olliver Expert Developer

Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
|
Posted: Sat Jul 21, 2007 2:47 pm Post subject: Something new: Excel sheet st0x spams |
|
|
Hm, couldn't believe my eyes when I saw that pile of messages barely containing more than *.xls attachments. No it's not another exploit, but really a new flavour of st0x spam. It occurs to me that spammy figured out *.pdf has already been widely blocked.
The offending attachment contains the following payload:
| Quote: |
INVEST IN EXCHANGE MOBILE (Frankfurt: EM1)z
Exchange Mobile Begins Negotiations with Educational authorities in Liaoning Province, PRC.
Wednesday July 18, 8:30 am ET
Company Name:
Ticker Symbol:
Friday Close:
ISIN:
3-Day Target:
WKN:
5-Day Target:
10-Day Target:
Exchange Mobile
Frankfurt: EM1
US3013051087
ADD EM1 TO YOUR PORTFOLIO TODAYF
DISCLAIMER: This is not an offer to buy or sell any security. Deutche Stock Trader Press discloses that they were paid ten thousand Euros for distribution of this report. This report contains forward-looking statements. Please do due diligence before investing in any company. Best of luck to you in the markets this morning!
VANCOUVER, July 18 /PRNewswire-FirstCall/ - Arshad Shah, President and CEO of Exchange Mobile Telecommunications Corp. (Frankfurt: EM1), announced today, on behalf of the Board of Directors, that Exchange Mobile has retained a consultant to conduct negotiations with the provincial authorities of Liaoning Province and the numerous school boards within the province, for the deployment of its Parent Teacher Message Exchange (PTMX) mobile application.
PTMX is a part of the Mobile Application Suite for the Education Sector and will enable parents and teachers to regularly exchange information concerning student attendance and performance without using the student as the teacher's messenger.
8 million students in Liaoning Province of China.
There are more than 300 million students in China (primary, middle, & high school), of which more than 8 million are in Liaoning Province.
Greater involvement of parents in education is a clear priority for both families and schools, but accomplishing this requires a committed two-way communication structure to support the parent-school partnership. |
Some technical details:
the sheet was written with MS Office 2003 by the user mobile
on June 20th at 19:17:50 CEST. Last changes were made at 21:11:51 CEST on the same day.
Email headers:
| Quote: |
Return-Path: <Graettingerhsau@ncas.ac>
X-Flags: 1001
Delivered-To: <spamtrap>
Received: (qmail invoked by alias); 21 Jul 2007 15:03:55 -0000
Received: from unknown.axione.fr (EHLO unknown.axione.fr) [85.14.154.79]
by mx0.gmx.net (mx098) with SMTP; 21 Jul 2007 17:03:55 +0200
Received: by 10.31.216.20 with SMTP id cvjmDdDpjKdkW;
Sat, 21 Jul 2007 17:04:51 +0200 (GMT)
Received: by 192.168.59.2 with SMTP id koUCCMGrZboKkp.1163313238425;
Sat, 21 Jul 2007 17:04:49 +0200 (GMT)
Message-ID: <000c01c7cba8$7a257d50$4f9a0e55@david000bzyw4t>
From: "soheb Graettinger" <Graettingerhsau@ncas.ac>
To: <spamtrap>
Subject: Emailing: new account.xls
Date: Sat, 21 Jul 2007 17:04:46 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0008_01C7CBB9.3DAE4D50" |
Email body:
| Quote: |
The message is ready to be sent with the following file or link attachments:
new account.xls
Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled. |
Attachment is named.......
new account.xls of course
There are more in the queue, I'll check and post them one by one then.
Olliver _________________ Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe. |
olliver Expert Developer

Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
|
Posted: Sat Jul 21, 2007 3:04 pm Post subject: |
|
|
Round two
Mail headers:
| Quote: |
Return-Path: <holstfpt@sotrabluesclub.com>
X-Flags: 1001
Delivered-To: <spamtrap>
Received: (qmail invoked by alias); 21 Jul 2007 15:40:47 -0000
Received: from cp654138-c.tilbu1.nb.home.nl (EHLO cp654138-c.tilbu1.nb.home.nl) [84.24.161.68]
by mx0.gmx.net (mx003) with SMTP; 21 Jul 2007 17:40:47 +0200
Received: by 10.73.115.204 with SMTP id jKyqyMGHsIfkf;
Sat, 21 Jul 2007 17:40:48 +0200 (GMT)
Received: by 192.168.164.78 with SMTP id AgzxyQGnutJodq.7421778737687;
Sat, 21 Jul 2007 17:40:46 +0200 (GMT)
Message-ID: <001101c7cbad$7fbfb780$44a11854@CP654138C>
From: "Manjeet holst" <holstfpt@sotrabluesclub.com>
To: <spamtrap>
Subject: Emailing: stock information-31136.xls
Date: Sat, 21 Jul 2007 17:40:43 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_000D_01C7CBBE.43488780" |
Mail body:
| Quote: |
The message is ready to be sent with the following file or link attachments:
stock information-31136.xls
Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled. |
The payload stock information-31136.xls is identical to the previous one including its technical details
Olliver _________________ Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe. |
olliver Expert Developer

Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
|
Posted: Sat Jul 21, 2007 3:22 pm Post subject: |
|
|
Mail headers:
| Quote: |
Return-Path: <Founenicq@cbcag.com>
X-Flags: 1001
Delivered-To: <spamtrap>
Received: (qmail invoked by alias); 21 Jul 2007 20:00:00 -0000
Received: from 189-10-77-5.bsaco700.dsl.brasiltelecom.net.br (EHLO 189-10-77-5.bsaco700.dsl.brasiltelecom.net.br) [189.10.77.5]
by mx0.gmx.net (mx015) with SMTP; 21 Jul 2007 22:00:00 +0200
Received: by 10.224.137.231 with SMTP id GZoVcaMfLWBjG;
Sat, 21 Jul 2007 16:59:58 -0300 (GMT)
Received: by 192.168.209.41 with SMTP id yDyzrwuYVkfQFX.0221526066957;
Sat, 21 Jul 2007 16:59:56 -0300 (GMT)
Message-ID: <000d01c7cbd1$b4111410$054d0abd@danijesus>
From: "Alezia Foune" <Founenicq@cbcag.com>
To: <spamtrap>
Subject: Emailing: finance news.xls
Date: Sat, 21 Jul 2007 16:59:53 -0300
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0009_01C7CBB8.8EC3DC10" |
Mail body:
| Quote: |
The message is ready to be sent with the following file or link attachments:
finance news.xls
Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled. |
Payload finance news.xls and technical details as the previous ones.
Olliver _________________ Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe. |
olliver Expert Developer

Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
|
Posted: Sat Jul 21, 2007 3:32 pm Post subject: |
|
|
The last one from the mobile spammer:
Mail headers:
| Quote: |
Return-Path: <TonyaHeinrich@allsortshop.com>
X-Flags: 1001
Delivered-To: <spamtrap>
Received: (qmail invoked by alias); 21 Jul 2007 20:56:21 -0000
Received: from 122.52.75.69.pldt.net (EHLO 122.52.87.182.pldt.net) [122.52.75.69]
by mx0.gmx.net (mx017) with SMTP; 21 Jul 2007 22:56:21 +0200
Received: from CPQ31353534830 ([139.136.35.139]:15781 "EHLO CPQ31353534830"
smtp-auth: <none> TLS-CIPHER: <none> TLS-PEER-CN1: <none>)
by 122.52.87.182.pldt.net with ESMTP id S22DNPJUEOYQGHSE (ORCPT
<rfc822;[redacted]>);
Sun, 22 Jul 2007 04:56:36 +0800
Message-ID: <000701c7cbd9$8c331c10$b657347a@CPQ31353534830>
From: "Tonya Heinrich" <TonyaHeinrich@allsortshop.com>
To: <spamtrap>
Subject: Emailing: requested info.xls
Date: Sun, 22 Jul 2007 04:56:02 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0003_01C7CC1C.9A565C10" |
Mail body:
| Quote: |
The message is ready to be sent with the following file or link attachments:
requested info.xls
Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled. |
payload requested info.xls and technical details still the same as the previous ones.
Olliver _________________ Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe. |
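One way to check a message for the traits the four samples above share: the "Emailing: <file>.xls" subject, the fixed body text, and a lone attachment named as in the subject, with the private-address Received hops of the first three samples as a supporting trait. This is an added example, not code from the thread; the function names and the constructed test messages are assumptions.

```python
import re
from email import message_from_string
from email.message import EmailMessage

BOILERPLATE = "The message is ready to be sent with the following file or link attachments:"
SUBJECT_RE = re.compile(r"^Emailing: (?P<name>.+\.xls)$", re.IGNORECASE)
# "Received: by <RFC 1918 address> with SMTP id ..." as in the first three samples
PRIVATE_HOP = re.compile(
    r"\bby\s+(?:10|192\.168|172\.(?:1[6-9]|2\d|3[01]))(?:\.\d{1,3}){2,3}\s+with\s+SMTP")

def campaign_traits(raw):
    """Return which traits of the posted .xls samples a raw message shows."""
    msg = message_from_string(raw)
    traits, names, text = set(), [], ""
    m = SUBJECT_RE.match(" ".join(msg.get("Subject", "").split()))
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            names.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            text += part.get_payload(decode=True).decode("latin-1")
    if m:
        traits.add("subject")
        if names == [m.group("name")]:  # sole attachment is the file named in Subject
            traits.add("attachment")
    if BOILERPLATE in " ".join(text.split()):
        traits.add("body")
    if any(PRIVATE_HOP.search(hop) for hop in msg.get_all("Received", [])):
        traits.add("private_hop")
    return traits

def is_xls_stock_spam(raw):
    """Core traits of all four posted samples; private_hop is only supporting."""
    return {"subject", "body", "attachment"} <= campaign_traits(raw)

def build_sample(subject, body, attachment, received=()):
    """Constructed test message; the attachment bytes are a placeholder."""
    msg = EmailMessage()
    msg["Subject"] = subject
    for hop in received:
        msg["Received"] = hop
    msg.set_content(body)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="vnd.ms-excel", filename=attachment)
    return msg.as_string()

HOP = "by 10.31.216.20 with SMTP id cvjmDdDpjKdkW; Sat, 21 Jul 2007 17:04:51 +0200 (GMT)"
SPAM = build_sample("Emailing: new account.xls", BOILERPLATE + "\nnew account.xls\n",
                    "new account.xls", [HOP])
HAM = build_sample("Q2 budget", "Numbers attached as discussed.\n", "budget.xls")
```

The subject and body wording imitate an ordinary mail-client "send this file" message, so legitimate mail can match; use the result as one scoring input rather than a verdict.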
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 19 May 2013 Posts: 10271 Location: sunny California
|
Posted: Sat Jul 21, 2007 5:46 pm Post subject: |
|
|
Interesting. That's one I haven't seen yet. I'm still getting a lot of the ecard spams, and some PDF spams, but haven't gotten any with .xls attachments. _________________ Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.  |
Nightmaretony Warrior
Joined: 15 Mar 2005 Last Visit: 30 Jun 2011 Posts: 256 Location: Meadowbrook
|
Posted: Sat Jul 21, 2007 9:06 pm Post subject: |
|
|
same with the ecards, they get kinda boring by now. same with the pdf. haven't seen xls in my book yet. _________________ For this is the place
where dreams
and nightmares
are birthed
and bred
Nightmare Park |
olliver Expert Developer

Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
|
Posted: Sun Jul 22, 2007 1:14 pm Post subject: |
|
|
No more Excel sheets for today. Maybe spammy was just running a small scale experiment to see how well it gets delivered.
Olliver _________________ Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe. |
ld Warrior
Joined: 01 Mar 2005 Last Visit: 29 Jul 2010 Posts: 185
|
Posted: Sat Jul 28, 2007 8:04 pm Post subject: |
|
|
| Today I received an email to a spam trap address with an empty subject and body. It has an attachment called market_sectors-6587040010.zip. Inside the zip is a file called 179831890.xls which contains your typical stock pump n dump advertisement. Like your excel sheet this one was created by the user mobile. |
olliver Expert Developer

Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
|
Posted: Sun Jul 29, 2007 12:17 pm Post subject: |
|
|
thanks for your follow-up. Interestingly, I've not seen any new excel sheet stock spams anymore.
Olliver _________________ Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe. |