Posted to users@spamassassin.apache.org by Michael Scheidell <sc...@secnap.net> on 2009/04/10 14:00:35 UTC

poor phisher has nimda?

Just when you thought Nimda was dead!

A couple of interesting things in this spam, including the use of some 
<span class=SpellE>First</span><span Class=SpellE>last</span>

<http://pastebin.com/m3c5544f7>

(lots of them) almost like the '[]' block art ED ads of last week.

also, the email ends in:

</html>
<html>
<scripts.....>

(Shouldn't a multi-line rawbody check, or a plugin HTML check, score 
something that has a <html> AFTER the closing </html>?)

And then there is the Nimda-looking stuff, where it tries to pop open a 
readme.eml.

So, what is it trying to do, Bank of America phishing?  Phishing along 
with Nimda?


-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008

