Security Incidents mailing list archives

Re: Massive increase in spam volume?


From: "Jay D. Dyson" <jdyson () treachery net>
Date: Sun, 25 Apr 2004 23:00:05 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 24 Apr 2004, Thamer Al-Harbash wrote:

> I work at a large ISP in Canada and just a few hours ago we've
> experienced a massive increase in spam volume. The volume is so high
> it's bordering on being a denial of service attack.
>
> Does anyone know if there's a worm out in the wild currently doing this?
> I've confirmed with some of my colleagues that other ISPs are also
> experiencing this.
>
> I'm interested in finding specific netblocks but the spam seems to be
> coming from everywhere.

        I'd say you're seeing the first wave of what appears to be a new
worm.  Earlier this evening I received about 20 copies of the same message
(same subject, same body, different senders) which was titled, "Osama bin
Laden found!" and listed a URL (http://220.95.231.54/pics/).

        Being naturally curious (and even more naturally paranoid), I went
to the URL...but not with my browser.  What I snagged was an obfuscated
Javascript page which -- from what I could decipher at a glance -- was
some kind of spam pitch for cheap prescription drugs.  I didn't bother
looking for a malicious payload after that.

        So what we have here could be a worm that spews spam.  This sort
of thing will pretty much render the idea of blackholing netblocks useless
now, since unpatched Windows systems are everywhere.

        That's my take.  I look forward to hearing about what others have
seen land in their inboxes.

- -Jay

  (    (                                                         _______
  ))   ))  .--"There's always time for a good cup of coffee."--.  >====<--.
C|~~|C|~~| )>------ Jay D. Dyson - jdyson () treachery net ------<( |    = |-'
 `--' `--' `-If you wanna make God laugh, tell him your plans.-' `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQFAjKVp6uxsHJ5aYG4RAsRGAJ484Fe0Rp1i+d/yt3yAnDPPRoSvwACcC8I0
aSmguv2f7zEF4hky8xDx6D4=
=ZZ/E
-----END PGP SIGNATURE-----
