Security Incidents mailing list archives

RE: Strange mail with number in subject line and body


From: "Shaffer, Bruce" <security () stsgi com>
Date: Wed, 7 Jun 2006 07:15:57 -0400

We've seen enough that I sent out a warning to all users in my domain to
delete.  It seems that the source mail server is being spoofed as well
as the source address.  My analysis shows each e-mail having a separate
source address coming from all over the US and Amsterdam; I didn't see
any other countries represented.  Tracing several messages from the time
they come into the perimeter until they are ultimately delivered shows
no attachments or links, just the numbers.  I don't have the facilities
to capture the messages intact as they come in to do a full
reconstruction before they get to the mail defenses, so I would bow to a
full byte-by-byte analysis to show that the messages are indeed "clean".
The only reasons I can think of for these e-mails are either new malware
is being field tested, (zombies?), someone's probes have gone awry or
someone is building a list of valid e-mails.  If you shotgun e-mails at
a domain and remove any e-mail addresses that return an NDR, you are
left with a list of addresses that have some confidence of being real.

Can someone check in who has been able to do a complete analysis of the
mail?
-B-


-----Original Message-----
From: paul.johnson8 () gmail com [mailto:paul.johnson8 () gmail com] 
Sent: Tuesday, June 06, 2006 1:44 AM
To: incidents () securityfocus com
Subject: Strange mail with number in subject line and body

We have received a few strange emails (from Korea and France) which
list a three character number in the subject line and a different
three digit character number in the body, no attachments.

The sender (from field) has been spoofed and displays the receiver's
name (to field).

I did a search on Google but could not find any further information.
Has anyone seen or know where/why these emails are being received?  Maybe
an sdbot infection on zombie PC?

------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29 - August 3 in Las Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of your
security environment. Featuring 36 hands-on training courses and 10 conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.

http://www.blackhat.com
------------------------------------------------------------------------------
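
A mail-filter check for the pattern reported in this thread, as an added example that is not part of either post: a three-digit subject, a different three-digit body, no attachments, and a From address equal to the To address. The function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

THREE_DIGITS = re.compile(r"\d{3}")

def body_text(msg):
    """Return the stripped body of a single-part text/plain message, else None."""
    if msg.is_multipart() or msg.get_content_type() != "text/plain":
        return None  # attachments or HTML parts do not fit the reported pattern
    payload = msg.get_payload(decode=True) or b""
    return payload.decode(msg.get_content_charset() or "ascii", "replace").strip()

def matches_number_probe(raw):
    """True if a raw RFC 822 message fits the pattern described in the thread."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    body = body_text(msg)
    if body is None:
        return False
    # The original poster reports the From field showing the receiver's own name.
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    return (
        bool(THREE_DIGITS.fullmatch(subject))
        and bool(THREE_DIGITS.fullmatch(body))
        and subject != body
        and from_addr != ""
        and from_addr == to_addr
    )

def scan(raw_messages):
    """Return the indexes of messages that match, for quarantine or counting."""
    return [i for i, raw in enumerate(raw_messages) if matches_number_probe(raw)]

# Constructed sample messages (not captured traffic).
SAMPLE_PROBE = "From: alice@example.com\nTo: alice@example.com\nSubject: 417\n\n902\n"
SAMPLE_NORMAL = "From: bob@example.com\nTo: alice@example.com\nSubject: 417\n\nInvoice 417 attached\n"
SAMPLE_SAME_NUMBER = "From: alice@example.com\nTo: alice@example.com\nSubject: 417\n\n417\n"

if __name__ == "__main__":
    print(scan([SAMPLE_PROBE, SAMPLE_NORMAL, SAMPLE_SAME_NUMBER]))
```

Counting matches per recipient over time shows how widely a domain's address space is being touched, which bears on the list-building explanation raised above.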
