[Tfug] Odd new spam relay method

Adrian choprboy at dakotacom.net
Fri Nov 28 12:25:04 MST 2014


On Friday 28 November 2014 11:50:46 Jon wrote:
> Never seen that before. I'd be curious to see what it looks like. Can you
> post a sanitized version of it to the list?
> 


Drastically cut down, it looks something like this:
=======================================================
Received: from firewall.compromised.host ([xxx.xxx.xxx.xxx]) by COL004-MC6F14.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.22751);
	 Fri, 28 Nov 2014 08:37:09 -0800
Received: from localhost ([127.0.0.1])
	by firewall.compromised.host with esmtp (Exim 4.69)
	(envelope-from <firewall at compromised.host>)
	id 1XuOXc-000754-J8
	for xxx at hotmail.com; Fri, 28 Nov 2014 10:37:08 -0600
Message-ID: <20481531.290491417192628593.JavaMail.firewall at compromised.host>
Date: Fri, 28 Nov 2014 10:37:08 -0600 (CST)
From: firewall at compromised.host
To: xxx at hotmail.com
Subject: Quarantine Digest
Return-Path: firewall at compromised.host

<html>
  <head>
    <title>Quarantine Digest for xxx at hotmail.com</title>
  </head>

  <body>

  <h3>Quarantine Digest for xxx at hotmail.com</h3>

  <a href="https://firewall.compromised.host:443/quarantine/manageuser?tkn=xxx&action=viewibx">Click here to access your spam quarantine.</a>
  <br/>
  The spam quarantine contains emails that are being held from your email account.
  <br/>
  Quarantined emails can be released to your inbox or deleted using the spam quarantine link.
  
  </body>
</html>
==============================================


This is off a small town's infrastructure. The compromised host is within their 
DNS and seems to be an actual part of their network. Following the link back 
to the host results in the quarantine box on their equipment; it seems to be a 
box specific to the message sent, not a common file across spams.

Hotmail received email:
http://digitalturnip.net/software/pics/untangle_quarantine_spam1.jpg

Quarantine box on the compromised host:
http://digitalturnip.net/software/pics/untangle_quarantine_spam2.jpg


Adrian
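What makes this relay method awkward to filter is that nothing in the message is spoofed: the envelope sender, the Exim host that injected it, the Message-ID and the quarantine link all belong to the compromised site, so the usual sender-consistency checks pass. As an added example (not code from the original post, nor from the product whose quarantine feature is being abused), here is a small Python triage script that parses such a digest, confirms that those consistency checks do pass, and then applies the one check that still separates it from a legitimate digest: whether the gateway that sent the digest actually serves the recipient's mail domain. The embedded sample is reconstructed from the sanitized headers above with the list archive's "at" obfuscation restored to "@"; the hosts and addresses remain placeholders, and the "digest must come from your own gateway" rule is this example's assumption, not something the post states.

```python
"""Triage a 'Quarantine Digest' mail: parse the Received chain, the envelope
sender and the links in the body, and decide whether the digest plausibly came
from the recipient's own mail gateway. Added example, not from the original post."""
import re
from email import policy
from email.parser import Parser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the sanitized message from the post with the archive's
# " at " obfuscation restored to "@". Hosts and addresses are placeholders.
SAMPLE = """\
Received: from firewall.compromised.host ([xxx.xxx.xxx.xxx]) by COL004-MC6F14.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.22751);
\t Fri, 28 Nov 2014 08:37:09 -0800
Received: from localhost ([127.0.0.1])
\tby firewall.compromised.host with esmtp (Exim 4.69)
\t(envelope-from <firewall@compromised.host>)
\tid 1XuOXc-000754-J8
\tfor xxx@hotmail.com; Fri, 28 Nov 2014 10:37:08 -0600
Message-ID: <20481531.290491417192628593.JavaMail.firewall@compromised.host>
Date: Fri, 28 Nov 2014 10:37:08 -0600 (CST)
From: firewall@compromised.host
To: xxx@hotmail.com
Subject: Quarantine Digest
Return-Path: firewall@compromised.host

<html><body><h3>Quarantine Digest for xxx@hotmail.com</h3>
<a href="https://firewall.compromised.host:443/quarantine/manageuser?tkn=xxx&action=viewibx">Click
here to access your spam quarantine.</a></body></html>
"""

DIGEST_RE = re.compile(r"quarantine\s+digest", re.I)
RECEIVED_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.I)
ENVFROM_RE = re.compile(r"envelope-from\s+<([^>]+)>", re.I)


class LinkCollector(HTMLParser):
    """Collect href targets of <a> tags in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]


def domain_of(addr):
    """Domain part of an address or address header, lower-cased."""
    return str(addr).strip("<> ").rsplit("@", 1)[-1].lower()


def under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def received_hops(msg):
    """(from, by) host pairs from the Received headers, topmost header first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        flat = " ".join(str(hdr).split())   # unfold and normalise whitespace
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append({"from": m.group(1).lower(), "by": m.group(2).lower(), "raw": flat})
    return hops


def triage(raw):
    msg = Parser(policy=policy.default).parsestr(raw)
    hops = received_hops(msg)
    # The bottom-most Received header is the first hop: the host that injected the mail.
    gateway = hops[-1]["by"] if hops else ""
    env_from = next((ENVFROM_RE.search(h["raw"]).group(1).lower()
                     for h in hops if ENVFROM_RE.search(h["raw"])),
                    str(msg["From"]).lower())
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    link_hosts = sorted({urlparse(u).hostname for u in collector.links if urlparse(u).hostname})
    sender_domain = domain_of(env_from)
    rcpt_domain = domain_of(msg["To"])

    # Classic spoofing checks: do the links and the injecting host belong to the sender's domain?
    # For the message in the post they all do, so this list stays empty.
    spoof = [f"link host {h} outside sender domain {sender_domain}"
             for h in link_hosts if not under(h, sender_domain)]
    if gateway and not under(gateway, sender_domain):
        spoof.append(f"injecting gateway {gateway} outside sender domain {sender_domain}")

    # Heuristic (this example's assumption): a real quarantine digest comes from the gateway
    # that handles the recipient's own mail domain, so a digest from a foreign gateway is suspect.
    is_digest = bool(DIGEST_RE.search(str(msg["Subject"] or "")))
    foreign_gateway = not under(gateway, rcpt_domain) and sender_domain != rcpt_domain
    verdict = "suspicious" if is_digest and foreign_gateway else "benign-looking"
    return {"is_digest": is_digest, "gateway": gateway, "envelope_from": env_from,
            "link_hosts": link_hosts, "spoof_indicators": spoof,
            "foreign_gateway": foreign_gateway, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the sample, `spoof_indicators` comes back empty (the mail really did come from that host and really does link to it), while `foreign_gateway` is true because a gateway under `compromised.host` has no reason to hold mail for a `hotmail.com` recipient; changing the recipient to an address under `compromised.host` flips the verdict to benign-looking, which is the shape a legitimate digest from one's own gateway would have. A URL reputation check on the link would not help here either, since the link points at the site's genuine quarantine page.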

