[opensuse] Security related question about one spam mail I got.
I got one spam email, a phishing attempt. No doubts. However, it contains a 3 byte PDF file named index.pdf. What could be its purpose?

cer@Telcontar:~/tmp> hexdump -C index.pdf
00000000  ef bb bf                                          |...|
00000003
cer@Telcontar:~/tmp> file index.pdf
index.pdf: UTF-8 Unicode text, with no line terminators
cer@Telcontar:~/tmp>

--
Cheers
Carlos E. R.
(from 15.1 x86_64 at Telcontar)

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

On 01/03/2020 05:51 PM, Carlos E. R. wrote:
> I got one spam email, a phishing attempt. No doubts. However, it contains a 3 byte PDF file named index.pdf. What could be its purpose?
>
> cer@Telcontar:~/tmp> hexdump -C index.pdf
> 00000000  ef bb bf                                          |...|
> 00000003
> cer@Telcontar:~/tmp> file index.pdf
> index.pdf: UTF-8 Unicode text, with no line terminators
> cer@Telcontar:~/tmp>

The UTF-8 representation of the BOM is the (hexadecimal) byte sequence 0xEF,0xBB,0xBF

https://en.wikipedia.org/wiki/Byte_order_mark

--
David C. Rankin, J.D.,P.E.

On 04/01/2020 07.32, David C. Rankin wrote:
> On 01/03/2020 05:51 PM, Carlos E. R. wrote:
>> I got one spam email, a phishing attempt. No doubts. However, it
>> contains a 3 byte PDF file named index.pdf. What could be its
>> purpose?
>>
>> cer@Telcontar:~/tmp> hexdump -C index.pdf
>> 00000000  ef bb bf                                          |...|
>> 00000003
>> cer@Telcontar:~/tmp> file index.pdf
>> index.pdf: UTF-8 Unicode text, with no line terminators
>> cer@Telcontar:~/tmp>
>
> The UTF-8 representation of the BOM is the (hexadecimal) byte
> sequence 0xEF,0xBB,0xBF
>
> https://en.wikipedia.org/wiki/Byte_order_mark

No idea what char it would represent. Maybe it is an error, maybe the html source code needs to refer to the pdf file.

Just curiosity :-)

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)

Carlos E. R. wrote:
> On 04/01/2020 07.32, David C. Rankin wrote:
>> On 01/03/2020 05:51 PM, Carlos E. R. wrote:
>>> I got one spam email, a phishing attempt. No doubts. However, it
>>> contains a 3 byte PDF file named index.pdf. What could be its
>>> purpose?
>>>
>>> cer@Telcontar:~/tmp> hexdump -C index.pdf
>>> 00000000  ef bb bf                                          |...|
>>> 00000003
>>> cer@Telcontar:~/tmp> file index.pdf
>>> index.pdf: UTF-8 Unicode text, with no line terminators
>>> cer@Telcontar:~/tmp>
>>
>> The UTF-8 representation of the BOM is the (hexadecimal) byte
>> sequence 0xEF,0xBB,0xBF
>>
>> https://en.wikipedia.org/wiki/Byte_order_mark
>
> No idea what char it would represent. Maybe it is an error, maybe the html source code needs to refer to the pdf file.

It's just someone who screwed up.

--
Per Jessen, Zürich (4.8°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.

On 04/01/2020 14.46, Per Jessen wrote:
> Carlos E. R. wrote:
>> On 04/01/2020 07.32, David C. Rankin wrote:
>>> On 01/03/2020 05:51 PM, Carlos E. R. wrote:
> ...
>> No idea what char it would represent. Maybe it is an error,
>> maybe the html source code needs to refer to the pdf file.
>
> It's just someone who screwed up.

Ok! I'll leave it as that. :-)

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)

On 01/04/2020 12:13 PM, Carlos E. R. wrote:
> On 04/01/2020 14.46, Per Jessen wrote:
>> Carlos E. R. wrote:
>>> On 04/01/2020 07.32, David C. Rankin wrote:
>>>> On 01/03/2020 05:51 PM, Carlos E. R. wrote:
> ...
>>> No idea what char it would represent. Maybe it is an error,
>>> maybe the html source code needs to refer to the pdf file.
>>
>> It's just someone who screwed up.
>
> Ok! I'll leave it as that. :-)
>
> --
> Cheers / Saludos,
> Carlos E. R. (from 15.1 x86_64 at Telcontar)

It's like the genius opened the .pdf in Notepad and then saved it, Notepad wrote the byte order mark to the beginning of the file and then puked on the remaining binary, truncating the file to 3 bytes -- that being the BOM only.

(my best guess -- it's harmless)

--
David C. Rankin, J.D.,P.E.

On 05/01/2020 06.46, David C. Rankin wrote:
> On 01/04/2020 12:13 PM, Carlos E. R. wrote:
> It's like the genius opened the .pdf in Notepad and then saved it,
> notepad write the byte order mark to the beginning of the file and
> then puked on the remaining binary truncating the file to 3-bytes
> -- that being the BOM only.
>
> (my best guess -- it's harmless)

Possibly.

You see, I'm worried about PDFs in spam because there are known vulnerabilities, using javascript I suppose. At this size it is impossible, but I might not know something. So I asked :-)

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)

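Added example, not part of any message in this thread: the check done by hand above with hexdump and file, generalised to classify an attachment by its leading bytes and, when it really is a PDF, to count the name objects tied to script or auto-run actions. The function name, the shortlist of names and both sample inputs are constructed for this example.

```python
import codecs
import re

# Longest marks first: the UTF-32 LE BOM starts with the UTF-16 LE BOM.
BOMS = [(codecs.BOM_UTF32_LE, "UTF-32 LE"), (codecs.BOM_UTF32_BE, "UTF-32 BE"),
        (codecs.BOM_UTF8, "UTF-8"),
        (codecs.BOM_UTF16_LE, "UTF-16 LE"), (codecs.BOM_UTF16_BE, "UTF-16 BE")]
# PDF name objects a triage pass flags for a closer look (assumed shortlist).
ACTIVE_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch"]


def triage_attachment(data: bytes) -> dict:
    """Classify an attachment by its bytes, ignoring the file name."""
    bom, bom_len = next(((name, len(mark)) for mark, name in BOMS
                         if data.startswith(mark)), (None, 0))
    body = data[bom_len:]
    # Readers have tolerated junk before the header: search the first 1 KiB.
    is_pdf = b"%PDF-" in data[:1024]
    flagged = {}
    if is_pdf:
        for name in ACTIVE_NAMES:
            # Require a non-alphanumeric after the name so /JS skips /JSfoo.
            hits = re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", data)
            if hits:
                flagged[name.decode()] = len(hits)
        verdict = "pdf-active-content" if flagged else "pdf-no-flagged-names"
    elif bom and not body:
        verdict = "bom-only"  # the index.pdf case: a signature and nothing else
    else:
        verdict = "not-a-pdf"
    return {"size": len(data), "bom": bom, "is_pdf": is_pdf,
            "flagged": flagged, "verdict": verdict}


# Constructed samples: the three bytes from the hexdump in the thread, and a
# hand-written PDF fragment whose catalog points an open action at a script.
BOM_ONLY = bytes.fromhex("efbbbf")
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /S /JavaScript /JS (void 0;) >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, blob in (("index.pdf", BOM_ONLY), ("sample", SAMPLE_PDF)):
        print(label, triage_attachment(blob))
```

A zero count is not a clean bill for a real PDF: names can be written with #xx hex escapes and objects can sit inside compressed object streams, both of which a raw byte scan misses.
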
participants (3)
- Carlos E. R.
- David C. Rankin
- Per Jessen