You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Kenneth Porter <sh...@sewingwitch.com> on 2007/12/12 22:20:39 UTC
"Virus found in this message", probe?
Anyone seen these? text/plain and HTML parts, seem to have same content,
saying there's a virus, please delete, and some gibberish. I'm guessing
it's some kind of probe.
Re: "Virus found in this message", probe?
Posted by Per Jessen <pe...@computer.org>.
Joseph Brennan wrote:
>
>
> The control node turned off the switch at 05:00 EST. They were still
> rolling in during the 04:00 hour but the last one was at 04:54. The
> customer's paid time on the botnet may have ended.
>
So far, we saw the last one at 2028UTC 14Dec.
/Per Jessen, Zürich
Re: "Virus found in this message", probe?
Posted by Joseph Brennan <br...@columbia.edu>.
The control node turned off the switch at 05:00 EST. They were still
rolling in during the 04:00 hour but the last one was at 04:54. The
customer's paid time on the botnet may have ended.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
Re: "Virus found in this message", probe?
Posted by Loren Wilton <lw...@earthlink.net>.
> --On Wednesday, December 12, 2007 1:20 PM -0800 Kenneth Porter
> <sh...@sewingwitch.com> wrote:
>
>> Anyone seen these? text/plain and HTML parts, seem to have same content,
>> saying there's a virus, please delete, and some gibberish. I'm guessing
>> it's some kind of probe.
>
>
> Started today (based on reports to us)
>
> Varying senders. Comes from a botnet. Varying Subject but always one
> lower-case word or wordlike string (ogbomosho). Subject does repeat
> in different messages, but looks like too many to bother matching.
>
> Note the misspelling in the string:
> /Virus found in this message, please delete it without futher reading/
>
> The link *follows* </p></body></html>, and additionally there is nothing
> between the <a ...> and </a> tags. How can this ever be clicked on?
>
> The URL has a dot in the path. We have a local rule watching for
> this. Example (this is a dead link at this time):
> <a href="http://www.crop.co.uk/.hidden/nikpfpdk/aaaaganf.html">
>
> Joseph Brennan
> Lead Email Systems Engineer
> Columbia University Information Technology
I wonder if that is in fact a broken spam warning message of some sort.
I've been getting things for weeks with one nonsense "word" for a subject,
but they have all been plain-text fake watch spams.
Loren
Re: "Virus found in this message", probe?
Posted by Joseph Brennan <br...@columbia.edu>.
--On Wednesday, December 12, 2007 1:20 PM -0800 Kenneth Porter
<sh...@sewingwitch.com> wrote:
> Anyone seen these? text/plain and HTML parts, seem to have same content,
> saying there's a virus, please delete, and some gibberish. I'm guessing
> it's some kind of probe.
Started today (based on reports to us)
Varying senders. Comes from a botnet. Varying Subject but always one
lower-case word or wordlike string (ogbomosho). Subject does repeat
in different messages, but looks like too many to bother matching.
Note the misspelling in the string:
/Virus found in this message, please delete it without futher reading/
The link *follows* </p></body></html>, and additionally there is nothing
between the <a ...> and </a> tags. How can this ever be clicked on?
The URL has a dot in the path. We have a local rule watching for
this. Example (this is a dead link at this time):
<a href="http://www.crop.co.uk/.hidden/nikpfpdk/aaaaganf.html">
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
Re: "Virus found in this message", probe?
Posted by Steven Stern <su...@sterndata.com>.
Kenneth Porter wrote:
> Anyone seen these? text/plain and HTML parts, seem to have same
> content, saying there's a virus, please delete, and some gibberish.
> I'm guessing it's some kind of probe.
There was a web address hidden by a malformed CSS tag.