Educause Security Discussion mailing list archives
Re: "postcard" spams.
From: Theresa Semmens <theresa.semmens () NDSU EDU>
Date: Tue, 3 Jul 2007 13:03:06 -0500
I'm seeing you have received a "BlueMountain.com greeting from a colleague"

Theresa Semmens, CISA
NDSU IT Security Officer
PO Box 5164
North Dakota State University
Fargo, ND
Phone: 701-231-5870
FAX: 701-231-8541
Theresa.Semmens () ndsu edu

"Opportunity is missed by most people because it is dressed in overalls and looks like work." Thomas Edison

-----Original Message-----
From: Matthew Gracie [mailto:graciem () CANISIUS EDU]
Sent: Tuesday, July 03, 2007 12:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] "postcard" spams.

We've been receiving a whole host of "You have received a postcard!" spam, with malware website links embedded in it. For details, see:

http://isc.sans.org/diary.html?storyid=3063

I haven't had a whole lot of luck finding information on the method of propagation on this, but it seems to do all of its initial setup from a source UDP port of 26395. At least, that's my observation from a deliberately infected machine and a packet sniffer. Does this jibe with other people's observation of this?

The ecard.exe I downloaded from one of the emails has a different MD5 than listed in the SANS article, so I fear there might be copycats and variants out there already.

--Matt

--
Matt Gracie (716) 888-2403
Information Security Administrator graciem () canisius edu
Canisius College ITS 425531N / 0785109W
http://www2.canisius.edu/~graciem/graciem_public_key.gpg