ECN Electrical Forum - Discussion Forums for Electricians, Inspectors and Related Professionals
#170186 - 10/29/07 10:10 AM PDF files infected, be aware!  
Gloria
Joined: May 2004
Posts: 364
Budapest, Hungary
A malicious PDF file called report.pdf, debt.2007.pdf, overdraft.2007.10.26.pdf, or similar, has been massively spammed through e-mail. The PDF is spiced with exploit CVE-2007-5020 that downloads ms32.exe, which in turn downloads more components.

Massive spamming did not eventually lead to major problems, since the secondary download location was swiftly taken down preventing the downloader from functioning.

The subjects for the spam messages include:
Your credit report
Your credit points
Your balance report
Personal Financial Statement
Personal Credit Points
Personal Balance Report
Your Credit File
Balance Report


The world is full of beauty if the heart is full of love

#170189 - 10/29/07 10:43 AM Re: PDF files infected, be aware! [Re: Gloria]  
Trumpy
Joined: Jul 2002
Posts: 8,223
SI,New Zealand
Thanks Gloria,
That's handy to know.

#170200 - 10/29/07 12:25 PM Re: PDF files infected, be aware! [Re: Trumpy]  
gfretwell
Joined: Jul 2004
Posts: 9,124
Another advantage in running old software I guess. That would just pop up an Adobe error on a W/98 IE6 machine. I get those a lot when I try to open new PDFs. It says you might not get all the stuff they sent but I can still see the document most of the time.

Greg Fretwell

#170331 - 10/31/07 08:25 PM Re: PDF files infected, be aware! [Re: gfretwell]  
Alan Belson
Joined: Mar 2005
Posts: 1,803
Mayenne N. France
I got one entitled "Income Tax deferred" or some such twaddle.
I 100% bin all e-mails without opening them unless I know the sender.
Don't be tempted- always bin without opening.
Empty your bin regularly.

I had 4 years of a spam-free diet till I let a mate on vacation use my machine to "check his e-mails".
We now get half a dozen a day offering Viagra or Enlargement of certain portions of the anatomy, all of which go in the rubbish unopened. The problem is they use a different name each time so you can't bin them on automatic. On the other hand, Lydia Trashcan or Carlos Fanackerpan kinda gives the game away. They are too stupid to use a common name like John Smith, who most of us probably know one of!

Wood work but can't!

#170333 - 10/31/07 09:45 PM Re: PDF files infected, be aware! [Re: Alan Belson]  
JoeTestingEngr
Joined: Nov 2005
Posts: 790
Chicago, Il.
That's funny! I get all these emails telling me I can make millions on a stock or enlarge that certain area. This went contrary to all my early learning that I didn't need an enlarged area (or a Corvette) if I had a million $$$.

#170347 - 11/01/07 12:14 PM Re: PDF files infected, be aware! [Re: JoeTestingEngr]  
gfretwell
Joined: Jul 2004
Posts: 9,124
Delete any cookies you are sure you don't need. I prompt for cookies as a default and won't take any I don't absolutely need. That dropped my spam a whole lot. The second thing is, don't google while you are logged in.
If you are logged into Yahoo, AOL, MSN or any similar service and you do a search, that search is sent to spammers with your login address. The reason Google is at $700 in the market is because they understand they are sitting on a valuable commodity, a list of customers and everything they have expressed an interest in.

Greg Fretwell

#170372 - 11/01/07 08:13 PM Re: PDF files infected, be aware! [Re: gfretwell]  
techie
Joined: May 2005
Posts: 246
palo alto, ca usa
Or do as I do.. I run a non-MS OS (FreeBSD unix), and use a non-GUI MUA (Elm). I can receive attachments, but nothing happens until I save them, and open them with my choice of application (under FreeBSD).

A lot of spam is very obvious. It's pure HTML, and appears as gibberish in Elm. >99% of the pure HTML email I receive is spam.

I do get a lot of spam, but then again my email addresses have been public knowledge for many years (one has been in use for 16 years..) I run my own mailservers, and I reject a lot of mail at the SMTP level, based on the IP address of the sender.

If the source is a known dynamic dialup/cable/DSL address, or is assigned to an entity in China, Korea, Africa, Wanadoo/France Telecom, BT, etc., or appears on any of a dozen DNSBLs, it is rejected immediately, before my server agrees to accept it.

I have a local reject list of over 26,000 IP networks generated based on received spam over the last 5-6 years.
Some countries/ISPs are listed based on a zero-tolerance policy, based on 100% spam/0% content/0% abuse response.
If I find IP space assigned to them, it gets listed in my reject list.

If the sender has no reverse DNS, reverse DNS that points to a nonexistent domain, or reverse DNS that does not match the forward DNS for the given hostname, then it is rejected.
If the host fails to wait for the SMTP HELO, it is rejected for violating RFC822.

Future additions include the rfc-ignorant list, which lists ISPs that do not have functional abuse or postmaster addresses.

Anything that leaks through gets forwarded to Spamcop as a complaint. I currently don't use SpamAssassin to filter spam.

I prefer to reject at the initial SMTP transaction, which means that the sender should receive a bounce from their server, as opposed to a delayed bounce sent from my server to a probably forged address.

Any challenge-response emails that I receive are considered spam, as that system is in many ways as bad or worse than the spam itself, and can be used as an attack vector.
(send a spam using my (forged) address to a site using challenge-response, and I get the challenge, even though the source address was forged.)

Last edited by techie; 11/01/07 08:14 PM.

#170387 - 11/02/07 12:40 AM Re: PDF files infected, be aware! [Re: techie]  
gfretwell
Joined: Jul 2004
Posts: 9,124
I use my real address everywhere including newsgroups and I really don't get that much spam. Nothing like I used to get when I was browsing from within AOL.
I also have a web site and it is interesting how they scoop up addresses there. This is the HOA web site, I just manage it. They set up a lot of boilerplate addresses when they got the original site (president@xxx, Treasurer@xxx). Nobody had actually figured out how to use them until I got the job. Some of the mailboxes were empty, some were stuffed. Anything on a "contact" or an "index" page gets spam. I also noticed a bulletin board on the index page and one page down collects spam but if it is 3 levels deep it doesn't.

Greg Fretwell

#170702 - 11/09/07 05:13 AM Re: PDF files infected, be aware! [Re: gfretwell]  
Gloria
Joined: May 2004
Posts: 364
Budapest, Hungary
Alan! LOL, true.
techie: I suppose you can be angry at some friends who don't write to you anymore; maybe you should check your spam sometimes. I found a friend's e-mail in my spam a few months after she sent it, I was a bit upset.

Anyhow, in the last few weeks the number of daily spams decreased by about 70%; it could be the success of Gmail, or the arrest of a few of those guys.
One more thing, I use dynamic IP, so I guess banning IP is not really a solution.

The world is full of beauty if the heart is full of love

#170758 - 11/11/07 04:21 AM Re: PDF files infected, be aware! [Re: Gloria]  
techie
Joined: May 2005
Posts: 246
palo alto, ca usa
Maybe I wasn't clear.

Mail is either accepted or rejected.

Any mail rejected is never received by my server. The remote server receives a rejection, and the transaction is immediately terminated. The sender receives an immediate bounce, and knows that they need to use another communication channel.

If the mail is accepted by my server, it ends up either in my mailbox, or if it is sent via one of the mailing lists that I subscribe to, it gets sorted directly into a folder associated with that list for later reading.

I don't have any filters that mark mail as spam after it is received. Once the mail is received, I am the filter, and as such there is no mis-tagged email, or email mistakenly filed in the spam folder.

My system only checks the IP of the host that is connecting to my server. It does not check to see if the email originated from a dynamic IP address, and was relayed through an ISP's mail server, only if the address that is connecting to my server is a dynamic IP.

[Internet Postmaster hat on]

Given the exponential growth of trojaned PCs, and drive-by spamming, there is absolutely no reason why a mail server should accept any email from dynamic IP space, unless that IP space belongs to the ISP running the server. (i.e., Cox's servers should accept mail from Cox's IP space.)

Best practices dictate that ISPs should pro-actively filter outgoing SMTP traffic originating from within their dynamic IP space, and require that all outgoing SMTP traffic be passed to their mail servers, where virus filters can be applied before the mail is allowed out into the wild.

Legitimate mail servers should be on static IPs. There is no valid reason why a mail server should be on a dynamic IP.
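
As an added example, not code from the original thread and not techie's actual mail server configuration, the following Python models the connection-time policy described in techie's two posts above: judge only the connecting IP (local reject list, dynamic address space unless it is the server's own ISP, DNSBL listings, reverse DNS that is missing, points at a nonexistent name, or does not resolve back to the IP, and clients that start talking before the greeting), and either refuse the transaction outright or accept it with no later spam tagging. All networks, hostnames, DNSBL zones and listings are constructed placeholders (documentation address ranges and .example/.test names), and the PTR, A and DNSBL lookups are dictionary stubs so the script runs offline; a real server would back them with DNS queries. The `learn_reject_network` helper is an assumption about how a reject list "generated based on received spam" might grow, not something the post describes in detail.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Set, Tuple

# --- Constructed policy data: documentation ranges and .example/.test names.
# --- None of these are real listings, real networks or real DNSBL zones.
LOCAL_REJECT_LIST: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("203.0.113.0/24"),   # a "100% spam" network listed after past spam
]
DYNAMIC_SPACE = [ipaddress.ip_network("192.0.2.0/24")]     # known dialup/cable/DSL pool
OWN_ISP_SPACE = [ipaddress.ip_network("192.0.2.128/25")]   # our own ISP's customers are allowed
DNSBL_ZONES = ["bl.example.test", "dyn.example.test"]      # hypothetical DNSBL zones

# Offline stand-ins for PTR, A and DNSBL lookups (constructed).
PTR_RECORDS: Dict[str, str] = {
    "198.51.100.200": "mail.good.example",       # consistent forward and reverse DNS
    "198.51.100.201": "mail.ghost.example",      # PTR names a host with no A record
    "198.51.100.202": "mail.mismatch.example",   # forward lookup gives a different IP
    "198.51.100.203": "mail.listed.example",     # DNS is fine, but the IP is on a DNSBL
    "192.0.2.200": "smtp.ourisp.example",        # in the dynamic pool, but our own ISP
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.good.example": ["198.51.100.200"],
    "mail.mismatch.example": ["198.51.100.250"],
    "mail.listed.example": ["198.51.100.203"],
    "smtp.ourisp.example": ["192.0.2.200"],
}
DNSBL_LISTINGS: Set[str] = {"203.100.51.198.bl.example.test"}


def in_any(ip: ipaddress.IPv4Address, nets) -> bool:
    return any(ip in net for net in nets)


def dnsbl_query_name(ip: ipaddress.IPv4Address, zone: str) -> str:
    """DNSBLs are queried by reversing the IPv4 octets under the zone name."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def evaluate_connection(client_ip: str, spoke_before_banner: bool = False,
                        ptr_lookup: Callable[[str], Optional[str]] = PTR_RECORDS.get,
                        a_lookup: Callable[[str], Optional[List[str]]] = A_RECORDS.get,
                        dnsbl_listed: Callable[[str], bool] = DNSBL_LISTINGS.__contains__,
                        ) -> Tuple[bool, str]:
    """Decide at connection time whether to take mail from client_ip.

    Returns (accepted, smtp_reply). Only the connecting IP is judged, as in the
    thread: a dynamic address that relays through its ISP's mail server is never
    seen here, only that mail server is.
    """
    ip = ipaddress.ip_address(client_ip)
    if not isinstance(ip, ipaddress.IPv4Address):
        return False, "554 IPv6 is not handled by this example"
    if in_any(ip, LOCAL_REJECT_LIST):
        return False, "554 source network is on the local reject list"
    if in_any(ip, DYNAMIC_SPACE) and not in_any(ip, OWN_ISP_SPACE):
        return False, "554 dynamic address space; relay through your ISP's mail server"
    for zone in DNSBL_ZONES:
        if dnsbl_listed(dnsbl_query_name(ip, zone)):
            return False, f"554 listed in {zone}"
    name = ptr_lookup(client_ip)
    if name is None:
        return False, "554 no reverse DNS"
    addrs = a_lookup(name)
    if addrs is None:
        return False, f"554 reverse DNS names nonexistent host {name}"
    if client_ip not in addrs:
        return False, f"554 reverse DNS {name} does not resolve back to {client_ip}"
    if spoke_before_banner:
        return False, "554 client started talking before the server greeting"
    return True, "220 accepted; mail goes to the mailbox or a list folder, no spam tagging"


def learn_reject_network(spam_source_ip: str, prefix_len: int = 24) -> ipaddress.IPv4Network:
    """Hypothetical helper: add the /prefix_len around a confirmed spam source to the reject list."""
    net = ipaddress.ip_network(f"{spam_source_ip}/{prefix_len}", strict=False)
    if net not in LOCAL_REJECT_LIST:
        LOCAL_REJECT_LIST.append(net)
    return net


if __name__ == "__main__":
    for ip in ("203.0.113.5", "192.0.2.10", "192.0.2.200", "198.51.100.200",
               "198.51.100.201", "198.51.100.202", "198.51.100.203", "198.51.100.210"):
        print(ip, evaluate_connection(ip))
    print("early talker", evaluate_connection("198.51.100.200", spoke_before_banner=True))
```

The checks run in the order the connection naturally exposes them: the source address is known the moment the TCP session opens, so the cheap list and DNSBL checks go first, and an early talker is only detectable once the server has delayed its greeting. Because every rejection is a reply code sent during the live SMTP session, the remote server, not this one, generates any bounce, which is the point techie makes about avoiding delayed bounces to forged addresses.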
