Posted to users@spamassassin.apache.org by "E. Falk" <bs...@directrans.com> on 2005/08/09 17:58:22 UTC

Iran Nuclear spam

Anyone else been seeing a lot of these come in? The text includes a 
snippet about the Iran Nuclear situation and a link to a "full article". 
The article appears to have been pinched from elsewhere, but the page 
includes javascript which appears to use a buffer overflow to load a 
.hta file.

All the links end in votnews dot com - thankfully the uribl's kept this 
one from hitting my users. Just thought I'd throw out a warning since 
it's not just more political spam, there's a payload.

Evan

RE: Iran Nuclear spam

Posted by Herb Martin <He...@learnquick.com>.
> From: E. Falk [mailto:bsd@directrans.com] 
> 
> Anyone else been seeing a lot of these come in? The text 
> includes a snippet about the Iran Nuclear situation and a 
> link to a "full article". 
> The article appears to have been pinched from elsewhere, but 
> the page includes javascript which appears to use a buffer 
> overflow to load a .hta file.
> 
> All the links end in votnews dot com - thankfully the uribl's 
> kept this one from hitting my users. Just thought I'd throw 
> out a warning since it's not just more political spam, 
> there's a payload.

I just saw it in the SA catch account 
(SA caught it at 37.1 points.)

Subject was about Iran/Nuclear but From: looked
to be a job search -- the mismatch and SA score
were enough for me so I approved the catch and
didn't look further.

So it's an HTA buffer overflow, disguised as a Job
spam, disguised as a Political?

This strategy of multi-levels of disguise is 
intriguing -- I have only seen it personally a few
times.

--
Herb Martin