Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Strange Emails -- What are they?

From: wayne dawson <waydaws () telus net>
Date: Wed, 07 Jun 2006 23:33:55 -0700
Simon Smith wrote:

Hi List,
    I've had roughly one dozen people forward emails to me from
different companies asking me to figure out what these emails are. The
emails appear to be emails from the from the recipient. For example,
John Doe appears to be sending an email to himself, but he's not. In
reality when checking the mail server logs I find that the mails
originate from the Internet.  Other emails like the one below contain a
different sender than the recipient but the contents of the emails are
the same and they are still from the same domain.


-------------------- BEGIN EMAIL ----------------------

Received: from 83.145.66.70 ([172.18.12.134])
 by vms043.mailsrvcs.net (Sun Java System Messaging Server 6.2-4.02 (built
Sep
 9 2005)) with ESMTP id <0J0E00AVSNH9ETG0 () vms043 mailsrvcs net> for
 xxxxxxx () verizon net; Mon, 05 Jun 2006 15:55:58 -0500 (CDT)
Received: from raptor.net (83.145.66.70)
 by sv12pub.verizon.net (MailPass SMTP server v1.2.0 - 112105154401JY+PrW)
 with  SMTP id <5-25035-180-25035-2228-2-1149540957> for
vms043pub.verizon.net;
 Mon, 05 Jun 2006 15:55:58 -0500
Date: Mon, 05 Jun 2006 22:52:40 +0100
From: "Gil.novak" <xxxxxx () verizon net>
Subject: 586876
X-Originating-IP: [83.145.66.70]
To: "xxx.xxxx" <xxxxxx () verizon net>
Message-id: <ayoznyepbslfqdlqblr () verizon net>
MIME-version: 1.0
Content-type: text/html; charset=us-ascii
Content-transfer-encoding: 7bit



-----Original Message-----
From: xxx.xxxx [mailto:xxx.xxxx () verizon net]
Sent: Monday, June 05, 2006 5:53 PM
To: xxx.xxxx
Subject: 586876


969



-------------------- END EMAIL ---------------------

Is this just another instance of spammers fishing for legit addresses?
If so, then why the hell are they sending email from invalid addresses?
I can dig into this a lot further if I need to, but I wanted to see if
anyone else had any ideas about it first.  Thanks in advance!!!


-Simon


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
I think it's out now, but in case you haven't heard, jesse gough of security focus, said this was "a new Tooso/Beagle variant released a few days ago. It appears to be retrieving lists of email addresses and spamming them, and if the spam attempt does not result in an SMTP error, it will save the address to a "known-good" list and eventually upload that to a remote location. The numbers in the subject and body are randomly selected from a small hardcoded list (2 choices for the subject, 5 for the body). Nothing to indicate the significance of the specific numbers chosen, however." 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: