Posted to users@spamassassin.apache.org by "E. Falk" <bs...@directrans.com> on 2005/08/09 17:58:22 UTC
Iran Nuclear spam
Anyone else been seeing a lot of these come in? The text includes a
snippet about the Iran Nuclear situation and a link to a "full article".
The article appears to have been pinched from elsewhere, but the page
includes javascript which appears to use a buffer overflow to load a
.hta file.
All the links end in votnews dot com - thankfully the uribl's kept this
one from hitting my users. Just thought I'd throw out a warning since
it's not just more political spam, there's a payload.
Evan
RE: Iran Nuclear spam
Posted by Herb Martin <He...@learnquick.com>.
> From: E. Falk [mailto:bsd@directrans.com]
>
> Anyone else been seeing a lot of these come in? The text
> includes a snippet about the Iran Nuclear situation and a
> link to a "full article".
> The article appears to have been pinched from elsewhere, but
> the page includes javascript which appears to use a buffer
> overflow to load a .hta file.
>
> All the links end in votnews dot com - thankfully the uribl's
> kept this one from hitting my users. Just thought I'd throw
> out a warning since it's not just more political spam,
> there's a payload.
I just saw it in the SA catch account
(SA caught it at 37.1 points.)
Subject was about Iran/Nuclear but From: looked
to be a job search -- the mismatch and SA score
were enough for me so I approved the catch and
didn't look further.
So it's an HTA buffer overflow, disguised as a Job
spam, disguised as a Political?
This strategy of multi-levels of disguise is
intriguing -- I have only seen it personally a few
times.
--
Herb Martin