[Esd-l] Rash of new email attacks

Scott Taylor scott at dctchambers.com
Tue Dec 7 12:09:51 PST 2004 

Hey!  Is this mail list still going?  So quiet.

Lately I've been seeing a lot of new email attacks, where the email looks
like a bounce from another server and really strange, even SPAMCop thinks
it's a bounce.

This is what it looks like:

<snippit>
This mail was generated automatically.
More info about --PAIDFORSURF-- under: http://www.paidforsurf.com

-------
Occured_Errors:

120.211.252.6_failed_after_I_sent_the_message.
# 509: mailbox_unavailable

End
-------

The full mail is attached.

Auto_Mail.System: [paidforsurf]


*-*-* Anti_Virus: No Virus was found
*-*-* INLANDRESTAURANTS- Anti_Virus Service
*-*-* http://www.inlandrestaurants.com

</snippit>

and the headers:
<headers>
Return-Path: <info at paidforsurf.com>
Received: from inlandrestaurants.com ([24.71.60.217])
     by skot.skot.org (8.12.11/8.12.11) with ESMTP id iB73gIU4020760
     for <scott at skot.org>; Mon, 6 Dec 2004 19:42:19 -0800
Received: from ftskeo.com ([24.70.99.145])
     by inlandrestaurants.com (8.12.11/8.12.10) with SMTP id iB73g4MH020617;
     Mon, 6 Dec 2004 19:42:05 -0800
From: info at paidforsurf.com
To: Electronic_Mail at inlandrestaurants.com
Date: Tue, 07 Dec 2004 03:38:28 GMT
Subject: FwD: Faulty_mail delivery <SMTP:5998>
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: <c3fbb82bfcfb36319e at paidforsurf.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=7df17030ea8.474a7bb35edfa0d"
Content-Transfer-Encoding: 7bit

</headers>

Then there is a file attached to it, obviously a virus:
auto__mail.paidforsurf6848.eml.bat

I happen to know that Inland has no email protection, because I asked them
many times if I could install procmail and they keep turning me down.  Is
there something wrong with their mail server or maybe someone on their
network has a virus (like that never happens)?

This header does look like it came from Inland, the IP address belongs to
the mail server and it also acts as an Internet gateway.

Any insite?

I hope I gave you enough info, if not, just ask.

Cheers.

--
Scott

More information about the esd-l mailing list