Security Basics mailing list archives
Re: Can anybody explain this Klez Variant?
From: it_hjw () juno com
Date: Fri, 7 Feb 2003 07:21:21 -0600
Spam is so frustrating. grrrrrrrrr. I always report it--It doesn't stop it from coming, but if I can be an annoyance to them (like they are to me) then I'll keep doing it. :)

My ISP just sent me this to report complaints regarding other domains. It may help (or may not).

http://spam.abuse.net/userhelp/howtocomplain.shtml

-HJ

On Thu, 06 Feb 2003 00:04:50 +0000 "Drexcia ====" <drexcia () hotmail com> writes:
Hi Guys,

A friend of mine received this message supposedly from me in his hotmail account. Names/Email addresses have been changed but you'll get the idea

<snip>
From : my_name <my_name () excite com au>
To : myfriend () hotmail com
Subject : A good tool
Date : Mon, 6 Jan 2003 02:36:46 -0600
MIME-Version: 1.0
Received: from out009.verizon.net ([206.46.170.131]) by mc1-f5.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Mon, 6 Jan 2003 00:36:47 -0800
Received: from Idxgvfqiv ([198.142.240.35]) by out009.verizon.net (InterMail vM.5.01.05.20 201-253-122-126-120-20021101) with SMTP id <20030106083621.IPQL7162.out009.verizon.net@Idxgvfqiv> for <myfriend () hotmail com>; Mon, 6 Jan 2003 02:36:21 -0600
Message-Id: <20030106083621.IPQL7162.out009.verizon.net@Idxgvfqiv>
Return-Path: my_name () verizon net
X-OriginalArrivalTime: 06 Jan 2003 08:36:47.0071 (UTC) FILETIME=[BFE38EF0:01C2B55E]
Content-Type: multipart/alternative; boundary=OecRB7ZOj28RPW41r0438676cfw002tZA2

Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

This is a special good tool I wish you would like it.
</snip>

I know this looks like a typical Klez message but there are a few things that have me stumped.

1) The "my_name" email address is an old excite account which hasn't been used in over 2 years and has been disabled. The "myfriend" address was not in my address book at this excite account.
2) The return path is "my_name"@verizon.net
3) The source IP has been traced back to a prepaid account with an Australian ISP which doesn't require any personal information to register.

Obviously my email address has been spoofed and they've used a Verizon server to send it. Also included was a 112K Attachment called href.exe which I'm unable to access, presumably Hotmail has stripped it.

Anybody able to help me out with this one? I'm really just wondering if anybody has seen this before or if this is specifically targeted at me.

Many thanks guys..
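An added example, not part of the original posts: a Python sketch of the header triage described in the message above, walking the Received chain oldest-first and comparing the From and Return-Path domains. The sample headers are taken from the quoted message, trimmed, with addresses restored from the archive's "user () host tld" form (an assumption); the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers from the quoted message, trimmed to the fields
# the parser reads; address de-obfuscation is an assumption.
SAMPLE = """\
From: my_name <my_name@excite.com.au>
To: myfriend@hotmail.com
Subject: A good tool
Received: from out009.verizon.net ([206.46.170.131])
 by mc1-f5.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
 Mon, 6 Jan 2003 00:36:47 -0800
Received: from Idxgvfqiv ([198.142.240.35])
 by out009.verizon.net with SMTP; Mon, 6 Jan 2003 02:36:21 -0600
Return-Path: my_name@verizon.net

body
"""

# "from <HELO name> ([<client IP>]) by <receiving server>"
HOP = re.compile(r"from\s+(\S+)\s+\(\[([\d.]+)\]\)\s+by\s+(\S+)")

def domain(addr):
    """Lower-cased domain part of an address header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def received_hops(msg):
    """Return (helo, ip, by) tuples, oldest hop first."""
    hops = [m.groups() for v in msg.get_all("Received", [])
            if (m := HOP.search(v))]
    return hops[::-1]  # each server prepends, so the last header is oldest

def analyse(raw):
    msg = message_from_string(raw)
    hops = received_hops(msg)
    findings = []
    if domain(msg["From"]) != domain(msg["Return-Path"]):
        findings.append("From and Return-Path domains differ")
    if hops and "." not in hops[0][0]:
        findings.append("first hop HELO name is not a hostname")
    # Each relay's "by" name should reappear as the next hop's "from" name.
    if any(a[2].lower() != b[0].lower() for a, b in zip(hops, hops[1:])):
        findings.append("Received chain is not continuous")
    return {"origin_ip": hops[0][1] if hops else None,
            "hops": hops, "findings": findings}

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Only the client IP recorded by a server you trust is reliable evidence; Received lines below that point are supplied by the sender. A From/Return-Path mismatch also occurs in legitimate mail, so treat it as a hint rather than proof.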