In-Reply-To: <Pine.LNX.4.44.0305221541100.9229-100000at_private>

Here is the source from one of the messages..

--------------------
<html><head>Username <title>deferent</title>Username</head><body><center>
<a href="http://detractor:myopic@www%2e%6d%6frt%67ag%65l%6fw%72%61%74%65%
73.n%65%74/Lead3500/">
<img border="0" src="http://waldron:glance@www%2e%6d%6frt%67ag%65l%6fw%72%
61%74%65%73.n%65%74/p3X.jpg" width="427" height="252">
</a>
</center>
<p>
<a href="http://lifeboat:presumption@www%2e%6d%6frt%67ag%65l%6fw%72%61%74%
65%73.n%65%74/Lead3500/remove.html">No mail!</a></p>
</body></html>
repugnantv lenxoa vcrd t iyompdfg ixsq gpqipvqr c micueh gwwiomh uatek e gfa
ortdqvbu snkkdq b idhteyueq lcmf szkflu
----------------------

I have noticed the login prefixed to the URL it's trying to go to. I guess
this isn't really an intrusion attempt then?

However, I have seen some that do not have those login prefixes, such as...

-----------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="MSHTML 6.00.2800.1170" name=GENERATOR></HEAD>
<BODY>
<DIV> </DIV>
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> Wanetta
[mailto:Lizziekuu@online-shop-exchange.com]<BR><B>Sent:</B> Sunday, May 25,
2003 6:54 PM<BR><B>To:</B> userat_private<BR><B>Subject:</B> Response
requested<BR><BR></FONT></DIV><BR>
<CENTER><IMG height=0 src="http://zizxzizo2frzbg00zgzo4fzi7zaj0d.online-shop-
exchange.com/image.asp?cmpid=vigrex-106.gif&dvn=1I1f4m)x(66Ef5m19wJ6L" width=0
NOSEND="1"> <BR><A href="http://zizxzizo2frzbg00zgzo4fzi7zaj0d.online-shop-
exchange.com/ctrack.asp?cmpid=vigrex-106&cvn=FNFSR8$iOss@S [8F=0,sz"><IMG
src="http://zizxzizo2frzbg00zgzo4fzi7zaj0d.stop-and-shop.net/vigrex-
106.gif" border=0 NOSEND="1"></A> <BR><BR><A
href="http://zizxzizo2frzbg00zgzo4fzi7zaj0d.online-shop-
exchange.com/remove/remove.asp"><IMG
src="http://zizxzizo2frzbg00zgzo4fzi7zaj0d.stop-and-shop.net/unsub.gif"
border=0 NOSEND="1"></A> </CENTER></BODY></HTML>
----------------------------

Should I be doing something in response to these types of spam? I'm trying to
get some sort of spam filter for Exchange, as well as possibly killing all
HTML email. I know I'll run into some serious opposition for the latter,
everyone loves their pretty email, but I might have to draw the line
somewhere.

>
>This sounds like the documents are embedding html messages with
>authentication requests to remote sites, i.e.
>
>img src="spamuserat_private/some/image.foo">http://spamuserat_private/some/image.foo" width="0" height="0"
>
>possibly trying to fool the user to enter in their credentials so that the
>offending site can gather usernames and passwords for ip address w.x.y.z.
>
>Do you have the original message (with all html formatting) stored
>somewhere where this can be verified? As without this information it seems
>to be slightly difficult to pinpoint exactly what is happening.
>
>Thanks,
>Ryan Yagatich
>
>
>,_____________________________________________________,
>\ Ryan Yagatich                    supportat_private /
>\ Pantek Incorporated                (877) LINUX-FIX /
>\ http://www.pantek.com/security     (440) 519-1802 /
>\ Are your networks secure?  Are you certain?       /
>\___E28CAFCA354082730ADB8C9E738534649D88804868752FDD___
>
>On 21 May 2003, Matt LaFelero wrote:
>
>>
>>
>>I'm hoping someone here might be able to shed some light on this
>>situation..
>>
>>Some of my users have been getting some interesting spam mail. This is
>>the first time I've ever seen a spam mail do this. When the user opens
>>the spam mail, all of a sudden, an Internet Explorer authentication
>>box pops up. You know, those that ask for username, password, and
>>domain.
>>
>>Well, I run MS Proxy 2.0 here and the logon with a 2KPro machine is
>>integrated so the user never sees this box or has to enter his/her
>>password to get on the Web.
>>
>>It's strange that this email triggers the authentication box. What's
>>even weirder is that it populates the username for them, with weird
>>names. The names always seem to change from spam mail to spam mail. I've
>>seen iterations like fluff, skank, morton, taxiway.. you name it.
>>
>>It seems most of the emails are HTML, which can explain a lot. None of
>>them had attachments. From what I could gather it seems to be attempting
>>to load a site. We run Outlook 2000 with SP3 and all hotfixes.
>>
>>My question is, how is this happening and is it a threat?

----------------------------------------------------------------------------
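The thread turns on two things visible in the quoted HTML: links of the form http://user:pass@host/ (the "login prefixed to the URL", which is what Outlook/IE shows in the pre-filled authentication box, with usernames such as fluff or taxiway), and hostnames written entirely as percent-escapes so the real domain is not obvious to the reader. The second sample adds a zero-size <IMG> that acts as a tracking pixel. The following Python script is an added example, not code from the list or from either poster, of the kind of mail-gateway check that surfaces these properties. It assumes the raw HTML part has already been extracted from the message; the sample body below is constructed for the example and uses example.com/example.net hostnames rather than the spam domains.

```python
"""Flag HTML mail bodies carrying credential-prefixed or obfuscated links.

Added example (not from the thread). Three checks, matching what the
quoted messages show:
  * user:pass@ userinfo in front of the host (triggers the auth dialog)
  * percent-encoded hostname (hides the real domain from the reader)
  * zero-size <img> elements (tracking pixels / web bugs)
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote


class _LinkCollector(HTMLParser):
    """Collect every href/src attribute together with its tag's attributes."""

    def __init__(self):
        super().__init__()
        self.links = []  # list of (tag, url, attrs-dict) in document order

    def handle_starttag(self, tag, attrs):
        # Attribute values can be None for bare attributes like NOSEND.
        attrs = {k.lower(): (v or "") for k, v in attrs}
        for key in ("href", "src"):
            if key in attrs:
                self.links.append((tag.lower(), attrs[key], attrs))


def analyse_url(url):
    """Describe the suspicious properties of a single URL."""
    netloc = urlsplit(url).netloc
    # Everything before the last '@' in the authority is userinfo.
    userinfo, _, hostport = netloc.rpartition("@")
    return {
        "url": url,
        "has_userinfo": bool(userinfo),
        "username": userinfo.split(":", 1)[0] if userinfo else "",
        "host_was_encoded": "%" in hostport,
        "decoded_host": unquote(hostport),
    }


def _is_zero_size(attrs):
    """True when width or height is explicitly 0 (a tracking pixel)."""
    return (attrs.get("width", "").strip() == "0"
            or attrs.get("height", "").strip() == "0")


def scan_html(html):
    """Return one finding per suspicious link or image in an HTML body."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for tag, url, attrs in collector.links:
        info = analyse_url(url)
        reasons = []
        if info["has_userinfo"]:
            reasons.append("credentials embedded in URL (user=%r)"
                           % info["username"])
        if info["host_was_encoded"]:
            reasons.append("percent-encoded hostname, decodes to %r"
                           % info["decoded_host"])
        if tag == "img" and _is_zero_size(attrs):
            reasons.append("zero-size image (tracking pixel)")
        if reasons:
            findings.append({"tag": tag, "url": url,
                             "host": info["decoded_host"],
                             "reasons": reasons})
    return findings


# Constructed sample modelled on the two messages quoted in the thread;
# usernames are the ones the original poster saw, hosts are example domains.
SAMPLE_HTML = """<html><body><center>
<a href="http://fluff:taxiway@www%2eexample%2ecom/Lead3500/">
<img border="0" src="http://skank:morton@www%2eexample%2ecom/p3X.jpg" width="427" height="252">
</a></center>
<p><a href="http://www.example.com/remove.html">No mail!</a></p>
<img height=0 width=0 src="http://track.example.net/image.asp?cmpid=1">
</body></html>"""


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print("%-4s %s" % (f["tag"], f["url"]))
        for r in f["reasons"]:
            print("     - " + r)
```

Run against the HTML part of a quarantined message, this reports the three suspicious elements in the sample (two credential-prefixed, percent-encoded links and one zero-size image) and skips the plain "No mail!" link. Userinfo in an http URL has no legitimate use in commercial mail, so a gateway rule that quarantines on that finding alone is low-risk; the decoded hostname is the value worth logging, since the raw form differs from message to message.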
This archive was generated by hypermail 2b30 : Tue May 27 2003 - 14:56:20 PDT