[Tfug] Odd new spam relay method

Jon bigj at voipmogul.net
Sun Dec 7 17:04:33 MST 2014


I can't say I recall ever seeing something like this.


On 2014-11-28 12:25, Adrian wrote:
> On Friday 28 November 2014 11:50:46 Jon wrote:
>> Never seen that before. I'd be curious to see what it looks like. Can you
>> post a sanitized version of it to the list?
>> 
> 
> 
> Drastically cut down it looks something like this:
> =======================================================
> Received: from firewall.compromised.host ([xxx.xxx.xxx.xxx]) by COL004-
> MC6F14.hotmail.com over TLS secured channel with Microsoft
> SMTPSVC(7.5.7601.22751);
> 	 Fri, 28 Nov 2014 08:37:09 -0800
> Received: from localhost ([127.0.0.1])
> 	by firewall.compromised.host with esmtp (Exim 4.69)
> 	(envelope-from <firewall at compromised.host>)
> 	id 1XuOXc-000754-J8
> 	for xxx at hotmail.com; Fri, 28 Nov 2014 10:37:08 -0600
> Message-ID: 
> <20481531.290491417192628593.JavaMail.firewall at compromised.host>
> Date: Fri, 28 Nov 2014 10:37:08 -0600 (CST)
> From: firewall at compromised.host
> To: xxx at hotmail.com
> Subject: Quarantine Digest
> Return-Path: firewall at compromised.host
> 
> <html>
>   <head>
>     <title>Quarantine Digest for xxx at hotmail.com</title>
>   </head>
> 
>   <body>
> 
>   <h3>Quarantine Digest for xxx at hotmail.com</h3>
> 
>   <a
> href="https://firewall.compromised.host:443/quarantine/manageuser?tkn=xxx&action=viewibx">Click
> here to access your spam quarantine.</a>
>   <br/>
>   The spam quarantine contains emails that are being held from your 
> email
> account.
>   <br/>
>   Quarantined emails can be released to your inbox or deleted using the 
> spam
> quarantine link.
> 
>   </body>
> </html>
> ==============================================
> 
> 
> This is off a small town's infrastructure. The compromised host is within
> their DNS and seems to be an actual part of their network. Following the
> link back to the host results in the quarantine box on their equipment;
> it seems to be a specific box for the message sent, not a common file
> across spams.
> 
> Hotmail received email:
> http://digitalturnip.net/software/pics/untangle_quarantine_spam1.jpg
> 
> Quarantine box on the compromised host:
> http://digitalturnip.net/software/pics/untangle_quarantine_spam2.jpg
> 
> 
> Adrian
> 
> 
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
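The pattern Adrian describes (a real filtering appliance emitting "Quarantine Digest" mail to recipients outside its own domain, with the digest link pointing back at the appliance) can be checked for mechanically. The following is an added example, not code from the thread or from any appliance vendor; the sample message, addresses and IP are constructed placeholders modelled on the quoted headers.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the headers quoted in the thread (not a real
# message; addresses, token and IP are placeholders).
SAMPLE = """\
Received: from firewall.compromised.host ([192.0.2.10]) by mx.example.net with ESMTP;
 Fri, 28 Nov 2014 08:37:09 -0800
Received: from localhost ([127.0.0.1]) by firewall.compromised.host with esmtp (Exim 4.69)
 (envelope-from <firewall@compromised.host>) for victim@hotmail.com;
 Fri, 28 Nov 2014 10:37:08 -0600
From: firewall@compromised.host
To: victim@hotmail.com
Subject: Quarantine Digest
Return-Path: firewall@compromised.host
Content-Type: text/html

<html><body><h3>Quarantine Digest for victim@hotmail.com</h3>
<a href="https://firewall.compromised.host:443/quarantine/manageuser?tkn=REDACTED&action=viewibx">
Click here to access your spam quarantine.</a></body></html>
"""

def _domain(addr):
    """Lower-cased domain part of an e-mail address header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def analyse_digest(raw):
    """Flag quarantine-digest mail relayed by an appliance to outside recipients.

    A genuine digest goes from a filtering appliance to the users it protects,
    so the recipient should share the appliance's domain. A digest addressed to
    an unrelated domain whose link still points back at the sender matches the
    abuse described in the thread: the appliance itself is the relay.
    """
    msg = email.message_from_string(raw)
    sender = _domain(msg.get("From", ""))
    recipient = _domain(msg.get("To", ""))
    links = re.findall(r'href="([^"]+)"', msg.get_payload())
    link_hosts = {urlparse(u).hostname or "" for u in links}
    received = msg.get_all("Received", [])
    origin = received[-1] if received else ""  # hop closest to the origin
    is_digest = "quarantine digest" in msg.get("Subject", "").lower()
    external = bool(sender) and sender != recipient
    self_ref = bool(sender) and any(h.lower().endswith(sender) for h in link_hosts)
    return {
        "is_digest": is_digest,
        "recipient_outside_sender_domain": external,
        "link_points_to_sender": self_ref,
        "generated_on_appliance": "from localhost" in origin,
        "suspicious": is_digest and external and self_ref,
    }
```

A digest whose recipient shares the sender's domain is not flagged, so the check separates abused appliances from their normal digests rather than blocking the feature outright.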