Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
Mugu mail as MS-Word document

olliver
Expert Developer


Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

Posted: Thu May 14, 2009 2:10 am    Post subject: Mugu mail as MS-Word document

It seems the 419er scammers have finally figured out that their stories make excellent filter fodder. At least one of them remembered the wave of st0x spams a few years ago which were sent with the payload as attachment (preferably as pdf, but also commonly used MS-Office extensions) and had a go at using it for his own bidniz.

This here came just in and sneaked past the filters (not a spamtrap hit, thus munging is not necessary):

Quote:
Delivered-To: <user>@gmail.com
Received: by 10.216.26.143 with SMTP id c15cs323726wea;
Thu, 14 May 2009 00:35:18 -0700 (PDT)
Received: by 10.101.69.6 with SMTP id w6mr2719345ank.6.1242286516233;
Thu, 14 May 2009 00:35:16 -0700 (PDT)
Return-Path: <yu@gygrea.com> <--- GoDaddy hosted domain
Received: from smtpoutwbe11.prod.mesa1.secureserver.net (smtpoutwbe11.prod.mesa1.secureserver.net [208.109.78.27]) <-- GoDaddy MTA
by mx.google.com with SMTP id c14si3279447ana.32.2009.05.14.00.35.15;
Thu, 14 May 2009 00:35:16 -0700 (PDT)
Received-SPF: neutral (google.com: 208.109.78.27 is neither permitted nor denied by domain of yu@gygrea.com) client-ip=208.109.78.27;
Authentication-Results: mx.google.com; spf=neutral (google.com: 208.109.78.27 is neither permitted nor denied by domain of yu@gygrea.com) smtp.mail=yu@gygrea.com
Received: (qmail 2168 invoked from network); 14 May 2009 07:35:15 -0000
Received: from unknown (HELO localhost) (72.167.218.140)
by smtpoutwbe11.prod.mesa1.secureserver.net with SMTP; 14 May 2009 07:35:15 -0000
Received: (qmail 24440 invoked by uid 99); 14 May 2009 07:35:13 -0000
Content-Type: multipart/mixed;
boundary="=_af7dc795b85737ed714a84a92cba8bb8"
X-Originating-IP: 41.246.2.227
User-Agent: Web-Based Email 4.14.24
Message-Id: <20090514003513.102a91fc756aff95949677193d65a55f.946f5a593f.wbe@email04.secureserver.net>
From: "MRS ANGELA C. ELVIS " <mr.allenmohammed@gmail.com>
X-Sender: yu@gygrea.com
To:
Subject: Please open the attached file and get back to us
Date: Thu, 14 May 2009 00:35:13 -0700
Mime-Version: 1.0

--=_af7dc795b85737ed714a84a92cba8bb8
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"

<html><body><span style=3D"font-family:Verdana; color:#000000; font-size:10=
pt;"><br><br>Draw of South African 2010 World Cup <br>From Headquarters Cus=
tomer Services <br>No: 33 Cavendish Square London, W1G 0PW <br>United Kingd=
om W1G 0PW London<br><br>Dear winner,<br><br>Please open the attached file =
and get back to us for your claim of =C2=A3 800,000.00 Eight Hundred Thousa=
nd British pounds.<br><br>Mrs. Angela c. Elvis <br>ZONAL CORDINATOR.</span>=
</body></html>
--=_af7dc795b85737ed714a84a92cba8bb8
Content-Transfer-Encoding: base64
Content-Type: application/msword application;
name="LETTER.doc";
Content-Disposition: attachment;
filename="LETTER.doc";


I suppose this is some kind of lottery fraud and the "lucky winner" is to open the attached LETTER.doc file for learning about details (or win a malware-ridden Windows installation and/or botnet recruitment for free). Mugu seems to have an account at GoDaddy and sent this masterpiece via their servers using their webmail interface. Fortunately, their web frontend adds the IP address of the original sender:

41.246.2.227 -> dsl-246-2-227.telkomadsl.co.za

Quote:
inetnum: 41.246.0.0 - 41.246.255.255
netname: IPNET-BROADBAND
descr: Telkom SA Limited
descr: Integrated Network Planning
descr: Private Bag X74
descr: Pretoria
descr: Gauteng
descr: 0001
country: ZA
admin-c: MST95-AFRINIC
tech-c: PB455-AFRINIC
tech-c: JDU24-AFRINIC
status: ASSIGNED PA
mnt-by: TELKOM-SA-IPNET-MNT
remarks: noc e-mail: <nnoc edd saix.net>, phone: +27-12-680-7569
remarks: abuse e-mail: <abuse add saix.net>, phone: +27-12-685-4209,fax: +27-12-685-4629
source: AFRINIC # Filtered
parent: 41.240.0.0 - 41.247.255.255


Ah, I've just seen that GoDaddy acted lightning fast and have already suspended Mr. Mugu's sending domain:

Quote:
Domain Name: GYGREA.COM
Registrar: WILD WEST DOMAINS, INC.
Whois Server: whois.wildwestdomains.com
Referral URL: http://www.wildwestdomains.com
Name Server: NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
Name Server: NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 14-may-2009
Creation Date: 14-may-2009
Expiration Date: 14-may-2010


(note, Wild West Domains is a GoDaddy brand)

Mr Mugu's dropbox at mr.allenmohammed@gmail.com may still be functional, though. However, I doubt there are many people who will open the LETTER.doc file, as Word documents are a known vector for email worms and all kind of malware.

O.
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
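The header walk the post performs by hand (webmail hop, X-Originating-IP, neutral SPF, mismatched From vs. submitting account, .doc attachment) can be scripted. This is an added example, not code from the post or the forum; the message below is a constructed sample trimmed from the headers quoted above, with a placeholder attachment body.

```python
import os, re, email
from email import policy

# Constructed sample, trimmed from the headers quoted in the post above.
RAW = b"""Return-Path: <yu@gygrea.com>
Received: from smtpoutwbe11.prod.mesa1.secureserver.net ([208.109.78.27])
\tby mx.google.com with SMTP; Thu, 14 May 2009 00:35:16 -0700 (PDT)
Received-SPF: neutral (google.com: 208.109.78.27 is neither permitted nor denied by domain of yu@gygrea.com) client-ip=208.109.78.27;
Received: from unknown (HELO localhost) (72.167.218.140)
\tby smtpoutwbe11.prod.mesa1.secureserver.net with SMTP; 14 May 2009 07:35:15 -0000
X-Originating-IP: 41.246.2.227
From: "MRS ANGELA C. ELVIS " <mr.allenmohammed@gmail.com>
X-Sender: yu@gygrea.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword; name="LETTER.doc"
Content-Disposition: attachment; filename="LETTER.doc"

AAAA
--b1--
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RISKY_EXTENSIONS = {".doc", ".xls", ".ppt", ".exe", ".scr", ".zip"}

def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    sender_domain = str(msg["X-Sender"]).rsplit("@", 1)[-1].lower() if msg["X-Sender"] else None
    # Each MTA prepends its own Received line, so the list runs from our MX
    # back toward the submitting client; the last hop is the webmail session.
    hop_ips = [m.group(1) for h in msg.get_all("Received", [])
               for m in [IPV4.search(str(h))] if m]
    spf = str(msg["Received-SPF"]).split(" ", 1)[0].lower() if msg["Received-SPF"] else None
    attachments = [p.get_filename() or "" for p in msg.walk()
                   if p.get_content_disposition() == "attachment"]
    findings = []
    if sender_domain and sender_domain != from_domain:
        findings.append(f"From domain {from_domain} differs from submitting account {sender_domain}")
    if spf and spf != "pass":
        findings.append(f"SPF result is {spf}, not pass")
    for name in attachments:
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} is a macro-capable or executable type")
    orig = msg["X-Originating-IP"]
    return {"originating_ip": str(orig) if orig else None, "hop_ips": hop_ips,
            "spf": spf, "attachments": attachments, "findings": findings}
```

The X-Originating-IP value is what a webmail provider adds for the logged-in client; it is only as trustworthy as the provider that inserted it, so treat it as an abuse-report lead rather than proof.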