Posted to users@spamassassin.apache.org by "David F. Skoll" <df...@roaringpenguin.com> on 2013/06/21 19:40:01 UTC

New virus outbreak with malformed payload

Hi,

We're seeing a huge rash of viruses with malformed payloads.  They're
supposed to contain a ZIP file, but the MIME part supposedly containing
the ZIP file simply contains:

Error[Base64]

Sample: http://pastebin.com/fkjf9LHR

Yesterday, they were "Scanned Copy" spams from an HP printer.  Today they
are "Invoice Notification for June 2013" spams.

Annoyingly, the envelope sender is no-reply@intuit.com which has an
SPF permerror... FAIL.

$ spfquery --id intuit.com --ip 192.168.1.1
permerror
intuit.com ... spf-ext-a.intuit.com: Maximum DNS-interactive terms limit (10) exceeded
intuit.com ... spf-ext-a.intuit.com: Maximum DNS-interactive terms limit (10) exceeded
Received-SPF: permerror (intuit.com ... spf-ext-a.intuit.com: Maximum DNS-interactive terms limit (10) exceeded) identity=mailfrom; envelope-from=intuit.com

*sigh*

Anyone else seeing tons of these?

Regards,

David.
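
Added example, not part of David's post and not code from any SPF library: a small counter for the DNS-interactive terms in an SPF record chain, which is what the "Maximum DNS-interactive terms limit (10) exceeded" permerror above is about (RFC 7208 section 4.6.4 limits include, a, mx, ptr, exists and redirect to 10 per evaluation). The DNS data is a constructed in-memory table under made-up .test names; it is not intuit.com's actual record.

```python
"""Count DNS-interactive SPF terms the way a receiver hits the 10-lookup limit.

Added example, not code from the thread or from any SPF library.  The DNS
"answers" are a constructed in-memory table (RECORDS) under made-up .test
names, so the script runs offline; none of it is intuit.com's real record.
"""
import re

# Mechanisms/modifiers that cost a DNS query and count toward the limit
# (RFC 7208 section 4.6.4).  ip4, ip6, all and exp do not count.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# qualifier, mechanism/modifier name, optional argument after ':' '=' or '/'
TERM_RE = re.compile(r"^[+\-~?]?([A-Za-z0-9]+)(?:[:=/](.*))?$")

# Constructed records.  example.test fans out through two intermediate
# includes and ends up at 11 lookups; tidy.test stays at 3.
RECORDS = {
    "example.test": "v=spf1 include:_spf-a.example.test include:_spf-b.example.test -all",
    "_spf-a.example.test": "v=spf1 "
        + " ".join(f"include:mailer{i}.example.test" for i in range(1, 6))
        + " ~all",
    "_spf-b.example.test": "v=spf1 a mx include:mailer6.example.test include:mailer7.example.test ~all",
    **{f"mailer{i}.example.test": "v=spf1 ip4:192.0.2.0/24 -all" for i in range(1, 8)},
    "tidy.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.tidy.test -all",
    "_spf.tidy.test": "v=spf1 a mx -all",
}


class SPFPermError(Exception):
    """Raised where a real evaluator would return 'permerror'."""


def count_dns_lookups(domain, records, chain=(), counter=None):
    """Walk domain's record plus every include:/redirect= it references and
    return the total number of DNS-interactive terms.  Raises SPFPermError
    as soon as the running total passes MAX_LOOKUPS, on a missing record,
    or on an include loop.  The whole chain is counted, i.e. the worst case
    for a sending IP that matches nothing early."""
    if counter is None:
        counter = [0]
    domain = domain.lower()
    if domain in chain:
        raise SPFPermError(f"{domain}: include/redirect loop")
    chain = chain + (domain,)
    record = records.get(domain)
    if record is None:
        raise SPFPermError(f"{domain}: no SPF record")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise SPFPermError(f"{domain}: not an SPF record")
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            raise SPFPermError(f"{domain}: unparsable term {term!r}")
        name, arg = m.group(1).lower(), m.group(2)
        if name not in LOOKUP_TERMS:
            continue
        counter[0] += 1
        if counter[0] > MAX_LOOKUPS:
            raise SPFPermError(
                f"{domain}: Maximum DNS-interactive terms limit ({MAX_LOOKUPS}) exceeded")
        if name in ("include", "redirect"):
            if not arg:
                raise SPFPermError(f"{domain}: {name} without a domain")
            # The referenced domain is queried in turn; its terms count too.
            count_dns_lookups(arg, records, chain, counter)
    return counter[0]


def spf_lookup_status(domain, records=RECORDS):
    """Return ('ok', lookups) or ('permerror', reason) for a domain."""
    try:
        return ("ok", count_dns_lookups(domain, records))
    except SPFPermError as e:
        return ("permerror", str(e))


if __name__ == "__main__":
    for d in ("example.test", "tidy.test"):
        print(d, spf_lookup_status(d))
```

Each include: is a lookup in its own right before its target's terms are counted, which is why a record that looks short at the top level can still blow past 10 once its vendors' includes are followed; that is the situation the permerror above reports, and a policy that treats permerror as fail would reject every message from such a domain, not just the forged ones.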

Re: New virus outbreak with malformed payload

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
We had none yesterday but some 700 today which is a decent amount.

However, the attachments were filtered as bad filenames and quarantined, 
which adds a 2.5 score to our spam tests, which also blocked all of them, 
so very few made it to inboxes.

Regards,
KAM

On 6/21/2013 1:40 PM, David F. Skoll wrote:
> Hi,
>
> We're seeing a huge rash of viruses with malformed payloads.  They're
> supposed to contain a ZIP file, but the MIME part supposedly containing
> the ZIP file simply contains:
>
> Error[Base64]
>
> Sample: http://pastebin.com/fkjf9LHR
>
> Yesterday, they were "Scanned Copy" spams from an HP printer.  Today they
> are "Invoice Notification for June 2013" spams.
>
> Annoyingly, the envelope sender is no-reply@intuit.com which has an
> SPF permerror... FAIL.
>
> $ spfquery --id intuit.com --ip 192.168.1.1
> permerror
> intuit.com ... spf-ext-a.intuit.com: Maximum DNS-interactive terms limit (10) exceeded
> intuit.com ... spf-ext-a.intuit.com: Maximum DNS-interactive terms limit (10) exceeded
> Received-SPF: permerror (intuit.com ... spf-ext-a.intuit.com: Maximum DNS-interactive terms limit (10) exceeded) identity=mailfrom; envelope-from=intuit.com
>
> *sigh*
>
> Anyone else seeing tons of these?
>
> Regards,
>
> David.


-- 
*Kevin A. McGrail*
President

Peregrine Computer Consultants Corporation
3927 Old Lee Highway, Suite 102-C
Fairfax, VA 22030-2422

http://www.pccc.com/

703-359-9700 x50 / 800-823-8402 (Toll-Free)
703-359-8451 (fax)
KMcGrail@PCCC.com <ma...@pccc.com>


Re: New virus outbreak with malformed payload

Posted by Jay Plesset <ja...@dp-design.com>.
Yes, saw both the scanner ones and the new ones, too.

jay plesset
IT, dp-design.com
On 6/21/2013 10:40 AM, David F. Skoll wrote:
> Hi,
>
> We're seeing a huge rash of viruses with malformed payloads.  They're
> supposed to contain a ZIP file, but the MIME part supposedly containing
> the ZIP file simply contains:
>
> Error[Base64]
>
> Sample: http://pastebin.com/fkjf9LHR
>
> Yesterday, they were "Scanned Copy" spams from an HP printer.  Today they
> are "Invoice Notification for June 2013" spams.
>
> Annoyingly, the envelope sender is no-reply@intuit.com which has an
> SPF permerror... FAIL.
>
> $ spfquery --id intuit.com --ip 192.168.1.1
> permerror
> intuit.com ... spf-ext-a.intuit.com: Maximum DNS-interactive terms limit (10) exceeded
> intuit.com ... spf-ext-a.intuit.com: Maximum DNS-interactive terms limit (10) exceeded
> Received-SPF: permerror (intuit.com ... spf-ext-a.intuit.com: Maximum DNS-interactive terms limit (10) exceeded) identity=mailfrom; envelope-from=intuit.com
>
> *sigh*
>
> Anyone else seeing tons of these?
>
> Regards,
>
> David.


Re: New virus outbreak with malformed payload

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Fri, 21 Jun 2013 19:56:19 +0200
Benny Pedersen <me...@junc.eu> wrote:

> > Annoyingly, the envelope sender is no-reply@intuit.com which has an
> > SPF permerror... FAIL.

> and you accept permerror :)

Well, what would you suggest? :)  I don't think our customers would
accept unconditional blocking of intuit.com or microsoft.com (another
offender.)

> Is the zip file always 6 bytes where the first 2 chars are not PK? That
> is not even a zip file then.

It's not even a valid attachment because the encoding is wrong.

The viruses are easy to detect and stop.  They are just annoying.  (And
some of them don't have malformed attachments; some really do have valid
zip files with an embedded .EXE.  Weird.)

Regards,

David.


Re: New virus outbreak with malformed payload

Posted by Benny Pedersen <me...@junc.eu>.
David F. Skoll skrev den 2013-06-21 19:40:

> Annoyingly, the envelope sender is no-reply@intuit.com which has an
> SPF permerror... FAIL.

and you accept permerror :)

> *sigh*

Is the zip file always 6 bytes where the first 2 chars are not PK? That 
is not even a zip file then.

-- 
senders that put my email into body content will deliver it to my own 
trashcan, so if you would like to get a reply, don't do it