Why are people at LEMIS spamming me?

by Greg Lehey
Last update: $Date: 2003/12/06 04:26:16 $

Have you received spam from LEMIS? That's as good as impossible, but it's quite possible that you have received mail which looks as if it came from here. One of the nastier tricks spammers use is to forge the sender address of people who have caused them trouble. Nothing stops a sender from putting any address at all in the From: line or in the envelope sender, and plain SMTP verifies neither, so unless you look carefully at the headers it looks as if we're doing the spamming.

I have never seen one of these spams first hand. What I do see are the results when the spam can't be delivered. For example, this message:

From: postmaster <postmaster@FreeBSD.org>
To: grog@FreeBSD.org
Subject: Undeliverable mail--"here for 1 month of FREE"

--Sd737D3WdNJL3nqrz0hs6i
Content-Type: application/octet-stream;
        name=PortableComputer_bottom;sz=468x60;ord=49268084[1].htm
Content-Transfer-Encoding: base64
Content-ID: <PWy7hE16C28o>

PEhUTUw+DQo8Qk9EWT48YSB0YXJnZXQ9Il9uZXciIGhyZWY9Imh0dHA6Ly9hZC5kb3VibGVj
(etc)

There's more information than this, of course. With full headers this particular message looks like this:

From austria@verizon.net  Thu Jul 18 16:41:51 2002
Return-Path: <austria@verizon.net>
Delivered-To: grog@lemis.com
Received: from mx2.freebsd.org (mx2.FreeBSD.org [216.136.204.119])
        by wantadilla.lemis.com (Postfix) with ESMTP id 01E0C81448
        for <grog@lemis.com>; Thu, 18 Jul 2002 16:38:09 +0930 (CST)
Received: from hub.freebsd.org (hub.FreeBSD.org [216.136.204.18])
        by mx2.freebsd.org (Postfix) with ESMTP id 6A70F55953
        for <grog@lemis.com>; Thu, 18 Jul 2002 00:06:01 -0700 (PDT)
        (envelope-from austria@verizon.net)
Received: by hub.freebsd.org (Postfix)
        id 51E6937B401; Thu, 18 Jul 2002 00:06:01 -0700 (PDT)
Delivered-To: grog@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
        by hub.freebsd.org (Postfix) with ESMTP id 2C08037B400
        for <grog@FreeBSD.org>; Thu, 18 Jul 2002 00:06:01 -0700 (PDT)
Received: from out004.verizon.net (out004pub.verizon.net [206.46.170.142])
        by mx1.FreeBSD.org (Postfix) with ESMTP id 8D43843E64
        for <grog@FreeBSD.org>; Thu, 18 Jul 2002 00:06:00 -0700 (PDT)
        (envelope-from austria@verizon.net)
Received: from Uaui ([4.63.27.132]) by out004.verizon.net
          (InterMail vM.5.01.05.05 201-253-122-126-105-20020426) with SMTP
          id <20020718070552.QMJV27708.out004.verizon.net@Uaui>
          for <grog@FreeBSD.org>; Thu, 18 Jul 2002 02:05:52 -0500
From: postmaster <postmaster@FreeBSD.org>
To: grog@FreeBSD.org
Subject: Undeliverable mail--"here for 1 month of FREE"
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary=Sd737D3WdNJL3nqrz0hs6i
Message-Id: <20020718070552.QMJV27708.out004.verizon.net@Uaui>
Date: Thu, 18 Jul 2002 02:06:01 -0500
X-Spam-Status: No, hits=-99.1 required=5.0 tests=LARGE_HEX,LINE_OF_YELLING,A_FROM_IN_AUTO_WLIST version=2.01

--Sd737D3WdNJL3nqrz0hs6i
Content-Type: application/octet-stream;
        name=PortableComputer_bottom;sz=468x60;ord=49268084[1].htm
Content-Transfer-Encoding: base64
Content-ID: <PWy7hE16C28o>

PEhUTUw+DQo8Qk9EWT48YSB0YXJnZXQ9Il9uZXciIGhyZWY9Imh0dHA6Ly9hZC5kb3VibGVj
bGljay5uZXQvY2xpY2s7MTUwNzE2ODswLTA7MDs0NDE1NjA3OzEtNDY4fDYwOzB8MHwwOzs/
aHR0cDovL2NsaWNrLmF2ZW51ZWEuY29tL2dvL3dpc2VhZHNfbXNuaWFfYmExMjM3XzA3MTIw
MG1iXzQ2OHg2MF8xL2RpcmVjdC8wMTIzODMzODQiPjxpbWcgc3JjPSJodHRwOi8vdmlldy5h
dmVudWVhLmNvbS92aWV3L3dpc2VhZHNfbXNuaWFfYmExMjM3XzA3MTIwMG1iXzQ2OHg2MF8x
L2RpcmVjdC8wMTIzODMzODQiIGJvcmRlcj0wIHdpZHRoPTQ2OCBoZWlnaHQ9NjAgYWx0PSJD
bGljayBoZXJlIGZvciAxIG1vbnRoIG9mIEZSRUUqIE1TTiBJbnRlcm5ldCBBY2Nlc3MhIj48
L2E+PC9CT0RZPg0KPC9IVE1MPj==

As the headers indicate, this message is in multipart/alternative form, one favoured by Microsoft mailers for HTML mail. Strictly, multipart/alternative is meant to carry the same content in different renderings (say, a plain text and an HTML version) so that the reader's mail program can pick one; here it is used to bundle an HTML notice, a binary attachment and a text part, which is not what it's for. Note also the X-Spam-Status: line: SpamAssassin gave this message a score of -99.1, because the forged From: address was on its auto-whitelist (A_FROM_IN_AUTO_WLIST). A whitelist keyed on a header that the sender writes is under the sender's control. The structure of the message is:

-- Mutt: Attachments
  1 <no description>    [multipa/alternativ, 7bit, 127K]
  2 <no description>    [text/html, quoted, us-ascii, 0.3K]
  3 border.bat          [applica/octet-stre, base64, 126K]
  4 <no description>    [text/plain, 7bit, us-ascii, 0.7K]

Attachment 1 in fact contains the other three attachments. Attachment 2 looks like this:

<HTML><HEAD></HEAD><BODY>

<FONT>The following mail can't be sent to austria@msdirectservices.com:<br>
<br>
From: grog@FreeBSD.org<br>
To: austria@msdirectservices.com<br>
Subject: here for 1 month of FREE<br>
The file is the original mail</FONT></BODY></HTML>

Attachment 3 is much bigger than all the rest put together. It starts like this:

MZ\220^@^C^@^@^@^D^@^@^@ÿÿ^@^@¸^@^@^@^@^@^@^@@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@Ø^@+^@^@^N^_º^N^@´ Í!¸^ALÍ!This prog
ram cannot be run in DOS mode.^M^M$^@^@^@^@^@^@^@^X\231}à\ø^S³\ø^S³\ø^S³'ä^_
³Xø^S³ßä^]³Oø^S³´ç^Y³fø^S³>ç^@³Uø^S³\ø^R³%ø^S³´ç^X³Nø^S³äþ^U³]ø^S³Rich\ø^S³^@

Note particularly the MZ at the beginning, and also the text This program cannot be run in DOS mode. The MZ is what we call a magic number in UNIX: it identifies the file as a DOS or Windows executable, whatever its name says. Every Win32 executable starts with a small DOS stub, which is what prints that message if the file is run under DOS, followed (at the offset stored at byte 0x3c) by the real PE header; file(1) recognises the same signature. So despite the name border.bat, which would suggest a batch script, this is not text at all but some malicious executable designed to exploit Microsoft security holes. Judge an attachment by its contents, not by the name or extension the sender chose for it.

Finally, there's the part we saw in the first place. Decoding its base64 gives a short HTML file (about 400 bytes) containing a single banner advertisement: a link to ad.doubleclick.net wrapped around an image whose alt text reads Click here for 1 month of FREE* MSN Internet Access!, of which the Subject: line, here for 1 month of FREE, is a fragment. The name PortableComputer_bottom;sz=468x60;ord=49268084[1].htm, with its [1].htm suffix, is the form Internet Explorer gives files in its cache, which suggests it was picked up from the browser cache of the machine that sent the message. I don't know what purpose it serves.
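The two inspections above, decoding the base64 part and checking for the MZ signature, as an added Python example that is not part of the original page. It decodes the base64 text quoted earlier and classifies the result by content rather than by name. Since only the first bytes of border.bat are shown, the executable case uses a constructed stand-in with the same layout (MZ header, e_lfanew pointer at 0x3c, DOS stub text, PE signature) rather than the real attachment; the classification rules and the list of "executable" extensions are this example's own choices.

```python
import base64
import re
import struct

# Base64 body of the first part, copied from the message quoted above.
FIRST_PART_B64 = (
    "PEhUTUw+DQo8Qk9EWT48YSB0YXJnZXQ9Il9uZXciIGhyZWY9Imh0dHA6Ly9hZC5kb3VibGVj"
    "bGljay5uZXQvY2xpY2s7MTUwNzE2ODswLTA7MDs0NDE1NjA3OzEtNDY4fDYwOzB8MHwwOzs/"
    "aHR0cDovL2NsaWNrLmF2ZW51ZWEuY29tL2dvL3dpc2VhZHNfbXNuaWFfYmExMjM3XzA3MTIw"
    "MG1iXzQ2OHg2MF8xL2RpcmVjdC8wMTIzODMzODQiPjxpbWcgc3JjPSJodHRwOi8vdmlldy5h"
    "dmVudWVhLmNvbS92aWV3L3dpc2VhZHNfbXNuaWFfYmExMjM3XzA3MTIwMG1iXzQ2OHg2MF8x"
    "L2RpcmVjdC8wMTIzODMzODQiIGJvcmRlcj0wIHdpZHRoPTQ2OCBoZWlnaHQ9NjAgYWx0PSJD"
    "bGljayBoZXJlIGZvciAxIG1vbnRoIG9mIEZSRUUqIE1TTiBJbnRlcm5ldCBBY2Nlc3MhIj48"
    "L2E+PC9CT0RZPg0KPC9IVE1MPj=="
)
FIRST_PART_NAME = "PortableComputer_bottom;sz=468x60;ord=49268084[1].htm"

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."

# Extensions Windows treats as directly runnable (example's own list, not exhaustive).
EXECUTABLE_EXTENSIONS = {"exe", "com", "dll", "scr", "pif"}


def fake_pe():
    """Constructed stand-in for border.bat (NOT the real attachment): a minimal file
    laid out like a Win32 executable -- 64-byte MZ header, e_lfanew at 0x3c pointing
    at the PE signature, and the usual DOS stub in between."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3e)            # DOS header, 0x40 bytes
    struct.pack_into("<I", hdr, 0x3c, 0x80)             # e_lfanew: PE header at 0x80
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + DOS_STUB_TEXT + b"\r\r\n$")               # the 16-bit stub that prints the text
    body = hdr + stub
    body += b"\x00" * (0x80 - len(body))                # pad up to the PE header
    body += b"PE\x00\x00"                               # PE signature
    return bytes(body)


def classify(data):
    """Identify a decoded part by its content, ignoring whatever name it was given."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            pe_off = struct.unpack_from("<I", data, 0x3c)[0]
            if data[pe_off:pe_off + 4] == b"PE\x00\x00":
                return "pe-executable"
        return "dos-executable"
    head = data.lstrip()[:32].lower()
    if head.startswith(b"<html") or head.startswith(b"<!doctype"):
        return "html"
    return "unknown"


def inspect_part(name, b64):
    """Decode one base64 MIME part and report what it really is."""
    data = base64.b64decode(b64)
    kind = classify(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    executable = kind.endswith("executable")
    alt = None
    if kind == "html":
        m = re.search(rb'alt="([^"]*)"', data)          # banner text, if any
        if m:
            alt = m.group(1).decode("ascii", "replace")
    return {
        "name": name,
        "kind": kind,
        "executable": executable,
        # an executable hiding behind a non-executable extension (border.bat)
        "misnamed": executable and ext not in EXECUTABLE_EXTENSIONS,
        "dos_stub": DOS_STUB_TEXT in data,
        "alt": alt,
    }


def inspect_message():
    """Run the real first part and the constructed border.bat stand-in through inspect_part()."""
    return [
        inspect_part(FIRST_PART_NAME, FIRST_PART_B64),
        inspect_part("border.bat", base64.b64encode(fake_pe()).decode("ascii")),
    ]


if __name__ == "__main__":
    for result in inspect_message():
        print(result)
```

The point of classify() is that the decision never looks at the filename: the .htm part is recognised by its opening tag and the "batch file" by its MZ header and PE signature, which is the same check file(1) makes.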

What's missing from this message is any indication of where the original mail came from. The Received: headers shown above trace only this notification: read from the bottom up, it was handed to out004.verizon.net by a machine calling itself Uaui at 4.63.27.132, went from there to mx1.FreeBSD.org, and was forwarded via hub and mx2 to lemis.com. That is enough to show that the From: line is forged: a genuine non-delivery report from FreeBSD.org's postmaster would be generated inside FreeBSD.org, not injected from a verizon.net customer, and it would carry an empty envelope sender, whereas this one has envelope-from austria@verizon.net. The mail it claims to report, the one supposedly from grog@FreeBSD.org, is not included with its headers, so nothing here says where that was sent from. Only the Received: lines added by servers you trust are reliable; a sender can write any number of fake ones beneath them. I'd be very interested to find out who sends these messages. If you get any message like this, ostensibly from lemis.com, please send it with the complete headers to abuse@lemis.com. If you're using a UNIX-based MUA (mail program), there should be a bounce command which will do this for you. If you're using Microsoft, I don't know how to do it; possibly your MTA (mail transfer agent) has already stripped the information. I'd be grateful for whatever you can find, though.
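To make the tracing concrete, here is a small Python script, added for this page and not part of the original, that takes the header block quoted above (with the leading mbox From line dropped and the headers after Subject: omitted) and walks the Received: headers from the last-added one back to the first. It reports the host that injected the message, checks whether the message passed through the domain claimed in From: before any outside host handled it, and shows the envelope sender. The regular expression for Received: lines is this example's own and covers the Postfix and InterMail formats seen here, not every format in the wild.

```python
import email
import email.utils
import re

# Header block of the message quoted above (mbox "From " line dropped, headers
# after Subject: omitted); folded continuation lines are kept as they arrived.
HEADERS = """\
Return-Path: <austria@verizon.net>
Delivered-To: grog@lemis.com
Received: from mx2.freebsd.org (mx2.FreeBSD.org [216.136.204.119])
        by wantadilla.lemis.com (Postfix) with ESMTP id 01E0C81448
        for <grog@lemis.com>; Thu, 18 Jul 2002 16:38:09 +0930 (CST)
Received: from hub.freebsd.org (hub.FreeBSD.org [216.136.204.18])
        by mx2.freebsd.org (Postfix) with ESMTP id 6A70F55953
        for <grog@lemis.com>; Thu, 18 Jul 2002 00:06:01 -0700 (PDT)
        (envelope-from austria@verizon.net)
Received: by hub.freebsd.org (Postfix)
        id 51E6937B401; Thu, 18 Jul 2002 00:06:01 -0700 (PDT)
Delivered-To: grog@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
        by hub.freebsd.org (Postfix) with ESMTP id 2C08037B400
        for <grog@FreeBSD.org>; Thu, 18 Jul 2002 00:06:01 -0700 (PDT)
Received: from out004.verizon.net (out004pub.verizon.net [206.46.170.142])
        by mx1.FreeBSD.org (Postfix) with ESMTP id 8D43843E64
        for <grog@FreeBSD.org>; Thu, 18 Jul 2002 00:06:00 -0700 (PDT)
        (envelope-from austria@verizon.net)
Received: from Uaui ([4.63.27.132]) by out004.verizon.net
          (InterMail vM.5.01.05.05 201-253-122-126-105-20020426) with SMTP
          id <20020718070552.QMJV27708.out004.verizon.net@Uaui>
          for <grog@FreeBSD.org>; Thu, 18 Jul 2002 02:05:52 -0500
From: postmaster <postmaster@FreeBSD.org>
To: grog@FreeBSD.org
Subject: Undeliverable mail--"here for 1 month of FREE"

"""

# "from <client> (<comment>) by <server>"; the from-clause is absent for local hops.
HOP_RE = re.compile(r"(?:from\s+(\S+)\s*(?:\(([^)]*)\))?\s*)?by\s+(\S+)", re.I)


def parse_received(value):
    """Extract (client name, client IP, receiving host) from one Received: value."""
    m = HOP_RE.match(" ".join(value.split()))          # unfold, then match
    if not m:
        return None
    helo, comment, by = m.groups()
    ip = None
    if comment:
        ipm = re.search(r"\[([0-9.]+)\]", comment)     # the IP the server itself saw
        if ipm:
            ip = ipm.group(1)
    return {"helo": helo, "ip": ip, "by": by.rstrip(";")}


def trace(raw_headers):
    """Hops in delivery order: index 0 is the first server to see the message."""
    msg = email.message_from_string(raw_headers)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def origin(raw_headers):
    """The first recorded client: what it called itself, its IP, and who logged it."""
    hop = next(h for h in trace(raw_headers) if h["ip"])
    return hop["helo"], hop["ip"], hop["by"]


def entry_hop(hops, domain):
    """The hop at which the mail first reached a server in `domain`, or None."""
    d = domain.lower()
    for h in hops:
        if h["by"].lower().endswith(d):
            return h
    return None


def from_domain_consistent(raw_headers):
    """Did the From: domain handle the message before any outside host did?

    A genuine bounce from postmaster@FreeBSD.org would be generated inside
    FreeBSD.org.  Here the mail reaches mx1.FreeBSD.org from out004.verizon.net,
    so the From: line cannot be believed."""
    msg = email.message_from_string(raw_headers)
    domain = email.utils.parseaddr(msg["From"])[1].rpartition("@")[2]
    hop = entry_hop(trace(raw_headers), domain)
    if hop is None or hop["helo"] is None:
        return False
    return hop["helo"].lower().endswith(domain.lower())


def envelope_sender(raw_headers):
    """Return-Path as recorded at final delivery; real bounces carry an empty one."""
    msg = email.message_from_string(raw_headers)
    return email.utils.parseaddr(msg.get("Return-Path", ""))[1]


if __name__ == "__main__":
    for h in trace(HEADERS):
        print(f'{h["helo"] or "(local)":24} {h["ip"] or "-":16} -> {h["by"]}')
    print("origin:", origin(HEADERS))
    print("From: domain consistent with path:", from_domain_consistent(HEADERS))
    print("envelope sender:", envelope_sender(HEADERS) or "<> (null)")
```

Only the Received: lines written by servers you trust carry weight: here the headers added by lemis.com and FreeBSD.org are the trustworthy ones, and they establish that the message arrived from out004pub.verizon.net [206.46.170.142]. The line naming Uaui at 4.63.27.132 is verizon's record of its own customer, which is plausible but outside that trust boundary.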


$Id: lemisspam.html,v 1.3 2003/12/06 04:26:16 grog Exp $