A malicious PDF file called report.pdf, debt.2007.pdf, overdraft.2007.10.26.pdf, or similar, has been massively spammed through e-mail. The PDF is spiced with exploit CVE-2007-5020 that downloads ms32.exe, which in turn downloads more components.
Massive spamming did not eventually lead to major problems, since the secondary download location was swiftly taken down preventing the downloader from functioning.
The subjects for the spam messages include: Your credit report Your credit points Your balance report Personal Financial Statement Personal Credit Points Personal Balance Report Your Credit File Balance Report
Another advantage in running old software I guess. That would just pop up an Adobe error on a W/98 IE6 machine. I get those a lot when I try to open new PDFs. It says you might not get all the stuff they sent but I can still see the document most of the time.
I got one entitled "Income Tax deferred" or some such twaddle. I 100% bin all e-mails without opening them unless I know the sender. Don't be tempted- always bin without opening. Empty your bin regularly.
I had 4 years of a spam-free diet till I let a mate on vacation use my machine to "check his e-mails". We now get half a dozen a day offering Viagra or Enlargement of certain portions of the anatomy, all of which go in the rubbish unopened. The problem is they use a different name each time so you cant bin them on automatic. On the other hand, Lydia Trashcan or Carlos Fanackerpan kinda gives the game away. They are too stupid to use a common name like John Smith, who most of us probably know one of!
That's funny! I get all these emails telling me I can make millions on a stock or enlarge that certain area. This went contrary to all my early learning that I didn't need an enlarged area (or a Corvette) if I had a million $$$. Joe
Delete any cookies you are sure you don't need. I prompt for cookies as a default and won't take any I don't absolutely need. That dropped my spam a whole lot. The second thing is, don't google while you are logged in. If you are logged into Yahoo, AOL, MSN or any similar service and you do a search, that search is sent to spammers with your login address. The reason Google is at $700 in the market is because they understand they are sitting on a valuable commodity, a list of customers and everything they have expressed an interest in.
Or do as I do.. I run a non-MS OS (FreeBSD unix), and use a non-GUI MUA (Elm). I can receive attachments, but nothing happens until I save them, and open them with my choice of application (under FreeBSD).
A lot of spam is very obvious. it's pure HTML, and appears as gibberish in Elm. >99% of the pure HTML email I receive is spam.
I do get a lot of spam, but then again my email addresses have been public knowledge for many years (one has been in use for 16 years..) I run my own mailservers, and I reject a lot of mail at the SMTP level, based on the IP address of the sender.
If the source is a known dynamic dialup/cable/dsl address, or is assigned to an entity in china, korea, africa, EV1.net/EV1servers.net, wanadoo/france telecom, BT, interbusiness.it, etc, or appears on any of a dozen DNSBLs it is rejected immediately, before my server agrees to accept it.
I have a local reject list of over 26,000 ip networks generated based on received spam over the last 5-6 years. Some countries/isp's are listed based on a zero-tolerance policy, based on 100% spam/0% content/0% abuse response. If I find ip space assigned to them, it gets listed in my reject list.
If the sender has no reverse DNS, reverse DNS that points to a nonexistent domain, or reverse DNS that does not match the forward DNS for the given hostname, then it is rejected. If the host fails to wait for the SMTP HELO, it is rejected for violating RFC822.
future additions include the rfc-ignorant list, which lists isp's that do not have functional abuse or postmaster addresses.
anything that leaks through gets forwarded to Spamcop as a complaint. I currently don't use spamassassin to filter spam.
I prefer to reject at the initial SMTP transaction, which means that the sender should receive a bounce from their server, as opposed to a delayed bounce sent from my server to a probably forged address.
Any challenge-response emails that I receive are considered spam, as that system is in many ways as bad or worse than the spam itself, and can be used as an attack vector. (send a spam using my (forged) address to a site using challenge-response, and I get the challenge, even though the source address was forged.)
Last edited by techie; 11/01/0708:14 PM.
Re: PDF files infected, be aware!
#170387 11/02/0712:40 AM11/02/0712:40 AM
I use my real address everywhere including newsgroups and I really don't get that much spam. Nothing like I used to get when I was browsing from within AOL. I also have a web site and it is interesting how they scoop up addresses there. This is the HOA web site, I just manage it. They set up a lot of boiler plate addresses when they got the original site (president@xxx, Treasurer@xxx). Nobody had actually figured out how to use them until I got the job. Some of the mailboxes were empty, some were stuffed. Anything on a "contact" or an "index" page gets spam. I also noticed a bulletin board on the index page and one page down collects spam but if it is 3 levels deep it doesn't.
Alan! LOL true. techie: I suppose you can be angry at some friends who don't write to you anymore, maybe you should check your spams some times. I have found a friend's e-mail in my spam few months after she sent it, I was a bit upset.
Anyhow, the last few weeks the number of daily spams decreased by about 70%, it can be the success of Gmail, or the arrest of a few of those guys. One more thing, I use dynamic IP, so I guess banning IP is not really a solution.
The world is full of beauty if the heart is full of love
Re: PDF files infected, be aware!
#170758 11/11/0704:21 AM11/11/0704:21 AM
Any mail rejected is never received by my server. The remote server receives a rejection, and the transaction is immediately terminated. The sender receives an immediate bounce, and knows that they need to use another communication channel.
If the mail is accepted by my server, it ends up either in my mailbox, or if it is sent via one of the mailing lists that I subscribe to, it gets sorted directly into a folder associated with that list for later reading.
I don't have any filters that mark mail as spam after it is received. Once the mail is received, I am the filter, and as such there is no mis-tagged email, or email mistakenly filed in the spam folder.
My system only checks the IP of the host that is connecting to my server. It does not check to see if the email originated from a dynamic IP address, and was relayed through an ISP's mail server, only if the address that is connecting to my server is a dynamic IP.
[Internet Postmaster hat on]
Given the exponential growth of trojaned PC's, and drive-by spamming, there is absolutely no reason why a mail server should accept any email from dynamic IP space, unless that IP space belongs to the ISP running the server. (ie: Cox's servers should accept mail from Cox's IP space.)
Best practices dictate that ISP's should pro-actively filter outgoing SMTP traffic originating from within their dynamic IP space, and require that all outgoing SMTP traffic be passed to their mail servers, where virus filters can be applied before the mail is allowed out into the wild.
Legitimate mail servers should be on static IP's. There is no valid reason why a mail server should be on a dynamic IP.