[Dshield] Microsoft Patch

John Sage jsage at finchhaven.com
Fri Sep 19 14:44:47 GMT 2003


On Thu, Sep 18, 2003 at 01:50:26PM -0400, Guy Barnum wrote:
> Did anyone else receive an email from microsoft with an attached exe
> containing the latest security patch?

There is not, nor has there ever been, nor will there ever be any
"latest security patch" emailed out from Micro$oft.

> With the ease that email headers can be faked I'm surprised M$ would
> send out an attachment like this via email.  Imagine how easy it
> would be to send out a fake email with malware attached!

Oh, yes, imagine!

> Has anyone tried to fake emails from M$ in the past?

Uh... where have you been?


Anyway, I seem to be seeing three variants by source, but all have
pretty much the same <iframe src= > mechanism...

The first:

Received: from hmproxy2.horacemann.com (hmext1.horacemann.com
  [209.144.37.170])
   by mx1.eskimo.com (8.9.3/8.8.8) with SMTP id OAA05998
   for <jsage at finchhaven.com>; Thu, 18 Sep 2003 14:06:20 -0700
Date: Thu, 18 Sep 2003 14:06:20 -0700
Message-Id: <200309182106.OAA05998 at mx1.eskimo.com>
Received: from 10.70.1.98 by hmproxy2.horacemann.com (InterScan E-Mail
  VirusWall+NT); Thu, 18 Sep 2003 16:04:18 -0500
Received: from dgdrewi
  ([10.7.10.22])
   by bop1.horacemann.com; Thu, 18 Sep 2003 16:01:46 -0500
FROM: "Program Security Center" <roeffxreyroql at support.net>
TO: "Partner" <partner_wcdfqqhf at support.net>
SUBJECT: Current Network Patch

/* snip */

Received: from hmproxy2.horacemann.com (hmext1.horacemann.com
   [209.144.37.170])
    by mx1.eskimo.com (8.9.3/8.8.8) with SMTP id OAA07360
    for <jsage at finchhaven.com>; Thu, 18 Sep 2003 14:07:44 -0700
Date: Thu, 18 Sep 2003 14:07:44 -0700
Message-Id: <200309182107.OAA07360 at mx1.eskimo.com>
Received: from 10.70.1.98 by hmproxy2.horacemann.com (InterScan E-Mail
  VirusWall+NT); Thu, 18 Sep 2003 16:04:59 -0500
Received: from ojapy
        ([10.7.10.22])
        by bop1.horacemann.com; Thu, 18 Sep 2003 16:02:12 -0500
FROM: "Admin" <mailerengine at freemail.com>
TO: "inet client" <receiver at mxdomain.com>
SUBJECT: Mail: User unknown

with this as the operating mechanism:

<iframe src="cid:qhgpcybslfkaxr" height=0 width=0></iframe>
<BR><BR>Hi.
<BR>Message from freemail.com
<BR><BR><BR><BR>Undeliverable message to <B>wnmfajk at freemail.com</B>
<BR><BR><BR>Message follows:<BR><BR><BR><BR>



The second:

Received: from asvjk (dpc6682214019.direcpc.com [66.82.214.19])
  by a34-mta02.direcway.com
  (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
  with SMTP id <0HLG005ZJI5ND1 at a34-mta02.direcway.com> for
  jsage at finchhaven.com;
  Fri, 19 Sep 2003 06:22:49 -0400 (EDT)
Date: Fri, 19 Sep 2003 06:22:44 -0400 (EDT)
Date-warning: Date header was inserted by a34-mta02.direcway.com
From: Microsoft Corporation Security Services
  <prluqsibhccsmf at technet.com>
Subject: Newest Microsoft Critical Update
To: MS Consumer <consumer_nlrwuklzkm at technet.com>

/* snip */

Received: from sexmofd (dpc6682214019.direcpc.com [66.82.214.19])
  by a34-mta02.direcway.com
  (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
  with SMTP id <0HLG0058TI9JL7 at a34-mta02.direcway.com> for
  jsage at finchhaven.com;
  Fri, 19 Sep 2003 06:25:03 -0400 (EDT)
Date: Fri, 19 Sep 2003 06:25:02 -0400 (EDT)
Date-warning: Date header was inserted by a34-mta02.direcway.com
From: Administrator <smtpprogram at microsoft.com>
Subject: Report
To: Internet Recipient <user at maildomain.com>

with this as the operating mechanism:

<iframe src="cid:vvklww" height=0 width=0></iframe>
<BR><BR>Hi.
<BR>Message from microsoft.com
<BR><BR>I'm sorry to have to inform you that the message returned
below could not be delivered to the following addresses:<BR>
<BR><BR><BR>Undelivered to <B>zvwhjnlz at microsoft.com</B>
<BR><BR><BR>Message follows:<BR><BR><BR><BR>



The third:

Received: from cvszg ([65.94.194.172]) by tomts6-srv.bellnexxia.net
  (InterMail vM.5.01.06.04 201-253-122-130-104-20030726) with SMTP
   id <20030919130532.EUOC23434.tomts6-srv.bellnexxia.net at cvszg>;
   Fri, 19 Sep 2003 09:05:32 -0400
FROM: "Microsoft Corporation Security Department"
   <pthyprgpdpl at updates.com>
TO: "User" <user at updates.com>
SUBJECT: Internet Pack

/* snip */

Received: from pbwf ([65.94.194.172]) by tomts6-srv.bellnexxia.net
  (InterMail vM.5.01.06.04 201-253-122-130-104-20030726) with SMTP
   id <20030919131051.FAGY23434.tomts6-srv.bellnexxia.net at pbwf>;
   Fri, 19 Sep 2003 09:10:51 -0400
FROM: "MS Net Storage System" <webbot at netmail.com>
TO: "Internet Client" <receiver at mailserver.com>
SUBJECT: Announcement

with this as the operating mechanism:

<iframe src="cid:tqqohytrwtfb" height=0 width=0></iframe>
<BR>I'm sorry I wasn't able to deliver your message to one or more
destinations
.<BR>
<BR><BR><BR>Undelivered message to <B>wrfwdkis at netmail.com</B>
<BR><BR><BR>Message follows:<BR><BR><BR><BR>




- John
-- 
"Warning: time of day goes back, taking countermeasures."
John Sage
InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.
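All three variants above share one delivery mechanism: an HTML body that
carries a zero-sized <iframe> whose src is a cid: URL, which points at an
attachment by its Content-ID, dressed up as a bounce notice or a "critical
update" from a Microsoft-sounding sender. The check below is an added
example and not code from the original post; it parses a raw message,
finds every iframe that references cid: content, resolves the Content-ID
to the attached MIME part, and flags the message when that part is not
an image. The sample message is constructed to match the shape of the
third variant; the boundary string, the filename patch.exe and the
base64 bytes are assumptions, not captured data.

```python
import email
import re
from email import policy
from typing import Dict, List

# Constructed sample modelled on the third variant in the post above.
# Boundary, filename and the base64 payload bytes are made up; the
# headers and the iframe line mirror what the post shows.
SAMPLE_MESSAGE = b"""\
From: "Microsoft Corporation Security Department" <pthyprgpdpl@updates.com>
To: "User" <user@updates.com>
Subject: Internet Pack
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<iframe src="cid:tqqohytrwtfb" height=0 width=0></iframe>
<BR>I'm sorry I wasn't able to deliver your message to one or more
destinations.<BR>

--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Transfer-Encoding: base64
Content-ID: <tqqohytrwtfb>
Content-Disposition: attachment; filename="patch.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Matches <iframe ... src="cid:XXXX" ...> regardless of attribute order,
# quoting style or case; group 1 is the bare Content-ID.
IFRAME_CID_RE = re.compile(
    r'<iframe[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.IGNORECASE)


def hidden_iframe_cids(html: str) -> List[str]:
    """Return every Content-ID referenced by an iframe in an HTML body."""
    return IFRAME_CID_RE.findall(html)


def find_cid_iframe_attachments(raw: bytes) -> List[Dict]:
    """Resolve each iframe cid: reference to the MIME part it names.

    Each finding records the cid, whether a part with that Content-ID
    exists, and that part's content type and filename (None if absent).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Index every part by its Content-ID, with the surrounding <> stripped.
    parts_by_cid = {}
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid:
            parts_by_cid[cid.strip().strip("<>")] = part

    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for cid in hidden_iframe_cids(part.get_content()):
            target = parts_by_cid.get(cid)
            findings.append({
                "cid": cid,
                "resolves": target is not None,
                "content_type": target.get_content_type() if target else None,
                "filename": target.get_filename() if target else None,
            })
    return findings


def classify(raw: bytes) -> str:
    """Verdict string: 'block: ...' when an iframe auto-loads a non-image
    attachment, 'suspicious: ...' when an iframe names cid: content that
    is missing or an image, 'no cid: iframe' otherwise."""
    findings = find_cid_iframe_attachments(raw)
    for f in findings:
        ctype = f["content_type"] or ""
        if f["resolves"] and not ctype.startswith("image/"):
            return "block: html body auto-loads attachment %s (%s) via iframe cid:%s" % (
                f["filename"], ctype, f["cid"])
    if findings:
        return "suspicious: iframe references cid: content"
    return "no cid: iframe"


if __name__ == "__main__":
    print(classify(SAMPLE_MESSAGE))
```

Inline images in legitimate HTML mail are also referenced as cid: URLs,
but through <img>, not <iframe>; an <iframe> loading an attachment is
never a normal construction, which is why the check keys on the tag
rather than on the height=0 width=0 attributes, which the sender is free
to vary.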