, that are configured not to follow external links in html code, are pretty safe - although some holes have been reported in some image viewers, hopefully solved by now. -- Cheers, Carlos Robinson
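The header checks discussed in this thread, as an added example that is not part of any poster's message: a small triage with Python's standard `email` module that flags a brand name in the From display name over an unrelated address, an envelope sender that differs from From, and the list server's `X-MIME-Notice` header. The sample message, the `Return-Path` value, the `BRANDS` table and the `triage` helper are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message quoted in this thread; the
# Return-Path address and the body are placeholders, not real data.
SAMPLE = """\
Return-Path: <bounce@lists.example>
From: PayPal <zjdzaoveykwuqz@mail15.com>
To: suse-security@suse.com
Subject: This email confirms that you paid MICROBAZAR using PayPal
X-MIME-Notice: attachments may have been removed from this message

random filler text
"""

# Assumed mapping of brand names to the domains they really send from.
BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com"}

def domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw, brands=BRANDS):
    """Return header findings for one raw RFC 822 message (hypothetical helper)."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain(addr)
    # A display name borrowing a brand while the address is elsewhere.
    for brand, legit in brands.items():
        if brand in name.lower() and from_dom != legit \
                and not from_dom.endswith("." + legit):
            findings.append(f"display name claims {brand} but address is @{from_dom}")
    # Envelope sender vs. From: always differs on list mail, so informational.
    env_dom = domain(parseaddr(msg.get("Return-Path", ""))[1])
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope sender @{env_dom} differs from From @{from_dom}")
    # The list server's marker that a MIME part was stripped before delivery.
    if msg.get("X-MIME-Notice"):
        findings.append("X-MIME-Notice present: attachment removed upstream")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
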