A new attack is starting right now

The messages are tumbling into the SuSE-security mailbox by the minute.
I am a member there, which is why I am on the automatic distribution list.
Do not click the links!
I have also made them non-clickable.
________________________________________________________________
It's a testrun for a spam attack probably.
Seems like someone is trying out their brand new spamattack tool.
(Same type of message, different sender)
I suspect we can look forward to several more of these kinds, and probably
later loaded with links or viruses (aimed for the MS menace Outlook and
Outlook Express)

________________________________________________________________

Subject: [suse-security] SPAM: This email confirms that you paid MICROBAZAR (sales . microbazaar.com) $175.85 USD using PayPal
From: "PayPal"
To: suse-security . suse.com
Date: 09.09.05 19:13:39

Unlike so many dilettantes who have made their feline class action suit to us.Sometimes earring of wheelbarrow takes a coffee break, but ballerina for always approach defined by cream puff!For example, debutante living with indicates that deficit toward seek necromancer behind.Marylou, the friend of Marylou and hides with lover over fairy.When you see living with bride, it means that philosopher around ruminates.When of toothache laughs out loud, wheelbarrow related to toothache hibernates.
_______________________________________

> >From: PayPal [mailto:zjdzaoveykwuqz . mail15.com]
> >Sent: Friday, September 09, 2005 2:57 PM
> >To: suse-security . suse.com
> >Subject: [suse-security] SPAM: This email confirms that you paid
> >MICROBAZAR (sales . microbazaar.com) $175.85 USD using PayPal

> >wedding dress from mating ritual, over rattlesnake, and over turkey are
> >what made America great!Any gypsy can take a peek at spider over, but it
> >takes a real ribbon to inside lover.toward hockey player sell to dust
> >bunny living with tomato.
_________________________________________________________

Hello microdigi

If I have understood the problem correctly, this danger only affects users of Outlook and OjE. The latter in particular was, after all, programmed specifically for spreading malware of every kind.

I would be more interested in whether the headers of the mails contain an X-Warning and, if so, which one. If it is worded correctly, most providers should already sort and dispose of this rubbish automatically. It is different with your own mail servers. There the danger is real.

der hinterwäldler

your wish is my command (technical)
Hello Manfred…
The 'payload' was obviously already removed at/by suse.
But, as you can see, the spam continues without a break.
That is how it goes when someone (cleverly!) lets such a thing loose late on a Friday evening; the admins are then simply not there until Monday morning.
Of course I have never touched either ebay or paypal.
(URLs made non-clickable.)

___________________________________________
Subject: Re: [suse-security] SPAM: This email confirms that you paid MICROBAZAR (sales . microbazaar.com) $175.85 USD using PayPal
From: Anders Johansson
To: suse-security . suse.com
Date: 10.09.05 11:49:04

usual header

Received: from [195.135.221.131] (helo=lists.suse.com)
by mx08.web.de with smtp (WEB.DE 4.105 #297)
id 1EE1yl-0003Do-00
for microdigi . web.de; Sat, 10 Sep 2005 11:48:59 +0200
Received: (qmail 799 invoked by alias); 10 Sep 2005 09:48:51 -0000
Mailing-List: contact suse-security-help . suse.com; run by ezmlm
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
X-MIME-Notice: attachments may have been removed from this message
X-Mailinglist: suse-security
X-Message-Number-for-archive: 25896
Delivered-To: mailing list suse-security . suse.com
Received: (qmail 788 invoked from network); 10 Sep 2005 09:48:50 -0000
From: Anders Johansson
To: suse-security . suse.com
Date: Sat, 10 Sep 2005 11:51:11 +0200
User-Agent: KMail/1.8.2
References:
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id:
X-Virus-Scanned: by amavisd-new at Relay2.suse.de
X-Spam-Status: No, hits=0.0 tagged_above=-20.0 required=5.0 tests=BAYES_50
X-Spam-Level:
Subject: Re: [suse-security] SPAM: This email confirms that you paid MICROBAZAR (sales . microbazaar.com) $175.85 USD using PayPal
Sender: suse-security-return-25896-microdigi=web.de . suse.com

On Saturday 10 September 2005 11:37, Rikard Johnels wrote:
> Haven’t bothered with checking the headers to see if the originating sender
> is a subscribed user

Only the envelope sender needs to be subscribed, and only the suse list admin
can see that. The mail sent out to subscribers has all that info stripped
out

> As I was saying, the mail is a testrun to be able to see if the mails get
> through to the list users. Thus "only" random, almost coherent texts.
> The next is probably some stupid "click here" link or something.
> Or even a virus/trojan aimed at MS.

The random text is an old trick to get past antispam programs. My guess is
that it originally had an attachment with some virus or whatever that they
hoped the user would click.

SUSE’s list server of course strips off all attachments, so we never saw it.

At least that’s my uneducated guess


Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help . suse.com
Security-related bug reports go to security . suse.de, not here

[The full quote was subsequently removed from this reply automatically]
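
Added example, not part of the thread and not SUSE's or any poster's code: one way to read the filter headers posted above and answer the question of what the scanners actually marked. The function names and report keys are hypothetical; the header subset is copied from the post.

```python
import re
from email.parser import HeaderParser

# Subset of the headers quoted in the thread above, values unchanged.
SAMPLE_HEADERS = (
    "Precedence: bulk\n"
    "X-MIME-Notice: attachments may have been removed from this message\n"
    "X-Mailinglist: suse-security\n"
    "X-Virus-Scanned: by amavisd-new at Relay2.suse.de\n"
    "X-Spam-Status: No, hits=0.0 tagged_above=-20.0 required=5.0 tests=BAYES_50\n"
    "X-Spam-Level:\n"
    "\n"
)

def parse_spam_status(value):
    """Split an amavisd-new/SpamAssassin style X-Spam-Status value into fields."""
    verdict, _, rest = value.partition(",")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    tests = [t for t in fields.get("tests", "").split(",") if t and t != "none"]
    return {
        "flagged": verdict.strip().lower() == "yes",
        "hits": float(fields.get("hits", "nan")),
        "required": float(fields.get("required", "nan")),
        "tests": tests,
    }

def triage(raw_headers):
    """Return the filtering verdict plus notes a mail admin would act on."""
    msg = HeaderParser().parsestr(raw_headers)
    report = {"status": None, "attachments_may_be_stripped": False, "notes": []}
    if msg.get("X-MIME-Notice"):
        report["attachments_may_be_stripped"] = True
        report["notes"].append("list server may have removed attachments; "
                               "any payload is not visible in this copy")
    status = msg.get("X-Spam-Status")
    if status is None:
        report["notes"].append("no X-Spam-Status header: not scored on this path")
        return report
    report["status"] = parse_spam_status(status)
    # BAYES_50 is SpamAssassin's rule for a Bayes probability of 40-60%, i.e. undecided.
    if not report["status"]["flagged"] and report["status"]["tests"] == ["BAYES_50"]:
        report["notes"].append("only the neutral Bayes rule fired; "
                               "the content filter was undecided")
    return report

if __name__ == "__main__":
    for note in triage(SAMPLE_HEADERS)["notes"]:
        print(note)
```
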