Educause Security Discussion mailing list archives
Re: "postcard" spams.
From: David Lundy <dlundy () PACIFIC EDU>
Date: Tue, 3 Jul 2007 11:15:28 -0700
The latest variation is a subject: "July 4th Fireworks Show"

We saw americangreetings.com, 2000greetings.com, and bluemountain.com in the messages yesterday. The messages did not seem to vary much last week, but vary enough now that new variants get through our spam filter.

------------------------------------------------
David Lundy
Assistant IT Security Officer
University of the Pacific
Stockton, CA 95211
Email: dlundy () pacific edu
Voice: 209-946-3951
Fax: 209-946-2898

-----Original Message-----
From: Theresa Semmens [mailto:theresa.semmens () NDSU EDU]
Sent: Tuesday, July 03, 2007 11:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] "postcard" spams.

I'm seeing you have received a "BlueMountain.com greeting from a colleague"

Theresa Semmens, CISA
NDSU IT Security Officer
PO Box 5164
North Dakota State University
Fargo, ND
Phone: 701-231-5870
FAX: 701-231-8541
Theresa.Semmens () ndsu edu

"Opportunity is missed by most people because it is dressed in overalls and looks like work." Thomas Edison

-----Original Message-----
From: Matthew Gracie [mailto:graciem () CANISIUS EDU]
Sent: Tuesday, July 03, 2007 12:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] "postcard" spams.

We've been receiving a whole host of "You have received a postcard!" spam, with malware website links embedded in it. For details, see:

http://isc.sans.org/diary.html?storyid=3063

I haven't had a whole lot of luck finding information on the method of propagation on this, but it seems to do all of its initial setup from a source UDP port of 26395. At least, that's my observation from a deliberately infected machine and a packet sniffer.

Does this jibe with other people's observation of this? The ecard.exe I downloaded from one of the emails has a different MD5 than listed in the SANS article, so I fear there might be copycats and variants out there already.

--Matt

--
Matt Gracie (716) 888-2403
Information Security Administrator graciem () canisius edu
Canisius College ITS 425531N / 0785109W
http://www2.canisius.edu/~graciem/graciem_public_key.gpg