Educause Security Discussion mailing list archives

Re: "postcard" spams.


From: David Lundy <dlundy () PACIFIC EDU>
Date: Tue, 3 Jul 2007 11:15:28 -0700

The latest variation is a subject: "July 4th Fireworks Show"
We saw americangreetings.com, 2000greetings.com, and bluemountain.com in
the messages yesterday.  The messages did not seem to vary much last
week, but vary enough now that new variants get through our spam
filter.

------------------------------------------------
David Lundy
Assistant IT Security Officer
University of the Pacific
Stockton, CA 95211
Email: dlundy () pacific edu
Voice: 209-946-3951
Fax: 209-946-2898         

-----Original Message-----
From: Theresa Semmens [mailto:theresa.semmens () NDSU EDU] 
Sent: Tuesday, July 03, 2007 11:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] "postcard" spams.

I'm seeing you have received a "BlueMountain.com greeting from a
colleague"

Theresa Semmens, CISA
NDSU IT Security Officer
PO Box 5164
North Dakota State University
Fargo, ND 
Phone: 701-231-5870
FAX: 701-231-8541
Theresa.Semmens () ndsu edu

"Opportunity is missed by most people because it is dressed in overalls
and looks like work."  Thomas Edison

-----Original Message-----
From: Matthew Gracie [mailto:graciem () CANISIUS EDU] 
Sent: Tuesday, July 03, 2007 12:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] "postcard" spams.

We've been receiving a whole host of "You have received a postcard!"
spam, with malware website links embedded in it.

For details, see: http://isc.sans.org/diary.html?storyid=3063

I haven't had a whole lot of luck finding information on the method of
propagation on this, but it seems to do all of its initial setup from a
source UDP port of 26395. At least, that's my observation from a
deliberately infected machine and a packet sniffer.

Does this jibe with other people's observation of this? The ecard.exe I
downloaded from one of the emails has a different MD5 than listed in the
SANS article, so I fear there might be copycats and variants out there
already.

--Matt

-- 
Matt Gracie                         (716) 888-2403
Information Security Administrator  graciem () canisius edu
Canisius College ITS                425531N / 0785109W
http://www2.canisius.edu/~graciem/graciem_public_key.gpg        
