Full Disclosure mailing list archives

Interesting email trick


From: nexus () patrol i-way co uk (Nexus)
Date: Sun, 22 Sep 2002 18:21:57 +0100

Hi folks,
    I'm used to the normal javascript, IFRAME launcher and webbug type
rubbish in spam/virus emails, but I recently received a variation on the
trick, using a MIME encoded URL to an exe - not seen one of these before and
wondered if anyone else has.   Needless to say it failed ;-)   Full email is
below (headers intact in the spirit of full disclosure and reader feedback)
but the HTML tags are changed so that any gentle souls that have HTML email
don't get panicked.   Nice little 'ol me eh ? ;-)
Apologies if this is old hat as it's the standard porn related dialler scam.

Cheers.

Received: from mmx (abn195-23.izmir-ports.kablonet.net.tr [195.174.195.23])
 by i-way.co.uk (8.9.3/8.9.3) with SMTP id RAA16671
 for <nexus () patrol i-way co uk>; Sun, 22 Sep 2002 17:00:13 +0100
Message-Id: <200209221600.RAA16671 () i-way co uk>
From: "coderip" <coderip () hotmail com>
To: "nexus" <nexus () patrol i-way co uk>
Subject: Petek Dinçöz
Date: Sun, 22 Sep 02 18:48:11 GTB Standart Saati
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary=
"----=_NextPart_000_0011_4656D047.3C13EA3F"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000
X-UIDL: ?DM"!I<`"!eQl!!A,H!!

------=_NextPart_000_0011_4656D047.3C13EA3F
Content-Type: text/html; charset= "windows-1254"
Content-Transfer-Encoding: base64

PGh0bWw+DQo8dGl0bGU+UGV0ZWsgRGlu5/Z6PC90aXRsZT4NCjxjZW50ZXI+DQo8YSBocmVm
PWh0dHA6Ly82NC4yMzkuNDQuMjAvZGlhbGVycy8xMDA1L2Jpemlta2l6bGFyLmV4ZSBib3Jk
ZXI9MD48aW1nIHNyYz1odHRwOi8vd3d3Lmt1ZHVyZHVtLmNvbS9wZXRlay5qcGc+PC9hPg0K
PGJyPjxpbWcgc3JjPWh0dHA6Ly93d3cua3VkdXJkdW0uY29tL2NnaS1iaW4vdm90ZS5jZ2k/
ZmlsZT10ZXN0IGhlaWdodD0xIHdpZHRoPTE+DQo8L2NlbnRlcj4NCjwvaHRtbD4gICAg
------=_NextPart_000_0011_4656D047.3C13EA3F--

To save you the few seconds needed to decode that block, it is:

[html]
[title]Petek Dinçöz[/title]
[center]
[a href=http://64.239.44.20/dialers/1005/bizimkizlar.exe border=0][img src=http://www.kudurdum.com/petek.jpg][/a]
[br][img src=http://www.kudurdum.com/cgi-bin/vote.cgi?file=test height=1 width=1]
[/center]
[/html]


