[Dshield] Looks strange to me

Fred fretz at pacbell.net
Tue Mar 23 00:08:24 GMT 2004

Hi Dshielders,

I'm somewhere in the intermediate home user category and I've only posted here once before with a question concerning Mac computer viruses.

...I just received an email that I knew was at least spam, and probably not more, but I was concerned about the looks of the message source.  When I get an email that I have questions about I usually check it out by right clicking on the message in OE, and then Properties>Details>Message Source.  (I think that's safe to do but would appreciate being informed if I'm wrong.)
Normally I just confirm that the message is spam, close the windows and delete the message.  But the strange URLs in this message source caught my eye, and I thought people here may be interested.  I'm assuming that this isn't some strange new technique - it looks to me something like the exploit that obscures a fake URL by putting it at the end of a long series of inconsequential characters.
Also, this email got through Yahoo's bulk mail filter, which has been working fairly well for me.  It's been stopping all but a few pieces of unwanted email every now and then.  I thought the message may be trying to use a way to avoid that type of spam filter.  If that's what it was, it worked - this time anyway.

(I changed my own email address in the first line and the multiple addressees to which this message was sent, including me to: *several recipients*_at_pacbell.net.  I also changed the email address associated with "Javier Collins" from the entirely different proper name that was used in the aol address, because I didn't want to implicate or expose an innocent person's email address.)
With that said, below is the Message Source text.  It's probably more than what's necessary, but I don't know what to include and what not to include.

X-Apparently-To: [myself]_at_pacbell.net via web80513.mail.yahoo.com; Mon, 22 Mar 2004 09:52:43 -0800
Return-Path: <NotJavierCollins_at_aol.com>
Received: from mtaw1.prodigy.net (
  by mta802.mail.yahoo.com with SMTP; Mon, 22 Mar 2004 09:52:43 -0800
X-Originating-IP: []
X-Header-Overseas: Mail.from.Overseas.source.
X-Header-NoReverseIP: IP.name.lookup.failed[]
Received: from FORNEXT-MAIN ([])
 by mtaw1.prodigy.net (8.12.10/8.12.10) with SMTP id i2MHpOhY016420;
 Mon, 22 Mar 2004 09:51:45 -0800 (PST)
Received: from by; Mon, 22 Mar 2004 10:46:24 -0700
From: "Javier Collins" <NotJavierCollins_at_aol.com>
Reply-To: "Javier Collins" <NotJavierCollins_at_aol.com>
To: *several recipients*_at_pacbell.net
Subject: =?ISO-8859-2?Q?Gotta=20Try=20This=20Out?=
Date: Mon, 22 Mar 2004 21:44:24 +0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3

Content-Type: text/html;
Content-Transfer-Encoding: 7Bit

<html><HEAD><TITLE>My Homepage</TITLE><META http-equiv=Content-Type content="text/html; charset=windows-1252"><META content="" name=Author><META content="" name=Keywords><META content="" name=Description><a href="http://www.purview_hawaiian_hendrick_mayfair_ferrite_egan_aphorism_cancelled_o_sandra_pacifism_ken_october_checksumming_test_detector_minos_thorough_other_synod_arrogate_allusion_p_squatting_oscar_sulky_arc_ego_john_occasion_ashland_agnew_within_"></a>
I<a href="fugitive_"></a>f your tir<a href="apollo_"></a>ed of pay<a href="buxton_"></a>ing for P<a href="redbird_"></a>ay-Pe<a href="nosebag_"></a>r View Mov<a href="november_"></a>ies, Ad<a href="cellar_"></a>ult Mov<a href="hitch_"></a>ies, Spor<a href="durance_"></a>ting Even<a href="pancho_"></a>ts, or Mov<a href="draftsmen_"></a>ie Chann<a href="superfluity_"></a>els than th<a href="hellish_"></a>is prod<a href="warp_"></a>uct is for yo<a href="avery_"></a>u! Th<a href="plight_"></a>e Enhan<a href="contour_"></a>ced, 4t<a href="deed_"></a>h Gener<a href="sustenance_"></a>ation Dig<a href="protestant_"></a>ital Cab<a href="tomato_"></a>le Decra<a href="ovum_"></a>mbler will not only enh<a href="aphrodite_"></a>ance the qua<a href="crt_"></a>lity of <a href="hippodrome_"></a>your sig<a href="stormbound_"></a>nal, but will g<a href="holdover_"></a>et you ea<a href="quasicontinuous_"></a>ch of the ab<a href="hump_"></a>ove servi<a href="potassium_"></a>ces for Fr<a href="duckling_"></a>ee! We sh<a href="prague_"></a>ip anyw<a href="evade_"></a>here in the wo<a href="corduroy_"></a>rld and offer the best war<a href="bleed_"></a>ranty on the mar<a href="cautionary_"></a>ket. If<a href="excise_"></a> th<a href="predictor_"></a>is pro<a href="hydrofluoric_"></a>duct ever bre<a href="cardboard_"></a>aks in a<a href="teddy_"></a>ny wa<a href="buchenwald_"></a>y, sh<a href="theoretic_"></a>ape, or for<a href="draftee_"></a>m, we will gla<a href="inquiry_"></a>dly excha<a href="garden_"></a>nge it for yo<a href="recalcitrant_"></a>u. Get this 4<a href="senile_"></a>th Gene<a href="suspensor_"></a>ration Cab<a href="cockcrow_"></a>le Fil<a href="coexistent_"></a>ter No<a href="alhambra_"></a>w Whi<a href="audubon_"></a>le Supp<a href="culbertson_"></a>lies La<a href="redemption_"></a>st!
<a href="http://cabledeals.biz/cgi-bin/clickthru.cgi?id=q1w2e3">Press this To Get Yours Today</a>
<br><br><br><a href="http://cabledeals.biz/test/movere/">Press this To change your Preferance</a><a href="dogfish_"></a><a href="anomalous_"></a></html>
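
An added example, not part of the original post: the message source above splits its words with `<a>` elements that enclose no text, so the raw HTML never contains the advertised words intact while the rendered message reads normally. The Python sketch below rebuilds the text a reader would see and flags a high share of empty anchors, which is what a content filter would want to score. The names `AnchorAudit` and `audit`, the thresholds, and the `example.invalid` link are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Constructed sample: a shortened version of the body above, with a
# placeholder link (example.invalid) in place of the advertised site.
SAMPLE = (
    '<html><title>My Homepage</title>'
    'I<a href="fugitive_"></a>f your tir<a href="apollo_"></a>ed of '
    'pay<a href="buxton_"></a>ing for P<a href="redbird_"></a>ay-Pe'
    '<a href="nosebag_"></a>r View\n'
    '<a href="http://example.invalid/offer">Press this</a></html>'
)

class AnchorAudit(HTMLParser):
    """Rebuild the text a reader sees and record anchors that enclose nothing."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.empty_hrefs, self.total = [], [], 0
        self._open = None   # [href, has_content] for the anchor in progress
        self._skip = 0      # depth inside elements that are never rendered
    def handle_starttag(self, tag, attrs):
        if tag in ("title", "script", "style"):
            self._skip += 1
        elif tag == "a":
            self.total += 1
            self._open = [dict(attrs).get("href") or "", False]
        elif tag == "img" and self._open is not None:
            self._open[1] = True   # an image link is not an empty anchor
    def handle_endtag(self, tag):
        if tag in ("title", "script", "style") and self._skip:
            self._skip -= 1
        elif tag == "a" and self._open is not None:
            if not self._open[1]:
                self.empty_hrefs.append(self._open[0])
            self._open = None
    def handle_data(self, data):
        if self._skip:
            return
        if self._open is not None and data.strip():
            self._open[1] = True
        self.text.append(data)

def audit(html, min_anchors=5, min_ratio=0.5):
    """Return the recovered text and an empty-anchor verdict (thresholds assumed)."""
    p = AnchorAudit()
    p.feed(html)
    p.close()
    ratio = len(p.empty_hrefs) / p.total if p.total else 0.0
    return {"visible": " ".join("".join(p.text).split()),
            "anchors": p.total, "empty": len(p.empty_hrefs),
            "suspicious": p.total >= min_anchors and ratio >= min_ratio}
```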

