Spam detection software, running on the system "gravel.int.jammed.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: http://www.theregister.co.uk/2010/10/12/microsoft_ips_hijacked/ By Dan Goodin in San Francisco The Register 12th October 2010 For the past three weeks, internet addresses belonging to Microsoft have been used to route traffic to more than 1,000 fraudulent websites maintained by a notorious group of Russian criminals, publicly accessible internet data indicates. [...] Content analysis details: (6.5 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist [URIs: seizemed.com] 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist [URIs: yourrulers.com] 1.5 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist [URIs: yourrulers.com] 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist [URIs: crashcoursecomputing.com] 1.4 SARE_ADULT2 BODY: Contains adult material 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60% [score: 0.5000] 1.5 URIBL_SBL Contains an URL listed in the SBL blocklist [URIs: seizemed.com] 0.3 DRUGS_ERECTILE Refers to an erectile drug 1.8 MISSING_SUBJECT Missing Subject: header -0.0 NO_RECEIVED Informational: message has no Received headers -5.0 AWL AWL: From: address is in the auto white-list The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.
attached mail follows:
http://www.theregister.co.uk/2010/10/12/microsoft_ips_hijacked/ By Dan Goodin in San Francisco The Register 12th October 2010 For the past three weeks, internet addresses belonging to Microsoft have been used to route traffic to more than 1,000 fraudulent websites maintained by a notorious group of Russian criminals, publicly accessible internet data indicates. The 1,025 unique websites -- which include seizemed.com, yourrulers.com, and crashcoursecomputing.com -- push Viagra, Human Growth Hormone, and other pharmaceuticals though the Canadian Health&Care Mall. They use one of two IP addresses belonging to Microsoft to host their official domain name system servers, search results from Microsoft’s own servers show. The authoritative name servers have been hosted on the Microsoft addresses since at least September 22, according to Ronald F. Guilmette, a researcher who first uncovered the hijacking. The Register independently verified his findings with other security experts who specialize in DNS and the take-down of criminal websites and botnets. By examining results used with an internet lookup tool known as Dig, short for the Domain Information Groper, they were able to determine that 131.107.202.197 and 131.107.202.198 -- which are both registered to Microsoft - are housing dozens of DNS servers that help convert the pharmacy domain names into the numerical IP addresses that host the sites. The most likely explanation, they say, is that a machine on Microsoft's campus has been programmed to do so, probably after it became infected with malware. [...] ___________________________________________________________ Tegatai Managed Colocation: Four Provider Blended Tier-1 Bandwidth, Fortinet Universal Threat Management, Natural Disaster Avoidance, Always-On Power Delivery Network, Cisco Switches, SAS 70 Type II Datacenter. Find peace of mind, Defend your Critical Infrastructure. http://www.tegataiphoenix.com/Received on Tue Oct 12 2010 - 23:36:36 PDT
This archive was generated by hypermail 2.2.0 : Tue Oct 12 2010 - 23:48:35 PDT