Educause Security Discussion mailing list archives

Re: "postcard" spams.

From: Theresa Semmens <theresa.semmens () NDSU EDU>
Date: Tue, 3 Jul 2007 13:03:06 -0500

I'm seeing you have received a "BlueMountain.com greeting from a colleague"

Theresa Semmens, CISA
NDSU IT Security Officer
PO Box 5164
North Dakota State University
Fargo, ND
Phone: 701-231-5870
FAX: 701-231-8541
Theresa.Semmens () ndsu edu

"Opportunity is missed by most people because it is dressed in overalls and
looks like work."  Thomas Edison

-----Original Message-----
From: Matthew Gracie [mailto:graciem () CANISIUS EDU]
Sent: Tuesday, July 03, 2007 12:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] "postcard" spams.

We've been receiving a whole host of "You have received a postcard!"
spam, with malware website links embedded in it.

For details, see: http://isc.sans.org/diary.html?storyid=3063

I haven't had a whole lot of luck finding information on the method of
propagation on this, but it seems to do all of its initial setup from a
source UDP port of 26395. At least, that's my observation from a
deliberately infected machine and a packet sniffer.

Does this jibe with other people's observation of this? The ecard.exe I
downloaded from one of the emails has a different MD5 than listed in the
SANS article, so I fear there might be copycats and variants out there
already.

--Matt

--
Matt Gracie                         (716) 888-2403
Information Security Administrator  graciem () canisius edu
Canisius College ITS                425531N / 0785109W
http://www2.canisius.edu/~graciem/graciem_public_key.gpg

Current thread:

"postcard" spams. Matthew Gracie (Jul 03)
- <Possible follow-ups>
- Re: "postcard" spams. Perry, Jeff (Jul 03)
- Re: "postcard" spams. Theresa Semmens (Jul 03)
- Re: "postcard" spams. David Lundy (Jul 03)
- Re: "postcard" spams. Alan Amesbury (Jul 03)
- Re: "postcard" spams. Les LaCroix (Jul 03)