ECN Electrical Forum - Discussion Forums for Electricians, Inspectors and Related Professionals
ECN Shout Chat
ShoutChat Box
Recent Posts
Questioning the electrical norms
by HotLine1 - 03/04/21 12:35 PM
Lock-down Thread
by gfretwell - 03/03/21 12:38 PM
Northern Tool Recalls Powerhorse Generators
by Admin - 02/25/21 09:49 PM
You will never guess
by gfretwell - 02/25/21 07:48 PM
New in the Gallery:
Facebook follies, bad wiring
FPE in Germany pt.2
Who's Online Now
0 registered members (), 22 guests, and 19 spiders.
Key: Admin, Global Mod, Mod
Previous Thread
Next Thread
Print Thread
Rate Thread
PDF files infected, be aware! #170186 10/29/07 09:10 AM
Joined: May 2004
Posts: 364
G
Gloria Offline OP
Member
A malicious PDF file called report.pdf, debt.2007.pdf, overdraft.2007.10.26.pdf, or similar, has been massively spammed through e-mail. The PDF is spiced with exploit CVE-2007-5020 that downloads ms32.exe, which in turn downloads more components.

Massive spamming did not eventually lead to major problems, since the secondary download location was swiftly taken down preventing the downloader from functioning.

The subjects for the spam messages include:
Your credit report
Your credit points
Your balance report
Personal Financial Statement
Personal Credit Points
Personal Balance Report
Your Credit File
Balance Report



Link:
http://www.f-secure.com/v-descs/exploit_w32_adobereader_k.shtml


The world is full of beauty if the heart is full of love
Tools for Electricians:
Re: PDF files infected, be aware! [Re: Gloria] #170189 10/29/07 09:43 AM
Joined: Jul 2002
Posts: 8,379
Trumpy Offline
Member
Thanks Gloria,
That's handy to know. whistle

Re: PDF files infected, be aware! [Re: Trumpy] #170200 10/29/07 11:25 AM
Joined: Jul 2004
Posts: 9,571
G
gfretwell Online Content
Member
Another advantage in running old software I guess. That would just pop up an Adobe error on a W/98 IE6 machine. I get those a lot when I try to open new PDFs. It says you might not get all the stuff they sent but I can still see the document most of the time.


Greg Fretwell
Re: PDF files infected, be aware! [Re: gfretwell] #170331 10/31/07 07:25 PM
Joined: Mar 2005
Posts: 1,803
Alan Belson Offline
Member
I got one entitled "Income Tax deferred" or some such twaddle.
I 100% bin all e-mails without opening them unless I know the sender.
Don't be tempted- always bin without opening.
Empty your bin regularly.

I had 4 years of a spam-free diet till I let a mate on vacation use my machine to "check his e-mails".
We now get half a dozen a day offering Viagra or Enlargement of certain portions of the anatomy, all of which go in the rubbish unopened. The problem is they use a different name each time so you cant bin them on automatic. On the other hand, Lydia Trashcan or Carlos Fanackerpan kinda gives the game away. They are too stupid to use a common name like John Smith, who most of us probably know one of!



Wood work but can't!
Re: PDF files infected, be aware! [Re: Alan Belson] #170333 10/31/07 08:45 PM
Joined: Nov 2005
Posts: 823
J
JoeTestingEngr Offline
Member
That's funny! I get all these emails telling me I can make millions on a stock or enlarge that certain area. This went contrary to all my early learning that I didn't need an enlarged area (or a Corvette) if I had a million $$$.
Joe

Re: PDF files infected, be aware! [Re: JoeTestingEngr] #170347 11/01/07 11:14 AM
Joined: Jul 2004
Posts: 9,571
G
gfretwell Online Content
Member
Delete any cookies you are sure you don't need. I prompt for cookies as a default and won't take any I don't absolutely need. That dropped my spam a whole lot. The second thing is, don't google while you are logged in.
If you are logged into Yahoo, AOL, MSN or any similar service and you do a search, that search is sent to spammers with your login address. The reason Google is at $700 in the market is because they understand they are sitting on a valuable commodity, a list of customers and everything they have expressed an interest in.


Greg Fretwell
Re: PDF files infected, be aware! [Re: gfretwell] #170372 11/01/07 07:13 PM
Joined: May 2005
Posts: 247
T
techie Offline
Member
Or do as I do.. I run a non-MS OS (FreeBSD unix), and use a non-GUI MUA (Elm). I can receive attachments, but nothing happens until I save them, and open them with my choice of
application (under FreeBSD).

A lot of spam is very obvious. it's pure HTML, and appears as gibberish in Elm. >99% of the pure HTML email I receive is spam.

I do get a lot of spam, but then again my email addresses have been public knowledge for many years (one has been in use for 16 years..) I run my own mailservers, and I reject
a lot of mail at the SMTP level, based on the IP address of the sender.

If the source is a known dynamic dialup/cable/dsl address, or is assigned to an entity in china, korea, africa, EV1.net/EV1servers.net, wanadoo/france telecom, BT, interbusiness.it, etc, or appears on any of a dozen DNSBLs it is rejected immediately, before my server agrees to accept it.

I have a local reject list of over 26,000 ip networks generated based on received spam over the last 5-6 years.
Some countries/isp's are listed based on a zero-tolerance policy, based on 100% spam/0% content/0% abuse response.
If I find ip space assigned to them, it gets listed in my reject list.

If the sender has no reverse DNS, reverse DNS that points to a nonexistent domain, or reverse DNS that does not match the forward DNS for the given hostname, then it is rejected.
If the host fails to wait for the SMTP HELO, it is rejected for violating RFC822.

future additions include the rfc-ignorant list, which lists isp's that do not have functional abuse or postmaster addresses.

anything that leaks through gets forwarded to Spamcop as a complaint. I currently don't use spamassassin to filter spam.

I prefer to reject at the initial SMTP transaction, which means that the sender should receive a bounce from their server, as opposed to a delayed bounce sent from my server to a probably forged address.

Any challenge-response emails that I receive are considered spam, as that system is in many ways as bad or worse than the spam itself, and can be used as an attack vector.
(send a spam using my (forged) address to a site using challenge-response, and I get the challenge, even though the source address was forged.)

Last edited by techie; 11/01/07 07:14 PM.
Re: PDF files infected, be aware! [Re: techie] #170387 11/01/07 11:40 PM
Joined: Jul 2004
Posts: 9,571
G
gfretwell Online Content
Member
I use my real address everywhere including newsgroups and I really don't get that much spam. Nothing like I used to get when I was browsing from within AOL.
I also have a web site and it is interesting how they scoop up addresses there. This is the HOA web site, I just manage it. They set up a lot of boiler plate addresses when they got the original site (president@xxx, Treasurer@xxx). Nobody had actually figured out how to use them until I got the job. Some of the mailboxes were empty, some were stuffed. Anything on a "contact" or an "index" page gets spam. I also noticed a bulletin board on the index page and one page down collects spam but if it is 3 levels deep it doesn't.


Greg Fretwell
Re: PDF files infected, be aware! [Re: gfretwell] #170702 11/09/07 04:13 AM
Joined: May 2004
Posts: 364
G
Gloria Offline OP
Member
Alan! LOL laugh true.
techie: I suppose you can be angry at some friends who don't write to you anymore, maybe you should check your spams some times. I have found a friend's e-mail in my spam few months after she sent it, I was a bit upset.

Anyhow, the last few weeks the number of daily spams decreased by about 70%, it can be the success of Gmail, or the arrest of a few of those guys.
One more thing, I use dynamic IP, so I guess banning IP is not really a solution.


The world is full of beauty if the heart is full of love
Re: PDF files infected, be aware! [Re: Gloria] #170758 11/11/07 03:21 AM
Joined: May 2005
Posts: 247
T
techie Offline
Member
Maybe I wasn't clear.

Mail is either accepted or rejected.

Any mail rejected is never received by my server. The remote server receives a rejection, and the transaction is immediately terminated. The sender receives an immediate bounce, and knows that they need to use another communication channel.

If the mail is accepted by my server, it ends up either in my mailbox, or if it is sent via one of the mailing lists that I subscribe to, it gets sorted directly into a folder associated with that list for later reading.

I don't have any filters that mark mail as spam after it is received. Once the mail is received, I am the filter, and as such there is no mis-tagged email, or email mistakenly filed in the spam folder.

My system only checks the IP of the host that is connecting to my server. It does not check to see if the email originated from a dynamic IP address, and was relayed through an ISP's mail server, only if the address that is connecting to my server is a dynamic IP.

[Internet Postmaster hat on]

Given the exponential growth of trojaned PC's, and drive-by spamming, there is absolutely no reason why a mail server should accept any email from dynamic IP space, unless that IP space belongs to the ISP running the server. (ie: Cox's servers should accept mail from Cox's IP space.)

Best practices dictate that ISP's should pro-actively filter outgoing SMTP traffic originating from within their dynamic IP space, and require that all outgoing SMTP traffic be passed to their mail servers, where virus filters can be applied before the mail is allowed out into the wild.

Legitimate mail servers should be on static IP's. There is no valid reason why a mail server should be on a dynamic IP.


Featured:

2020 National Electrical Code
2020 National Electrical
Code (NEC)

* * * * * * *

2020 Master Electrician Exam Preparation Combos
2020 NEC Electrician
Exam Prep Combos:
Master / Journeyman

 

Member Spotlight
sparky66wv
sparky66wv
West Virginia
Posts: 2,236
Joined: November 2000
Show All Member Profiles 
Top Posters(30 Days)
Popular Topics(Views)
275,689 Are you busy
209,610 Re: Forum
196,959 Need opinion
Powered by UBB.threads™ PHP Forum Software 7.7.3