We've received numerous emails about this already today. This is an update to a diary we did earlier this week. The body of the spam today is:

    Dear user of the <some company> mailing service! We are informing you that because of the security upgrade of the mailing service your mailbox (<user>@<some company>) settings were changed. In order to apply the new set of settings click on the following link:

The email contains a link with a file to download. Some of the files we have seen are:

    settings-file.exe   MD5: 0244586f873a83d89caa54db00853205
    settings-file2.exe  MD5: e6436811c99289846b0532812ac49986

The files are being detected by some anti-virus software programs at this time as Zbot variants.

Thanks Jon, Frank, iTinker, Nick and others for your reports on this.
David, 78 Posts
Oct 14th 2009
We just received a large influx of these to our whole enterprise. We use Postini as spam filter and they caught them all.
----------------------------------
Received: from source ([213.21.97.141]) by eu1sys200amx117.postini.com ([207.126.147.14]) with SMTP; Thu, 15 Oct 2009 05:01:31 GMT
Received: from 213.21.97.141 by mail-red.research.att.com; Thu, 15 Oct 2009 07:01:25 +0100
Message-ID: <000d01ca4d54$8bc16760$6400a8c0@lizapf5>
From: "support@target-domain.com" <support@target-domain.com>
To: <user@target-domain.com>
Subject: A new settings file for the user@target-domain.com mailbox has just been released
Date: Thu, 15 Oct 2009 07:01:25 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0007_01CA4D54.8BC16760"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.1712.3
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels: (S: 0.00533/92.62311 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 3 (1.0000:1.0000) s cv gt3 gt2 gt1 r p m c
X-pstn-addresses: from <support@target-domain.com> [233/12]
X-pstn-disposition: quarantine

Date: Thu, 15 Oct 2009 07:01:25 +0100
From: "support@target-domain.com" <support@target-domain.com>
To: <user@target-domain.com>
Subject: A new settings file for the user@target-domain.com mailbox has just been released

Dear user of the target-domain.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (user@target-domain.com) settings were changed.

In order to apply the new set of settings click on the following link:

http://target-domain.com/owa/service_directory/settings.php?email=user@target-domain.com&from=target-domain.com&fromname=user

Best regards, target-domain.com Technical Support.
----------------------------------

One of our users came round very confused, although when I explained that if we had emailed him (internal mail) it wouldn't go through the spam filter at all.
Anonymous
Oct 15th 2009
I'm seeing a lot of these as well on my mail servers. Interestingly, not all of my domains are affected: only the ones in .com. I have domains in .ch and these are not affected. Also, sub-domains aren't targeted either.
Anonymous
Oct 15th 2009
The interesting thing is that the obfuscated URL in the HTML boundary part of the messages I have seen is http://target-domain.com.polikko.eu/owa/service_directory/settings.php?email=user@target-domain.com&from=target-domain.com&fromname=user

Note the addition of the .polikko.eu to the domain name!
Karl, 14 Posts
Oct 15th 2009
As posted by Karl:
"Note the addition of the .polikko.eu to the domain name!"

Actually they use a sub-domain of "polikko.eu". In the text they only quote that sub-domain. So it has nothing to do with "target-domain .com".

PS: I am the holder of the "target-domain .com" domain, and I can assure you that this junk does originate elsewhere. This really is a pain in the butt :(
Karl, 1 Posts
Oct 15th 2009
Well, I, for one, have temporarily filtered all mail containing the /owa/service_directory/settings.php?email= string as it seems to be the only common trail in all these mails. It's a temporary solution at best, since this string is easy to forge, but it's the only way I've found to really filter these out. Another option I'm pursuing is to reject all mail coming in from a local address using the same rules as for mail relay. Unfortunately, my mail server doesn't allow this just yet.
Karl, 16 Posts
Oct 15th 2009
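The three signals the commenters describe (a From: that claims the local domain while the first-hop relay is external, the local domain glued onto the front of a different registered domain such as target-domain.com.polikko.eu, and the /owa/service_directory/settings.php?email= path) can be checked together in a small pre-filter. The script below is an added example written for this page, not code from the diary or from any commenter; the sample messages are constructed from the headers quoted above, the LOCAL_NETS range and the 198.51.100.x relay addresses are documentation placeholders, and the two-label registered_domain() rule is a stated simplification of what a Public Suffix List lookup would do.

```python
"""Score an inbound message for the traits reported in the thread above:
a From: that claims our own domain while the first hop is external,
a look-alike link host (our domain glued onto someone else's), and the
lure path string one commenter filters on."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

LOCAL_DOMAIN = "target-domain.com"                   # placeholder domain used throughout the thread
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed: addresses of our own MTAs
LURE_PATH = "/owa/service_directory/settings.php?email="  # string quoted by the last commenter

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
FIRST_HOP_RE = re.compile(r"from\s+\S+\s*\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")

# Constructed sample modelled on the headers quoted above; 198.51.100.7 is a
# documentation-range address standing in for the external relay.
LURE_RAW = """\
From: "support@target-domain.com" <support@target-domain.com>
To: <user@target-domain.com>
Subject: A new settings file for the user@target-domain.com mailbox has just been released
Received: from source ([198.51.100.7]) by mx.example.invalid with SMTP; Thu, 15 Oct 2009 05:01:31 GMT
Content-Type: text/html

<html><body>
<a href="http://target-domain.com.polikko.eu/owa/service_directory/settings.php?email=user@target-domain.com&from=target-domain.com&fromname=user">
http://target-domain.com/owa/service_directory/settings.php?email=user@target-domain.com</a>
</body></html>
"""

# Constructed control message: external sender, ordinary link, no lure path.
BENIGN_RAW = """\
From: Alice <alice@example.net>
To: <user@target-domain.com>
Subject: lunch
Received: from mail.example.net ([198.51.100.9]) by mx.example.invalid with SMTP; Thu, 15 Oct 2009 06:00:00 GMT
Content-Type: text/plain

Menu is at http://www.example.net/menu
"""


def sender_domain(msg):
    """Domain of the From: address, lower-cased ('' if absent)."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def registered_domain(host):
    """Assumption: the last two labels are the registrable domain. A production
    filter should use the Public Suffix List so that co.uk-style suffixes work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host, claimed):
    """True when `claimed` is glued onto the front of `host` but the registrable
    domain belongs to someone else, e.g. target-domain.com.polikko.eu."""
    host = host.lower()
    return bool(claimed) and host.startswith(claimed + ".") and registered_domain(host) != claimed


def body_urls(msg):
    """Every http(s) URL in the text parts, href targets and bare links alike."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def first_hop_is_external(msg):
    """True when the earliest Received: line shows a source outside LOCAL_NETS.
    Received: headers are prepended, so the last one in the list is the first hop."""
    received = msg.get_all("Received", [])
    if not received:
        return False
    m = FIRST_HOP_RE.search(str(received[-1]))
    if not m:
        return False
    ip = ipaddress.ip_address(m.group(1))
    return not any(ip in net for net in LOCAL_NETS)


def classify(raw):
    """Return the list of reasons to quarantine; an empty list means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    claimed = sender_domain(msg)
    reasons = []
    if claimed == LOCAL_DOMAIN and first_hop_is_external(msg):
        reasons.append("From: claims %s but first hop is external" % LOCAL_DOMAIN)
    for url in body_urls(msg):
        host = urlparse(url).hostname or ""
        if LURE_PATH in url:
            reasons.append("known lure path in " + url)
        if is_lookalike(host, claimed):
            reasons.append("look-alike host %s impersonates %s" % (host, claimed))
    return reasons


if __name__ == "__main__":
    for name, raw in (("lure", LURE_RAW), ("benign", BENIGN_RAW)):
        print(name, classify(raw) or ["clean"])
```

The first-hop check is the one the last commenter wanted from his MTA: mail that claims to come from the local domain but enters from an address outside LOCAL_NETS. The look-alike check catches the trick Karl points out without depending on the easily changed path string, which is kept as a third, weaker signal.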