[Dshield] E-Mail Nuisance

Jonathan C. Webster jwebster03 at snet.net
Wed Feb 7 05:05:42 GMT 2007

stcarey at juno.com wrote:
> Since we block executables this postcard.e stuff is just a nuisance, however, one of the systems
> we monitor shows the attempts for delivery and during a calm moment (not many of those),
> I started looking at the header information.  What I noticed is that every one of these
> E-Mails that have hit my site have the same user agent - Thunderbird and a
> MIME - version of 1.0.  Seeing as I am getting about 1.0000+ a day, from about as many IP
> addresses, puts this in a different category (least to my thinking).  And that is a very sloppy
> attack against my network (sloppy in the fact that they are sending executables). Does anyone see the
> same user agent on the same type of E-Mails? Stan Carey

Yes, I see that too. I made a little collection of them.  The executables have several different MD5sums,
but they all show
$ grep User-Agent __card
User-Agent: Thunderbird (Windows/20061207)
User-Agent: Thunderbird (Windows/20061207)
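
Added example, not part of the original post: one way to check a mail collection for the pattern described in this thread, the same User-Agent and MIME-Version across messages whose attachments have different MD5sums. The sample messages, the "ExampleMailer 1.0" client and the function names are constructed for illustration; only the Thunderbird User-Agent string comes from the post.

```python
import email
import hashlib
from collections import defaultdict
from email import policy
from email.message import EmailMessage

THREAD_UA = "Thunderbird (Windows/20061207)"  # User-Agent quoted in the post


def build_sample(user_agent, payload):
    """Build a constructed test message with one binary attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg["User-Agent"] = user_agent
    msg.set_content("constructed body")  # also sets MIME-Version: 1.0
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="sample.bin")
    return msg.as_bytes()


# Constructed input: harmless byte strings stand in for the attachments.
SAMPLES = [
    build_sample(THREAD_UA, b"constructed-payload-A"),
    build_sample(THREAD_UA, b"constructed-payload-B"),
    build_sample(THREAD_UA, b"constructed-payload-A"),
    build_sample("ExampleMailer 1.0", b"constructed-payload-C"),  # hypothetical client
]


def cluster_by_fingerprint(raw_messages):
    """Group messages by (User-Agent, MIME-Version); collect attachment MD5s."""
    clusters = defaultdict(lambda: {"count": 0, "md5s": set()})
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        key = (str(msg.get("User-Agent", "")).strip(),
               str(msg.get("MIME-Version", "")).strip())
        clusters[key]["count"] += 1
        for part in msg.iter_attachments():
            data = part.get_payload(decode=True) or b""
            clusters[key]["md5s"].add(hashlib.md5(data).hexdigest())
    return dict(clusters)


def shared_fingerprints(clusters, min_hashes=2):
    """Fingerprints seen with several distinct attachment hashes."""
    return sorted(k for k, v in clusters.items() if len(v["md5s"]) >= min_hashes)


if __name__ == "__main__":
    for key, info in cluster_by_fingerprint(SAMPLES).items():
        print(key, info["count"], "messages,", len(info["md5s"]), "distinct MD5s")
```

A header fingerprint that stays constant while the attachment hash changes is a more stable filtering or correlation key than the MD5sums themselves.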



