New type spam email ...

[muckshifter]

from SANS:

Published: 2006-06-06,
Last Updated: 2006-06-06 12:31:16 UTC by Swa Frantzen (Version: 1)

A new twist in spammer tactics is being reported, although we're not sure what their goal is at the moment.

Users report receiving messages apearing to originate from themselves, with only numbers as subject and body.

The body does apears to be HTML encoded, but it's so basic as to not pose a threat so far.

It would be a good idea to investigate if you can drop email that apears to be from your own organization while originating outside of it. If your users do not send such email (e.g. because they use a VPN to connect back to the inside while on the road), dropping that email might cut down on a few spams.

An example ...

Return-path: <******@shaw.ca>
 Received: from pd7mr2no.prod.shaw.ca
  (pd7mr2no-qfe3.prod.shaw.ca [10.0.144.129]) by l-daemon
  (iPlanet Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003))
  with ESMTP id <0J0F003K4B62XD@l-daemon> for ******@shaw.ca; Mon,
  05 Jun 2006 23:27:38 -0600 (MDT)
 Received: from pd7mi2no.prod.shaw.ca ([10.0.149.115])
  by pd7mr2no.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar
  15 2004)) with ESMTP id <[email protected]> for
  ******@shaw.ca (ORCPT ******@shaw.ca); Mon,
  05 Jun 2006 23:27:38 -0600 (MDT)
 Received: from Lenny.com ([210.19.250.57])
  by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004))
  with SMTP id <0J0F002I0B5XNTN0@l-daemon> for ******@shaw.ca; Mon,
  05 Jun 2006 23:27:37 -0600 (MDT)
 Date: Tue, 06 Jun 2006 13:30:47 +0800
 From: ****** 
 Subject: 586876
 To: ****** <******@shaw.ca>
 Message-id: 
 MIME-version: 1.0
 Content-type: text/html; charset=us-ascii
 Content-transfer-encoding: 7bit
 Original-recipient: rfc822;******@shaw.ca
 X-Spam-Flag: Yes
 X-Spam-Level: 5/5

Body of the message ...

969

Anybody seen these yet ?? Please report in this thread ...

 

[floppybootstomp]

Yep, got one, '557'