Educause Security Discussion mailing list archives

"postcard" spams.

From: Matthew Gracie <graciem () CANISIUS EDU>
Date: Tue, 3 Jul 2007 13:38:46 -0400

We've been receiving a whole host of "You have received a postcard!"
spam, with malware website links embedded in it.

For details, see: http://isc.sans.org/diary.html?storyid=3063

I haven't had a whole lot of luck finding information on the method of
propagation on this, but it seems to do all of its initial setup from a
source UDP port of 26395. At least, that's my observation from a
deliberately infected machine and a packet sniffer.

Does this jibe with other people's observation of this? The ecard.exe I
downloaded from one of the emails has a different MD5 than listed in the
SANS article, so I fear there might be copycats and variants out there
already.

--Matt

--
Matt Gracie                         (716) 888-2403
Information Security Administrator  graciem () canisius edu
Canisius College ITS                425531N / 0785109W
http://www2.canisius.edu/~graciem/graciem_public_key.gpg

Current thread:

"postcard" spams. Matthew Gracie (Jul 03)
- <Possible follow-ups>
- Re: "postcard" spams. Perry, Jeff (Jul 03)
- Re: "postcard" spams. Theresa Semmens (Jul 03)
- Re: "postcard" spams. David Lundy (Jul 03)
- Re: "postcard" spams. Alan Amesbury (Jul 03)
- Re: "postcard" spams. Les LaCroix (Jul 03)