Ahhh, it must be Christmas...

Stone
December 25th, 2012, 06:02 AM
I've gotten over 100 SPAM phishing attempts in the last day or so in the form of a notification of a package being held by USPS, FedEx, etc. Roughly half of these were intercepted by my spam filter and half were not. Included in the email was a link to a zipped .exe which I'm sure is nasty. Unlike most spam I get which originates at Google, this stuff is mostly from Comcast.

Have any of you noticed a similar barrage of this type of crap?

Is anybody interested in reversing the .exe to have a look at what it wants to do to you? That's way beyond my capabilities. If so, I'll put the ZIP where you can get it.

Chuck(G)
December 25th, 2012, 10:22 AM
All the time, Stone. My spam filter picks most of it up, but the occasional bit of malware makes it to the inbox.

Stone
December 25th, 2012, 10:32 AM
I'm not getting the normal influx these last few days. I'm getting over 100/day additional of the exact same message -- letter for letter, regarding a missed package delivery that is being held for me. Seems like a special Xmas Assault. :-) And I'm getting them at a variety of different addresses, about 15-20 addys.

NeXT
December 25th, 2012, 12:20 PM
Google mail does an INCREDIBLE job. I have not seen a piece of junk mail in my inbox for almost a year.

Stone
December 25th, 2012, 01:26 PM
Google mail does an INCREDIBLE job. I have not seen a piece of junk mail in my inbox for almost a year.

Too bad it's a one-way street. :-) Way more than half of the SPAM I get originates at Google even though, as previously mentioned, this current assault is mainly from Comcast.

Compgeke
December 25th, 2012, 01:44 PM
I haven't noticed any spam like that, but I have gotten around 12 "Your video has been approved by Youtube" spam messages that I don't even bother to open, just delete. All have made it to my spam folder however.

Chuck(G)
December 25th, 2012, 02:18 PM
Most of the Fedex phishing spam that I get has .docx files attached. Exe files are extraordinarily stupid as most mailservers reject them out of hand.

Ole Juul
December 25th, 2012, 02:33 PM
Google mail does an INCREDIBLE job.

I wholeheartedly agree. Most of the spam that I see on a forum that I administer, comes from Gmail. Google does a very good job at serving spammers. ;)


I have not seen a piece of junk mail in my inbox for almost a year.

Oh, that way around! That's different. :) I think that is the result of a well managed server. I don't get much spam either and haven't gotten extra recently. I even have a lot of e-mail addresses and some are published on the web. Since I hate missing e-mails, I set the filters to be very permissive and I rarely get even one spam a month. I'm using a professionally managed mail server and I think that is what is lacking at some services where users get a lot of spam. The providers just don't care, or perhaps are just incompetent at what is probably a demanding job. Paid for services have a vested interest in keeping their servers clean and off public spam block lists. Google, on the other hand, couldn't care less about what spews from their servers, choosing only to keep their intentional services desirable.

Stone
December 25th, 2012, 02:48 PM
Most of the Fedex phishing spam that I get has .docx files attached. Exe files are extraordinarily stupid as most mailservers reject them out of hand.

No attachment here... just a link to a ZIP file (with an EXE inside).

Chuck(G)
December 25th, 2012, 03:27 PM
No attachment here... just a link to a ZIP file (with an EXE inside).

Heck, if I don't recognize the address, I don't click. I have been getting a lot of Turkish-language SPAM lately; my wife seems to get a ton of Italian spam. Go figure--I don't think I've visited a Turkish web site in 10 years and I know my wife doesn't speak Italian...

Stone
December 25th, 2012, 03:48 PM
I have been getting a lot of Turkish-language SPAM lately; my wife seems to get a ton of Italian spam. Go figure--I don't think I've visited a Turkish web site in 10 years and I know my wife doesn't speak Italian...

I don't remember anyone ever accusing spammers of being intelligent. :-)

DOS lives on!!
December 25th, 2012, 04:49 PM
The spam filter for my regular email caught 22 spam messages today alone. Most of it was the same stuff I've received in faxes before. The infamous, "I'm from South Africa and have recently inherited a relative's fortune and would be ecstatic to give you a lump sum of it." It is annoying, but it gave a good laugh on this Christmas day.

Stone
December 25th, 2012, 05:07 PM
This is basically what I've gotten several hundred of in the past few days:


FedEx
Order: VGH-8129-5845777881
Order Date: Friday, 14 December 2012, 01:21 PM
Dear Customer,
Your parcel has arrived at the post office at December 20.Our courier
was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show
this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
FedEx 1995-2012


Obviously it's an outsourced design since FedEx doesn't call itself the post office and even the slobs there can compose a better note than this one.

The Trojan payload is in the d/l.

barythrin
December 25th, 2012, 06:13 PM
I've seen them but since they're painfully obvious malicious attempts it's not been much on my mind. I suppose, yes, it sucks that an innocent user could be tricked if they've never been educated on computer security or security awareness. There used to be sort of a security product challenge for vendors to think about. "Put your mother (or grandmother) on this machine on the internet. Now make it safe."

Wonder if your antivirus at least catches it for what it is (if you download the zip and scan it). Some of the unadvanced (exe) attached zips these days get by virus scanners by password protecting the zip with something simple that they mention on the email. It's unfortunate but that gets right past any mail AV scanner and it's up to the end user's system to detect the threat at that point.

Ole Juul
December 25th, 2012, 07:28 PM
"Put your mother (or grandmother) on this machine on the internet. Now make it safe."

I'd say "put your son (or grandson) on this machine". In my experience it's the under 30 crowd that follows the "click 'til you drop" philosophy. Older women tend to be able to read, and even listen. :)

Chuck(G)
December 25th, 2012, 08:21 PM
Yeah, the Fedex fakes have been flowing in, but not quite the same as yours:


From - Wed Oct 24 09:27:11 2012
X-Account-Key: account5
X-UIDL: O)3!!0BR"!',("!;c"!!
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Received: from pop.where.secureserver.net [72.167.82.11]
Received: (qmail 16482 invoked by uid 30297); 24 Oct 2012 09:49:39 -0000
Received: from unknown (HELO p3pismtp01-020.prod.phx3.secureserver.net) ([10.6.12.25])
(envelope-sender <vina@ravel.ufrj.br>)
by p3plsmtp10-06.prod.phx3.secureserver.net (qmail-1.03) with SMTP
X-IronPort-Anti-Spam-Result: AvplABW2h1CSpCBGWmdsb2JhbABED4NPgjaCM4I+hA2td4QIgQ MBFwwJBhYmAYIWMggiTyEZAgQpAgEBAQ4FBQMGAgILAwGGAoF8 AQEPAZlzhliHdFiEJoIwgSkDAYoEkTmBEgOOdIEghV8GhkAbiH mDFgJOggA
Received: from mailserver.ravel.ufrj.br (HELO ravel.ufrj.br) ([146.164.32.70])
by p3pismtp01-020.prod.phx3.secureserver.net with ESMTP; 24 Oct 2012 02:49:38 -0700
Received: from localhost (localhost.localdomain [127.0.0.1])
by ravel.ufrj.br (Postfix) with ESMTP id 31319DCC22;
Wed, 24 Oct 2012 06:43:02 -0200 (BRST)
X-Virus-Scanned: amavisd-new at ravel.ufrj.br
Received: from ravel.ufrj.br ([127.0.0.1])
by localhost (ravel.ufrj.br [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 8gZxZAONIw29; Wed, 24 Oct 2012 06:43:00 -0200 (BRST)
Received: from ravel.ufrj.br (ravel.ufrj.br [146.164.32.70])
by ravel.ufrj.br (Postfix) with ESMTP id 5E173DCB98;
Wed, 24 Oct 2012 06:42:55 -0200 (BRST)
Date: Wed, 24 Oct 2012 06:42:54 -0200 (BRST)
From: Fedex Compny <vina@ravel.ufrj.br>
Reply-To: c_fedex@yahoo.cn
Message-ID: <439974101.405462.1351068174198.JavaMail.root@ravel .ufrj.br>
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_405460_736005756.1351068174195"
X-Originating-IP: [115.241.64.172]
X-Mailer: Zimbra 7.2.0_GA_2669 (zclient/7.2.0_GA_2669)
To: undisclosed-recipients:;
X-Nonspam: None
X-UIDL: O)3!!0BR"!',("!;c"!!

------=_Part_405460_736005756.1351068174195
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit


------=_Part_405460_736005756.1351068174195
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document;
name="FEDEX PARCEL.docx"
Content-Disposition: attachment; filename="FEDEX PARCEL.docx"
Content-Transfer-Encoding: base64


Interesting thing is that it appears to have been sent from Brazil.

NeXT
December 25th, 2012, 08:33 PM
I wholeheartedly agree. Most of the spam that I see on a forum that I administer, comes from Gmail. Google does a very good job at serving spammers. ;)
Oh, that way around! That's different. :) I think that is the result of a well managed server. I don't get much spam either and haven't gotten extra recently. I even have a lot of e-mail addresses and some are published on the web. Since I hate missing e-mails, I set the filters to be very permissive and I rarely get even one spam a month. I'm using a professionally managed mail server and I think that is what is lacking at some services where users get a lot of spam. The providers just don't care, or perhaps are just incompetent at what is probably a demanding job. Paid for services have a vested interest in keeping their servers clean and off public spam block lists. Google, on the other hand, couldn't care less about what spews from their servers, choosing only to keep their intentional services desirable.

Filters are awesome. As the mail comes in the obvious spam is put in one folder, forum related messages like PMs and account resets go to another, work goes to another, CCtalk in another and the likes, with whatever else like craigslist replies and more time sensitive items directly dropping into the inbox folder. In the hotmail days I had to deal with 20+ messages per day, down to three or four average. Makes outlook sessions on dialup not rape the connection as the inbox updates.

Tor
December 26th, 2012, 05:11 AM
I wholeheartedly agree. Most of the spam that I see on a forum that I administer, comes from Gmail. Google does a very good job at serving spammers. ;)
Are you sure about that? It's not easy to spam through gmail's servers.. check the mail headers: Where did the spam originate from? It could be that the 'From:' address was simply set to a gmail account. I get lots of those, but they're not from gmail really.


I have been getting a lot of Turkish-language SPAM lately; my wife seems to get a ton of Italian spam. Go figure--I don't think I've visited a Turkish web site in 10 years and I know my wife doesn't speak Italian...

I'm envious.. :) I've received Turkish spam for at least ten years, and I don't speak Turkish. I speak some Italian though but I never get Italian spam! ;)

-Tor
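Tor's suggestion to check the mail headers, applied to the FedEx message Chuck(G) posted above. This is an added example, not code from the thread: the header block is copied from that post with the folding whitespace restored and the amavisd loopback hop and unrelated headers dropped, and the helper names (trace, origin, identity_flags) are my own.

```python
import email
import email.utils
import ipaddress
import re

# Headers from the FedEx message quoted above, folding whitespace restored, other headers dropped.
RAW_HEADERS = """\
Received: from pop.where.secureserver.net [72.167.82.11]
Received: (qmail 16482 invoked by uid 30297); 24 Oct 2012 09:49:39 -0000
Received: from unknown (HELO p3pismtp01-020.prod.phx3.secureserver.net) ([10.6.12.25])
  (envelope-sender <vina@ravel.ufrj.br>)
  by p3plsmtp10-06.prod.phx3.secureserver.net (qmail-1.03) with SMTP
Received: from mailserver.ravel.ufrj.br (HELO ravel.ufrj.br) ([146.164.32.70])
  by p3pismtp01-020.prod.phx3.secureserver.net with ESMTP; 24 Oct 2012 02:49:38 -0700
Received: from localhost (localhost.localdomain [127.0.0.1])
  by ravel.ufrj.br (Postfix) with ESMTP id 31319DCC22;
  Wed, 24 Oct 2012 06:43:02 -0200 (BRST)
Received: from ravel.ufrj.br (ravel.ufrj.br [146.164.32.70])
  by ravel.ufrj.br (Postfix) with ESMTP id 5E173DCB98;
  Wed, 24 Oct 2012 06:42:55 -0200 (BRST)
From: Fedex Compny <vina@ravel.ufrj.br>
Reply-To: c_fedex@yahoo.cn
X-Originating-IP: [115.241.64.172]
To: undisclosed-recipients:;
"""

# "from <claimed-name> ... [<peer-ip>]": the name is what the peer said in HELO,
# the bracketed IP is what the receiving server actually saw on the socket.
FROM_RE = re.compile(r"\bfrom\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def trace(raw):
    """Received: hops oldest-first (each server prepends, so header order is newest-first)."""
    hops = []
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        m = FROM_RE.search(re.sub(r"\s+", " ", value))   # unfold, then parse
        if not m:
            continue                                      # local step, no network peer
        ip = ipaddress.ip_address(m.group(2))
        hops.append({"claimed": m.group(1), "ip": str(ip),
                     "internal": ip.is_private or ip.is_loopback or ip.is_link_local})
    return hops


def origin(raw):
    """Oldest hop with a routable peer: the server that injected the message.
    Only hops written by servers you trust are reliable; older ones can be forged."""
    return next((h for h in trace(raw) if not h["internal"]), None)


def identity_flags(raw):
    """Reply-To on a different domain than From is how a lure harvests replies;
    X-Originating-IP, when a webmail client adds it, is the submitting client."""
    msg = email.message_from_string(raw)
    from_dom = email.utils.parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    reply_dom = email.utils.parseaddr(msg.get("Reply-To", ""))[1].rsplit("@", 1)[-1]
    m = IPV4_RE.search(msg.get("X-Originating-IP", ""))
    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "reply_to_differs": bool(reply_dom) and reply_dom != from_dom,
            "client_ip": m.group(0) if m else None}


if __name__ == "__main__":
    print(origin(RAW_HEADERS), identity_flags(RAW_HEADERS))
```

For this message the chain bottoms out at ravel.ufrj.br (146.164.32.70), which is where the "sent from Brazil" observation comes from, while the Reply-To points at an unrelated yahoo.cn address.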

Stone
December 26th, 2012, 05:27 AM
Are you sure about that? It's not easy to spam through gmail's servers.. check the mail headers: Where did the spam originate from? It could be that the 'From:' address was simply set to a gmail account. I get lots of those, but they're not from gmail really.

Yes, it's definitely from Google. Here's a sample of some of my Spamcop reports:


Report History:

Submitted: Monday, December 03, 2012 9:20:42 PM -0500:
here

5887303859 (http://www.vintage-computer.com/mcgi?action=gettrack&reportid=5887303859) ( 209.85.223.182 ) To: abuse@google.com

Submitted: Monday, December 03, 2012 9:20:41 PM -0500:
here

5887308372 (http://www.vintage-computer.com/mcgi?action=gettrack&reportid=5887308372) ( 209.85.223.182 ) To: abuse@google.com

Submitted: Monday, December 03, 2012 9:20:13 PM -0500:
here

5887302761 (http://www.vintage-computer.com/mcgi?action=gettrack&reportid=5887302761) ( 209.85.223.182 ) To: abuse@google.com

Submitted: Sunday, December 02, 2012 6:56:02 AM -0500:
ATM Notice.....

5886754838 (http://www.vintage-computer.com/mcgi?action=gettrack&reportid=5886754838) ( 209.85.210.172 ) To: abuse@google.com

Submitted: Sunday, December 02, 2012 6:56:00 AM -0500:
ATM Notice.....

5886749562 (http://www.vintage-computer.com/mcgi?action=gettrack&reportid=5886749562) ( 209.85.210.172 ) To: abuse@google.com

Submitted: Sunday, December 02, 2012 6:55:28 AM -0500:
ATM Notice.....

5886748239 (http://www.vintage-computer.com/mcgi?action=gettrack&reportid=5886748239) ( 209.85.210.172 ) To: abuse@google.com

Submitted: Thursday, November 29, 2012 4:01:30 PM -0500:
Respond

5886126209 (http://www.vintage-computer.com/mcgi?action=gettrack&reportid=5886126209) ( 209.85.210.181 ) To: abuse@google.com

Submitted: Thursday, November 29, 2012 4:01:27 PM -0500:
Respond

5886134982 (http://www.vintage-computer.com/mcgi?action=gettrack&reportid=5886134982) ( 209.85.210.181 ) To: abuse@google.com

Submitted: Thursday, November 29, 2012 4:01:25 PM -0500:
Respond

5886130945 (http://www.vintage-computer.com/mcgi?action=gettrack&reportid=5886130945) ( 209.85.210.181 ) To: abuse@google.com

Submitted: Thursday, November 29, 2012 6:25:23 AM -0500:
FWD: hey dave

5885899206 (http://www.vintage-computer.com/sc?track=http%3A%2F%2Ft.co%2FT0RcECPt) ( http://t.co/T0RcECPt ) To: tcoabuse@twitter.com
5885899205 (http://www.vintage-computer.com/mcgi?action=gettrack&reportid=5885899205) ( 77.121.52.144 ) To: abuse@volia.net
5885899204 (http://www.vintage-computer.com/mcgi?action=gettrack&reportid=5885899204) ( 77.121.52.144 ) To: abuse@crimea.volia.ua
5885899203 (http://www.vintage-computer.com/mcgi?action=gettrack&reportid=5885899203) ( 77.121.52.144 ) To: noc@crimea.volia.ua
5885899202 (http://www.vintage-computer.com/mcgi?action=gettrack&reportid=5885899202) ( 65.55.116.7 ) To: report_spam@hotmail.com
Although, I must admit, Comcast is coming up to and possibly surpassing Google lately.

barythrin
December 26th, 2012, 08:29 AM
I forget how nice it was to route my incoming mail through my own mail server. Spamassassin was great and using procmail rules it was easy to block new spam for the stuff the commercial products missed.

Ole Juul
December 26th, 2012, 01:10 PM
Are you sure about that? It's not easy to spam through gmail's servers.. check the mailheaders: Where did the spam originate from? It could be that the 'From:' address was simply set to a gmail account. I get lots of those, but they're not from gmail really.
That's a good point. Unfortunately these are forum registrations so I don't have any mail headers. However, to add weight to your comment, I have also noticed that most of the spam did come from China or Russia. I've blocked large swaths of IP addresses from that part of the world with some success.

Nevertheless, Gmail, Yahoo, and Hotmail, have become the major addresses given. It is possible that they are bogus, but putting a block on just those domains stops the spam almost entirely. I think it would be worthwhile if we all blocked those domains.

I'm against the use of free e-mail servers. They have always made the internet landscape a worse place. It's too bad that there are so many otherwise good people who buy into the G-mail ecosystem. I can't fight that, but if they were blocked a lot, perhaps they would eventually learn and get a real e-mail address. Most ISPs and hosting companies offer managed e-mail servers and there are quite a few services, either built off that, or standalone, who offer permanent e-mail addresses and don't allow spam to be sent from their systems - unlike the "big three" mentioned above who seem to specialize in that particular service.

Stone
December 26th, 2012, 01:20 PM
SpamCop resolves the spoofed addys and reveals them so if you're ever in doubt as to the origin of an email you can take it there.

Tor
December 26th, 2012, 02:22 PM
That's a good point. Unfortunately these are forum registrations so I don't have any mail headers.

Ah, forum spam. Yes, I see that a lot (I moderate another forum). They register with a gmail address, because the forum requires email verification and I've already blocked most of the disposable address domains. The IP addresses they post from though show that they are mostly in certain Asian countries. After blocking those disposable-address domains and tons of IP ranges the spam has slowed down quite a lot, but obviously I see more of the gmail, yahoo and other addresses now - they don't get to register with disposable addresses anymore. But that's just the registration part, it has nothing to do with what happens after.



Nevertheless, Gmail, Yahoo, and Hotmail, have become the major addresses given. It is possible that they are bogus, but putting a block on just those domains stops the spam almost entirely. I think it would be worthwhile if we all blocked those domains.

I'm against the use of free e-mail servers. They have always made the internet landscape a worse place. It's too bad that there are so many otherwise good people who buy into the G-mail ecosystem. I can't fight that, but if they were blocked a lot, perhaps they would eventually learn and get a real e-mail address. Most ISPs and hosting companies offer managed e-mail servers and there are quite a few services, either built off that, or standalone, who offer permanent e-mail addresses and don't allow spam to be sent from their systems - unlike the "big three" mentioned above who seem to specialize in that particular service.
I disagree with you there though. I'm fiercely against Facebook and those kind of "services", and I don't use google+ either, but IMO and experience the time when it was possible to manage email on a corporate server has passed. I know no solution which can handle the amount of email I'm getting these days, except gmail. I use our corporate email servers for the limited range of work email I have to handle, but the tens of thousands of emails I have archived at this point simply cannot be handled by the corporate solutions. I use the latter for all things needing confidentiality, but all my mailing list subscriptions and the like I must manage with gmail, there just isn't any other way. Just a single mailing list like the Git developer and user list is up to a hundred emails a day. The Classic Computer lists.. other developer lists.. it goes on and on. I use gmail for that, and for everything needing tons of space.

The price for having readily available gmail accounts is that spammers will also use them. I think it's a reasonably acceptable price, considering that forum spam can be managed by IP source filtering and use of services like stopforumspam.com, and email spam is extremely well filtered by gmail when you use your own gmail account (as was said in the posting which first mentioned gmail and started this discussion).

However, I do have a work method in place where I don't do my google searches from a browser where I'm logged in to gmail, and I filter those searches through tools, proxies and filters which remove other identifiers and trackers. At least enough to make me feel more comfortable. They don't seem to be able to pass me 'personal' ads, as I've seen happening if you use e.g. an Android device where you're permanently identified. Those kind of ads are just extremely annoying but I don't see them on my desktop computers.

Tor

Stone
December 26th, 2012, 03:29 PM
... considering that forum spam can be managed by IP source filtering and use of services like stopforumspam.com, ...

I tried all kinds of approaches and nothing comes even close to Akismet. It, alone, is even better than the combined conglomerate of packages I was using prior to it being installed. I was always moderating SPAM and with Akismet there is now nothing to do. Been using it for about two years and it's certainly consistent.

Ole Juul
December 26th, 2012, 04:32 PM
I know no solution which can handle the amount of email I'm getting these days, except gmail. I use our corporate email servers for the limited range of work email I have to handle, but the tens of thousands emails I have archived at this point simply cannot be handled by the corporate solutions.
I have not experienced that level of e-mail usage since I am an amateur, but the hosting company I use certainly offers a well managed service and you get to create almost as many e-mail addresses as you want - I get 2000 with a cheap account. That said, those kinds of services may not have quite as much storage as you may need - only 2GB for my account (https://www.superb.net/web-hosting/web-hosting-plans.php), and still only 4GB with a slightly more expensive plan. I guess you would have to do some judicious archiving if you were to live with that amount of space.

Caluser2000
December 26th, 2012, 06:15 PM
Funny that I've got two yahoo email addresses and I get about half a dozen spam emails a month. I feel so left out..............

Ole Juul
December 26th, 2012, 07:31 PM
Funny that I've got two yahoo email addresses and I get about half a dozen spam emails a month. I feel so left out..............

We're talking the other way around. :) IOW, spam that is coming from these providers. Of course one can filter out spam from getting to one's inbox, but it is another story to stop people from sending it out. Only the mail server provider can do anything about that. Some providers, like Hotmail, obviously don't care one bit or perhaps even encourage the sending out of spam from their servers.

DOS lives on!!
December 27th, 2012, 04:21 AM
I once removed a virus from a friend's computer in which the virus was auto-sending loads of spam messages. It tried to send out a total of around 10,000 messages in four days to randomly generated email accounts (most were GMail and Yahoo) to see which ones were active accounts.