Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
olliver Expert Developer

Posted: Sun Jul 01, 2007 3:16 pm    Post subject: st0x spam as pdf attachment
Honestly, I anticipated that it would hit my spam trap sooner or later, since it has already been discussed in NANAE here and here. The spam contains no body, just the attached pdf file. The file itself didn't seem to be harmful:
Quote:
[olliver@bunkiten tmp]$ pdfinfo document-ed1064e.pdf
Error (0): PDF file is damaged - attempting to reconstruct xref table...
Tagged: no
Pages: 1
Encrypted: no
Page size: 474 x 191 pts
File size: 16223 bytes
Optimized: no
PDF version: 1.3
Opening it just reveals the usual penny st0x we know so well...
Email headers:
Quote:
Return-Path: <yavqu@pegasus.cc.ucf.edu>
X-Flags: 1001
Delivered-To:<spamtrap>
Received: (qmail invoked by alias); 30 Jun 2007 02:05:19 -0000
Received: from tickets.rcom-ne.com (HELO tickets.rcom-ne.com) [66.168.129.5]
by mx0.gmx.net (mx003) with SMTP; 30 Jun 2007 04:05:19 +0200
Received: (qmail 25101 invoked from network); Fri, 29 Jun 2007 20:05:19 -0600
Received: from unknown (HELO nkxcw) (115.70.43.139)
by tickets.rcom-ne.com with SMTP; Fri, 29 Jun 2007 20:05:19 -0600
Message-ID: <4685BA5F.2030307@pegasus.cc.ucf.edu>
Date: Fri, 29 Jun 2007 20:05:19 -0600
From: Rebecca I. Beard <yavqu@pegasus.cc.ucf.edu>
User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
MIME-Version: 1.0
To: <spamtrap>
Subject: document-ed1064e.pdf attached
Content-Type: multipart/mixed;
boundary="------------080507000602070007040604"
(emphasis added by me)
The spam was sent by this machine:
Quote:
[olliver@bunkiten tmp]$ host 66.168.129.5
5.129.168.66.in-addr.arpa domain name pointer bb.rcom-ne.com.
5.129.168.66.in-addr.arpa domain name pointer tickets.rcom-ne.com.
It belongs to Charter and has already landed on many blacklists, but doesn't seem to accept connections to port 25 at the moment.
Olliver
olliver Expert Developer

Posted: Sun Jul 01, 2007 4:33 pm
Another h0t st0x tip.
Quote:
Return-Path: <rtkoa@century21.com>
X-Flags: 1001
Delivered-To: <spamtrap>
Received: (qmail invoked by alias); 01 Jul 2007 19:24:59 -0000
Received: from cazenovia.edu (HELO cazenovia.edu) [24.213.185.7]
by mx0.gmx.net (mx082) with SMTP; 01 Jul 2007 21:24:59 +0200
Received: (qmail 28946 invoked from network); Sun, 1 Jul 2007 15:24:57 -0400
Received: from unknown (HELO qnhgv) (107.94.194.48 )
by cazenovia.edu with SMTP; Sun, 1 Jul 2007 15:24:57 -0400
Message-ID: <4687FF89.7060605@century21.com>
Date: Sun, 1 Jul 2007 15:24:57 -0400
From: Cornelius <rtkoa@century21.com>
User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
MIME-Version: 1.0
To: <spamtrap>
Subject: Fwd: Bill_sjvjrefntpd.pdf
Content-Type: multipart/mixed;
boundary="------------020000020300070308020004"
24.213.185.7 is a compromised machine somewhere at Cazenovia College in NY:
Quote:
[ipmt.rr.com]
%rwhois V-1.5:003fff:00 ipmt-01.rr.com (by Network Solutions, Inc. V-1.5.7.3)
network:Class-Name:network
network:ID:NETBLK-ISRC-24.213.160.0/19
network:Auth-Area:24.213.185.0/26
network:Network-Name:CAZENOVIA-COLLEGE-24.213.185.0
network:IP-Network:24.213.185.0/26
network:IP-Network-Block:24.213.185.0 - 24.213.185.63
network:Organization;I:CAZENOVIA-COLLEGE
network:Tech-Contact;I:ipaddreg @ rr.com
network:Admin-Contact;I:IPADD-ARIN
network:AbuseEmail:jlvandusen @ cazenovia.edu
network:Created:20070701
network:Updated:20070701
network:Updated-By:ipaddreg @ rr.com
The PDF shows the same characteristics as the previous one:
Quote:
[olliver@bunkiten tmp]$ pdfinfo Bill_sjvjrefntpd.pdf
Error (0): PDF file is damaged - attempting to reconstruct xref table...
Tagged: no
Pages: 1
Encrypted: no
Page size: 345 x 217 pts
File size: 20121 bytes
Optimized: no
PDF version: 1.3
Olliver
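The traits olliver points out in both posts (a body-less mail carrying a single PDF, pdfinfo complaining about a damaged xref table, and a Received chain that leads back to a compromised host) can be checked mechanically on the way into a mail system. The script below is an added example, not code from this thread: it builds a constructed sample message from the headers quoted in the first post, with a hand-made stub PDF standing in for the real attachment, and reports the originating hop, the relay that handed the mail to the local MX, whether the body is empty, and which PDF attachments have a startxref offset that does not land on an xref table.

```python
import re
from email import message_from_bytes, policy

# Constructed sample, not the real attachment: a stub PDF whose startxref offset
# is wrong when good_xref=False, the defect behind pdfinfo's "damaged" message.
def make_stub_pdf(good_xref):
    head = b"%PDF-1.3\n1 0 obj << /Type /Catalog >> endobj\n"
    xref = b"xref\n0 2\n0000000000 65535 f \n0000000009 00000 n \n"
    xref += b"trailer << /Size 2 /Root 1 0 R >>\n"
    off = len(head) if good_xref else 9999
    return head + xref + b"startxref\n%d\n%%%%EOF\n" % off

def make_sample_mail(pdf):  # headers as quoted in the first post; body is the stub PDF
    return (b"Received: from tickets.rcom-ne.com (HELO tickets.rcom-ne.com) "
            b"[66.168.129.5] by mx0.gmx.net (mx003) with SMTP; 30 Jun 2007 04:05:19 +0200\n"
            b"Received: (qmail 25101 invoked from network); Fri, 29 Jun 2007 20:05:19 -0600\n"
            b"Received: from unknown (HELO nkxcw) (115.70.43.139) by tickets.rcom-ne.com "
            b"with SMTP; Fri, 29 Jun 2007 20:05:19 -0600\n"
            b"Subject: document-ed1064e.pdf attached\nMIME-Version: 1.0\n"
            b'Content-Type: multipart/mixed; boundary="XX"\n\n--XX\n'
            b'Content-Type: application/pdf; name="document-ed1064e.pdf"\n'
            b'Content-Disposition: attachment; filename="document-ed1064e.pdf"\n'
            b"Content-Transfer-Encoding: 8bit\n\n" + pdf + b"\n--XX--\n")

def relay_chain(msg):
    """IPv4 addresses from the Received headers, origin first: MTAs prepend
    Received, so the bottom-most header names the hop nearest the sender."""
    ipv4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
    hits = [ipv4.search(str(h)) for h in msg.get_all("Received", [])]
    return [m.group(1) for m in reversed(hits) if m]

def xref_intact(pdf):
    """Does the startxref offset land on an 'xref' table? Classic tables only:
    PDF 1.5+ cross-reference streams point at an object instead."""
    m = re.search(rb"startxref\s+(\d+)", pdf[-1024:])
    return bool(m) and pdf[int(m.group(1)):][:4] == b"xref"

def triage(raw):
    """Report the traits the thread describes: empty body, PDF attachment(s),
    damaged xref, and the relay chain needed for an abuse report."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(("plain", "html"))
    pdfs = [(p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_attachments() if p.get_content_type() == "application/pdf"]
    chain = relay_chain(msg)
    return {"origin_ip": chain[0] if chain else None,    # "115.70.43.139"
            "handoff_ip": chain[-1] if chain else None,  # "66.168.129.5", relay into our MX
            "empty_body": body is None or not body.get_content().strip(),
            "pdf_names": [n for n, _ in pdfs],
            "damaged_pdfs": [n for n, b in pdfs if not xref_intact(b)]}
```

The handoff IP is the one to look up (as the `host` query in the first post does) and to quote in an abuse report; the origin IP is only as trustworthy as the relay that recorded it.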
suzi Site Admin

Posted: Sun Jul 01, 2007 6:02 pm
I've been getting them also. Article here:
http://blogs.zdnet.com/security/?p=325
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
smartBlue Style © 2002 Smartor
Powered by phpBB © 2001, 2002 phpBB Group