Security Incidents mailing list archives

Curious "spam" (or broken viral payload)...


From: "Jay D. Dyson" <jdyson () treachery net>
Date: Wed, 8 Jan 2003 14:44:11 -0800 (PST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks,

        I deal with despamming quite a bit, so I like to think I've seen
it all by now.  Even so, this one has me flummoxed.

        The following e-mail (appended to the end of this note) arrived in
my mailbox with a currently-popular spam subject ("New concept of giving
for [userid]").  The body of the message was base64 encoded.  So I did my
ARIN lookup on the sender, began composing my complaint to the offending
ISP, and then decoded the base64 content. 

        That's where I stopped on a dime.  The message wasn't anything
remotely resembling a pitch.  In fact, it was a verbatim Apache error
message (listed following the appended e-mail).

        So, all things considered, am I:

        1.  looking at the output from a broken mail worm, or;
        2.  dealing with a second- or third-rate spammer who just doesn't
            know what the heck he's spewing out, or;
        3.  receiving an attempted spam mail through a broken web->mail
            gateway, or;
        4.  none of the above?

        Right now I'm leaning toward the likelihood of item #3 since the
mail headers have all the hallmarks of a spam message (forged From: data,
contemporary spam subject, base64 encoding), but the content just throws
me off.  It's obviously not a sales pitch and, near as I can see, is a
genuine Apache error report.  I guess with the proliferation of viral and
spam trickery with header data, the line between these two forms of
unsolicited bulk e-mail has blurred.

        As an aside, I went to the IP listed in the error and there is
such a server at that IP and it is running the listed Apache version.

        So what's the consensus?  Anyone else seen this in their inbox?

- -Jay

- -----BEGIN ATTACHED MESSAGE-----

Return-Path: <Verenash () mail-online dk>
Delivered-To: [redacted]
Received: (qmail 7586 invoked from network); 8 Jan 2003 15:05:16 -0000
Received: from ca-yuccavalley2a-187.vnnyca.adelphia.net (HELO tboeokc) (68.66.228.187)
  by mail.treachery.net with SMTP; 8 Jan 2003 15:05:16 -0000
From: Freda Craig <Verenash () mail-online dk>
To: [redacted]
Subject: New concept of giving for [redacted]
Date: Wed, 08 Jan 2003 07:14:19 -0800
Content-Type: text/plain
Content-Transfer-Encoding: base64
Message-Id: <bclsobwt () mail-online dk>
Content-Length: 825
- ----- END ATTACHED MESSAGE -----


- -----BEGIN DECODED CONTENTS-----

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>500 Internal Server Error</TITLE>
</HEAD><BODY>
<H1>Internal Server Error</H1>
The server encountered an internal error or
misconfiguration and was unable to complete
your request.<P>
Please contact the server administrator,
 arro () arro ru and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.<P>
More information about this error may be available
in the server error log.<P>
<HR>
<ADDRESS>Apache/1.3.20 Server at 209.51.142.140 Port 80</ADDRESS>
</BODY></HTML>

- ----- END DECODED CONTENTS -----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE+HKm/TqL/+mXtpucRAjsqAJ9bNiXDx9hsD/Ac77wXHBItOE/8vACggO4S
thbW3lsscYSmzc559Nk8GJo=
=0rWN
-----END PGP SIGNATURE-----
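The triage step the post walks through (decode the base64 body, find that it is an Apache error document rather than a pitch), as an added example that is not code from the post. The sample message is constructed from the headers and decoded contents shown above; the original base64 blob is not on the page, so the body is re-encoded from an abbreviated copy of the error page, and the `triage` function and its result fields are assumptions.

```python
import base64
import email
import re
from email import policy

# Constructed sample (not the original blob): the attached message's key
# headers with the body re-encoded from an abbreviated copy of the decoded
# Apache error page reproduced in the post.
ERROR_PAGE = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<HTML><HEAD>\n<TITLE>500 Internal Server Error</TITLE>\n</HEAD><BODY>\n"
    "<H1>Internal Server Error</H1>\n<HR>\n"
    "<ADDRESS>Apache/1.3.20 Server at 209.51.142.140 Port 80</ADDRESS>\n"
    "</BODY></HTML>\n"
)
SAMPLE = (
    "From: Freda Craig <Verenash () mail-online dk>\n"
    "Subject: New concept of giving for [redacted]\n"
    "Content-Type: text/plain\n"
    "Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(ERROR_PAGE.encode()).decode() + "\n"
)

def triage(raw: str) -> dict:
    """Decode a single-part message and report whether its body is really
    an HTTP error document rather than the plain text it claims to be."""
    msg = email.message_from_string(raw, policy=policy.default)
    # decode=True honours Content-Transfer-Encoding (base64 here)
    body = (msg.get_payload(decode=True) or b"").decode("latin-1", "replace")
    title = re.search(r"<TITLE>(.*?)</TITLE>", body, re.I | re.S)
    title = title.group(1).strip() if title else None
    banner = re.search(r"<ADDRESS>(.*?)</ADDRESS>", body, re.I | re.S)
    banner = banner.group(1).strip() if banner else ""
    # Apache's default error pages end with "<software> Server at <host> Port <n>"
    srv = re.match(r"(\S+) Server at (\S+) Port (\d+)", banner)
    result = {
        "declared_type": msg.get_content_type(),
        "encoding": msg.get("Content-Transfer-Encoding"),
        "html_body": re.match(r"\s*<!DOCTYPE HTML", body, re.I) is not None,
        "http_error_title": title if title and re.match(r"[45]\d\d\b", title) else None,
        "server_software": srv.group(1) if srv else None,
        "server_host": srv.group(2) if srv else None,
        "server_port": int(srv.group(3)) if srv else None,
    }
    # The tell-tale from the post: a text/plain body that is really an HTTP error page
    result["mismatch"] = result["declared_type"] == "text/plain" and result["html_body"]
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:18} {value}")
```

The `server_host` and `server_software` fields give an analyst the same two facts the post checked by hand (the host exists and runs the banner's Apache version) without fetching anything.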


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
