spamgourmet 'send from address' used to distribute virus!?

Postby username » Wed Mar 03, 2004 1:30 am

I just received an e-mail containing a version of the "W32.Beagle.A@mm" virus. It was within an attachment called MoreInfo.pif. Here are the headers:

X-Apparently-To: XXXXXXXXXXXXX@yahoo.com via 216.136.172.58; Tue, 02 Mar 2004 17:22:09 -0800
Return-Path: <jqh1@gourmet.spamgourmet.com>
Received: from 216.218.230.146 (EHLO gourmet.spamgourmet.com) (216.218.230.146) by mta159.mail.scd.yahoo.com with SMTP; Tue, 02 Mar 2004 17:22:09 -0800
Received: from gourmet.spamgourmet.com (localhost [127.0.0.1]) by localhost (8.12.10/8.12.9) with ESMTP id i231M9BH017890 for <XXXXXXXXXXXXXXX@yahoo.com>; Tue, 2 Mar 2004 17:22:09 -0800
Received: (from jqh1@localhost) by gourmet.spamgourmet.com (8.12.10/8.12.10/Submit) id i231M9xW017889 for XXXXXXXXXXXXXXXXX@yahoo.com; Tue, 2 Mar 2004 17:22:09 -0800
Received: from Teresa (arh2185.urh.uiuc.edu [130.126.70.97]) by gourmet.spamgourmet.com (8.12.10/8.12.9) with SMTP id i231M7BI017859 for <uberprofile.x.username@spamgourmet.com>; Tue, 2 Mar 2004 17:22:08 -0800
Date: Tue, 02 Mar 2004 19:21:50 -0600
To: uberprofile.x.username@spamgourmet.com
Subject: E-mail account disabling warning. (uberprofile: message 4 of 20)
From: +uberprofile+username+59fb74af74.admini ... ourmet.com
Message-ID: <csmiplmbxyvpgobqrvh@spamgourmet.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------qqoqxugqymjmpdyfgvyi"
Content-Length: 11909

The body of the message:
Hello user of Spamgourmet.com e-mail server,

Some of our clients complained about the spam (negative e-mail
content)
outgoing from your e-mail account. Probably, you have been infected by
a proxy-relay trojan server. In order to keep your computer safe,
follow the instructions.

Further details can be obtained from attached file.

Kind regards,
The Spamgourmet.com team
http://www.spamgourmet.com

------------------------------------------
Has anyone else received this? Is this a solid spoof and a threat?
username
 

Postby josh » Wed Mar 03, 2004 1:33 am

We haven't sent anything like that. Looks like a virus that is a little smarter than average.
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Postby SysKoll » Wed Mar 03, 2004 4:09 am

This didn't come from SG. Here is the culprit:
Code:
Received: from Teresa (arh2185.urh.uiuc.edu [130.126.70.97]) by gourmet.spamgourmet.com


What I find great is that the wording specifically targeted spamgourmet accounts. It means that SG is pissing off spammers so much they want to take revenge. Good!

As for the W32.Beagle.A@mm virus, it is not terribly dangerous, considering it should disable itself after Jan. 28, 04. That said, don't double-click on the attachment!
-- SysKoll
SysKoll
 
Posts: 893
Joined: Thu Aug 28, 2003 9:24 pm
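As an added example (not code from this thread or from spamgourmet), the script below does what SysKoll did by hand: it walks the Received chain of the headers quoted in the first post to find the hop where the message really entered gourmet.spamgourmet.com, then flags a From domain the originating host does not belong to and the .pif/.zip attachment names mentioned in the thread. The headers are embedded as constructed sample data copied from the first post (recipient redacted as on the page); HOP_RE, origin_hop and triage are names chosen here.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample: the headers quoted in the first post (recipient redacted as on the page,
# lines unfolded) plus the sender address exactly as the "more info" post shows it.
RAW = """Return-Path: <jqh1@gourmet.spamgourmet.com>
Received: from 216.218.230.146 (EHLO gourmet.spamgourmet.com) (216.218.230.146) by mta159.mail.scd.yahoo.com with SMTP; Tue, 02 Mar 2004 17:22:09 -0800
Received: from gourmet.spamgourmet.com (localhost [127.0.0.1]) by localhost (8.12.10/8.12.9) with ESMTP id i231M9BH017890 for <XXXXXXXXXXXXXXX@yahoo.com>; Tue, 2 Mar 2004 17:22:09 -0800
Received: (from jqh1@localhost) by gourmet.spamgourmet.com (8.12.10/8.12.10/Submit) id i231M9xW017889 for XXXXXXXXXXXXXXXXX@yahoo.com; Tue, 2 Mar 2004 17:22:09 -0800
Received: from Teresa (arh2185.urh.uiuc.edu [130.126.70.97]) by gourmet.spamgourmet.com (8.12.10/8.12.9) with SMTP id i231M7BI017859 for <uberprofile.x.username@spamgourmet.com>; Tue, 2 Mar 2004 17:22:08 -0800
From: +uberprofile+username+59fb74af74.administration#spamgourmet.com.boundary=--------qqoqxugqymjmpdyfgvyi@spamgourmet.com
Subject: E-mail account disabling warning. (uberprofile: message 4 of 20)
"""

# "from <helo> (<rdns> [<ip>]) by <relay>"; a local submission hop such as "(from jqh1@localhost)" does not match.
HOP_RE = re.compile(r"from\s+(?P<helo>[^\s()]+)\s+(?P<info>(?:\([^)]*\)\s*)*)by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
RDNS_RE = re.compile(r"\(([^\s\[\]()]+)\s*\[")
RISKY_EXT = (".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".zip")

def received_chain(raw):
    """One dict per network hop, top-down (the receiving MTA's own header first)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))
        if m:
            ip, rdns = IP_RE.search(m["info"]), RDNS_RE.search(m["info"])
            hops.append({"helo": m["helo"], "by": m["by"], "ip": ip and ip.group(0), "rdns": rdns and rdns.group(1)})
    return hops

def origin_hop(raw):
    """Bottom-most hop with a non-loopback IP: where the message really entered the mail system."""
    for hop in reversed(received_chain(raw)):
        if hop["ip"] and not ipaddress.ip_address(hop["ip"]).is_loopback:
            return hop
    return None

def triage(raw, attachments):
    """Defender's indicators: a sender domain the originating host does not belong to, risky attachment names."""
    findings = []
    sender_domain = parseaddr(message_from_string(raw).get("From", ""))[1].rpartition("@")[2].lower()
    origin = origin_hop(raw)
    if origin and sender_domain and not (origin["rdns"] or "").lower().endswith(sender_domain):
        findings.append(f"claims {sender_domain} but entered via {origin['rdns']} [{origin['ip']}] (HELO {origin['helo']})")
    for name in attachments:
        if name.lower().endswith(RISKY_EXT):
            findings.append(f"attachment {name} has an executable or archive extension")
    return findings
```

Run `triage(RAW, ["MoreInfo.pif"])` to get both findings; the sendmail "Submit" hop is a local handoff, not a network hop, so it is skipped rather than mistaken for the origin.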

Postby ebuleheb » Wed Mar 03, 2004 12:47 pm

It's not targeted at Spamgourmet. It targets any e-mail service and puts the name of the service in the mail (i.e. The <anything> team). I have heard of it for at least Fastmail.fm and Myrealbox.com.
ebuleheb
 
Posts: 40
Joined: Thu Aug 28, 2003 6:31 pm

Postby SysKoll » Wed Mar 03, 2004 3:43 pm

Not targeting SG specifically? Darn, there go my delusions.
-- SysKoll
SysKoll
 
Posts: 893
Joined: Thu Aug 28, 2003 9:24 pm

more info

Postby username » Wed Mar 03, 2004 5:15 pm

I think this is even a little worse/malicious because the sender is trying to use the 'send from a disposable address' feature syntax. They seem to have screwed it up because it didn't format correctly and, instead of showing a name as the sender, it displayed:

+uberprofile+username+59fb74af74.administration#spamgourmet.com.boundary=--------qqoqxugqymjmpdyfgvyi@spamgourmet.com

If anyone at spamgourmet wants me to forward it to investigate further, feel free to contact me. My spamgourmet username is username.
username
 

Postby mr.ska » Mon Mar 08, 2004 6:23 pm

I just received an e-mail that had the exact same wording, except the attachment was Document.pif. I was almost suckered, as it quoted a disposable e-mail address that I did generate, but the .PIF extension on the attachment tipped me off and I deleted it.

I sincerely hope no one else is fooled. Those damnable hacks are getting craftier all the time. I really wish there was a "zap sender" button... sigh.

mr.ska
 

Same here - a scam - but I guarantee you some will fall for

Postby Guest » Thu Mar 11, 2004 2:07 am

Here is the junk email I just now got. They got my SG addy from Google newsgroups. You all, SG, need to ASAP post a warning on your webpage!:

Date: Wed, 10 Mar 2004 10:12:07 -0800
From: <--------rurwosyqnnuavsmhiwnt@sPAMGOURMET.COM>

Subject: Email account utilization warning. (newgroups: message 3 of 10)


Dear user of e-mail server "SPAMGOURMET.COM",

Your e-mail account will be disabled because of improper using in next
three days, if you are still wishing to use it, please, resign your
account information.

Pay attention on attached file.

For security reasons attached file is password protected. The password is "01743".

Sincerely,
The SPAMGOURMET.COM team http://www.sPAMGOURMET.COM

Attachment: MoreInfo.zip (17 KB)
Guest
 

Postby SysKoll » Thu Mar 11, 2004 1:47 pm

I certainly hope that nobody is naive enough to think that the SG team would send this kind of message. Not to mention that Josh speaks English, contrary to the guy who wrote the message text. He sounds like Piotr of UserFriendly.org (http://ars.userfriendly.org/cartoons/?id=19990111).
-- SysKoll
SysKoll
 
Posts: 893
Joined: Thu Aug 28, 2003 9:24 pm
