[Tfug] Odd new spam relay method
Adrian
choprboy at dakotacom.net
Fri Nov 28 12:25:04 MST 2014
On Friday 28 November 2014 11:50:46 Jon wrote:
> Never seen that before. I'd be curious to see what it looks like. Can you
> post a sanitized version of it to the list?
>
Drastically cut down, it looks something like this:
=======================================================
Received: from firewall.compromised.host ([xxx.xxx.xxx.xxx]) by COL004-MC6F14.hotmail.com
        over TLS secured channel with Microsoft SMTPSVC(7.5.7601.22751);
        Fri, 28 Nov 2014 08:37:09 -0800
Received: from localhost ([127.0.0.1])
        by firewall.compromised.host with esmtp (Exim 4.69)
        (envelope-from <firewall at compromised.host>)
        id 1XuOXc-000754-J8
        for xxx at hotmail.com; Fri, 28 Nov 2014 10:37:08 -0600
Message-ID: <20481531.290491417192628593.JavaMail.firewall at compromised.host>
Date: Fri, 28 Nov 2014 10:37:08 -0600 (CST)
From: firewall at compromised.host
To: xxx at hotmail.com
Subject: Quarantine Digest
Return-Path: firewall at compromised.host
<html>
<head>
<title>Quarantine Digest for xxx at hotmail.com</title>
</head>
<body>
<h3>Quarantine Digest for xxx at hotmail.com</h3>
<a
href="https://firewall.compromised.host:443/quarantine/manageuser?tkn=xxx&action=viewibx">Click
here to access your spam quarantine.</a>
<br/>
The spam quarantine contains emails that are being held from your email
account.
<br/>
Quarantined emails can be released to your inbox or deleted using the spam
quarantine link.
</body>
</html>
==============================================
This is off a small town's infrastructure. The compromised host is within their
DNS and seems to be an actual part of their network. Following the link back
to the host leads to the quarantine box on their equipment; it seems to be a
box specific to the message sent, not a common file across spams.
Hotmail received email:
http://digitalturnip.net/software/pics/untangle_quarantine_spam1.jpg
Quarantine box on the compromised host:
http://digitalturnip.net/software/pics/untangle_quarantine_spam2.jpg
Adrian
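As an added example (not part of Adrian's post or of any vendor's software), the
following Python script parses a digest like the one posted above and applies the
two checks a firewall administrator or mail-receiving team would want: is the
"Quarantine Digest" addressed to a mailbox outside the domains the appliance is
supposed to protect (the actual sign that the digest feature is being driven as a
relay), and does the link in the body point somewhere other than the sending
appliance's domain. The sample message is constructed from the sanitized headers
in the post, with the list archive's "at" obfuscation turned back into "@", a
placeholder token, and an IP from the 192.0.2.0/24 documentation range; the
protected-domain set is an assumption the operator would fill in.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample based on the sanitized digest in the post above.
# Addresses, token and IP are placeholders, not real values.
SAMPLE_DIGEST = """\
Received: from firewall.compromised.host ([192.0.2.10]) by mx.hotmail.example
 with ESMTP; Fri, 28 Nov 2014 08:37:09 -0800
Received: from localhost ([127.0.0.1])
 by firewall.compromised.host with esmtp (Exim 4.69)
 (envelope-from <firewall@compromised.host>)
 id 1XuOXc-000754-J8
 for victim@hotmail.com; Fri, 28 Nov 2014 10:37:08 -0600
Message-ID: <20481531.290491417192628593.JavaMail.firewall@compromised.host>
Date: Fri, 28 Nov 2014 10:37:08 -0600 (CST)
From: firewall@compromised.host
To: victim@hotmail.com
Subject: Quarantine Digest
Return-Path: firewall@compromised.host

<html><body>
<h3>Quarantine Digest for victim@hotmail.com</h3>
<a href="https://firewall.compromised.host:443/quarantine/manageuser?tkn=PLACEHOLDER&action=viewibx">Click
here to access your spam quarantine.</a>
</body></html>
"""

HREF_RE = re.compile(r'href="(?P<url>[^"]+)"', re.IGNORECASE)
HOST_RE = re.compile(r'^[a-z][a-z0-9+.-]*://(?P<host>[^/:?#]+)', re.IGNORECASE)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an RFC 5322 address ('' if none)."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def link_hosts(html: str) -> list:
    """Hostnames of every href in an HTML body, in document order."""
    hosts = []
    for m in HREF_RE.finditer(html):
        h = HOST_RE.match(m.group("url"))
        if h:
            hosts.append(h.group("host").lower())
    return hosts


def generated_on_appliance(received_headers: list) -> bool:
    """True when a Received hop shows the message was injected from localhost,
    i.e. the appliance itself produced the digest rather than relaying it."""
    return any("127.0.0.1" in r for r in received_headers)


def summarize_digest(raw: str) -> dict:
    """Pull the fields the checks below need out of a raw RFC 5322 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # single-part message: payload is the text body
    return {
        "from_domain": domain_of(msg.get("From", "")),
        "to_domain": domain_of(msg.get("To", "")),
        "subject": msg.get("Subject", ""),
        "link_hosts": link_hosts(body if isinstance(body, str) else ""),
        "self_generated": generated_on_appliance(msg.get_all("Received", [])),
    }


def digest_findings(raw: str, protected_domains: set) -> list:
    """Return human-readable findings for a quarantine digest; empty means
    the digest looks like normal traffic to a protected mailbox."""
    info = summarize_digest(raw)
    findings = []
    if "quarantine digest" not in info["subject"].lower():
        return findings  # not a digest; nothing to judge here
    protected = {d.lower() for d in protected_domains}
    if info["to_domain"] not in protected:
        # A digest for a mailbox the appliance does not host is the
        # relay pattern described in the post.
        findings.append(
            f"digest addressed to external domain {info['to_domain']}")
    for host in info["link_hosts"]:
        if host != info["from_domain"] and not host.endswith("." + info["from_domain"]):
            findings.append(
                f"digest link points at {host}, not sender domain {info['from_domain']}")
    return findings


if __name__ == "__main__":
    # Assumed: the appliance only protects mailboxes at compromised.host.
    for line in digest_findings(SAMPLE_DIGEST, {"compromised.host"}):
        print("FINDING:", line)
```

Run against the sample it reports one finding, the external recipient; the link
check stays quiet because the body's link host sits under the sending domain,
which is exactly why the recipient-side heuristics many filters use would not
catch this message. The useful control is therefore on the appliance side:
digest recipients outside the protected domain set should never occur.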