Security Basics mailing list archives

Re: Can anybody explain this Klez Variant?

From: it_hjw () juno com
Date: Fri, 7 Feb 2003 07:21:21 -0600

Spam is so frustrating.  grrrrrrrrr.   I always report it--It doesn't
stop it from coming, but if I can be an annoyance to them (like they are
to me) then I'll keep doing it.  :)

My ISP just sent me this to report complaints regarding other domains. 
It may help (or may not).  

http://spam.abuse.net/userhelp/howtocomplain.shtml

-HJ

On Thu, 06 Feb 2003 00:04:50 +0000 "Drexcia ====" <drexcia () hotmail com>
writes:

Hi Guys,

A friend of mine received this message supposedly from me in his 
hotmail 
account. Names/Email addresses have been changed but you'll get the 
idea

<snip>

From :    my_name <my_name () excite com au>
To :      myfriend () hotmail com
Subject : A good tool

Date :    Mon, 6 Jan 2003 02:36:46 -0600

   MIME-Version: 1.0
Received: from out009.verizon.net ([206.46.170.131]) by 
mc1-f5.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Mon, 
6 Jan 
2003 00:36:47 -0800
Received: from Idxgvfqiv ([198.142.240.35]) by out009.verizon.net 
(InterMail 
vM.5.01.05.20 201-253-122-126-120-20021101) with SMTP id 
<20030106083621.IPQL7162.out009.verizon.net@Idxgvfqiv> for 
<myfriend () hotmail com>; Mon, 6 Jan 2003 02:36:21 -0600
Message-Id: <20030106083621.IPQL7162.out009.verizon.net@Idxgvfqiv>
Return-Path: my_name () verizon net
X-OriginalArrivalTime: 06 Jan 2003 08:36:47.0071 (UTC) 
FILETIME=[BFE38EF0:01C2B55E]

Content-Type: multipart/alternative; 
boundary=OecRB7ZOj28RPW41r0438676cfw002tZA2
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable


This is a special good tool
I wish you would like it.

</snip>

I know this looks like a typical Klez message but there are a few 
things 
that have me stumped.

1) The "my_name" email address is an old excite account which hasn't 
been 
used in over 2 years and has been disabled. The "myfriend" address 
was not 
in my address book at this excite account.

2) The return path is "my_name"@verizon.net

3) The source IP has been traced back to a prepaid account with an 
Australian ISP which doesn't require any personal information to 
register.

Obviously my email address has been spoofed and they've used a 
Verizon 
server to send it. Also included was a 112K Attachment called 
href.exe which 
I'm unable to access, presumably Hotmail has stripped it.

Anybody able to help me out with this one? I'm really just wondering 
if 
anybody has seen this before or if this is specifically targeted at 
me.

Many thanks guys..






_________________________________________________________________
The new MSN 8: advanced junk mail protection and 2 months FREE*  
http://join.msn.com/?page=features/junkmail


________________________________________________________________
Sign Up for Juno Platinum Internet Access Today
Only $9.95 per month!
Visit www.juno.com

Current thread:

Can anybody explain this Klez Variant? Drexcia ==== (Feb 06)
- Re: Can anybody explain this Klez Variant? Dan Donkers (Feb 10)
- <Possible follow-ups>
- RE: Can anybody explain this Klez Variant? Anders Reed Mohn (Feb 07)
- Re: Can anybody explain this Klez Variant? it_hjw (Feb 07)