[Dshield] Virus /spammer question: possibility of remote email address lookup??

John Sage jsage at finchhaven.com
Wed Mar 3 15:06:27 GMT 2004


umm..

The first thought that comes to my mind is that I'm sure all these
people will be eternally grateful to you for the fact that you've just
posted all their email addresses to a maillist that is publicly
archived, and itself is actively trolled by spammers.

Good job!


On Tue, Mar 02, 2004 at 04:01:03PM -0600, Gary Warner wrote:
> Date: Tue, 02 Mar 2004 16:01:03 -0600
> From: Gary Warner <gar at askgar.com>
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
> 	rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
> To: packet ninjas <packet-ninjas at birmingham-infragard.org>, list at dshield.org
> Cc: 
> Subject: [Dshield] Virus /spammer question: possibility of remote email
> 	address lookup??
> 
> I'm getting bounced traffic to my "catchall" address for my domain, and 
> I'm trying to figure out if this is viral, or if there is a spammer 
> using my domain for a sending address.
> 
> If its a virus, I am  AMAZED that it is able to send to so many 
> sequential addresses.
> It is enough to make me seriously wonder if somehow the virus is doing 
> lookups against some spammer database out on the Internet.
> 
> Of course, I'm SPECULATING that this is a form of a virus. . . the 
> bounces have not included the attachment, and the subject lines are not 
> matching my list of known subjects:
> 
> Look, for example, at this list of emails sent from 
> "kayceficsuer at aksgar.com" by a machine at IP address 81.202.41.233 sent 
> a copy of the virus to them.
> 
> Message subject was:  Stocks that will doubl3 in @- w3ek
> 

/* snip */

> 
> On another computer (81.60.164.9) mail was sent "from 
> Josettejeabluhy at askgar.com" (this computer is in Spain) to this list:
> 
> Message subject was:   -98% of our Stocks Make+ Mon3y

/* snip */

> The text of this email indicated the reader should see the attached 
> financial report...
> 
> 
> The last one that I received so far was sent from 
> "Leonagjgnakuvf at askgar.com" and went to:

/* snip */

> With the subject: 
> Stocks with littl-3 risk_ in 04
> 
> What kind of person would have TWENTY email addresses in the "userid= pol - 
> pow" range on yahoo.com sitting on their hard drive?
> or THIRTY-FIVE email addresses in the range "userid = eda - edd" on 
> aol.com, or TWENTY email in the range "angelh - angelm" on aol.com?
> 
> Would the virus REALLY search ALL the email addresses on their machine, and 
> then alphabetize them by email address and send in blocks of 20 or 35 in 
> alphabetical order?
> 
> I can reach no rational conclusion other than to suggest that there is an 
> "online lookup" function built into the virus.
> 
> Has any researcher found such code?
> 
> The first was sent from 81.202.41.233, at 02MAR04 12:46:52 -0800
> The next was sent from 217.99.65.71, at 02MAR04 14:46:51 -0500
> The last was sent from 81.60.164.9, at 02MAR04 14:53:02 -0500
> 
> Could this be an indication of a remote-control spam program in use?  I'm 
> very confused by this one!
> 
> _-_
> gary warner
> birmingham, alabama
> 
> 
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: 
> http://www.dshield.org/mailman/listinfo/list



- John
-- 
"Mad cow? You'd be mad too, if someone was trying to eat you."




More information about the list mailing list