Distributed spam attack

Joseph Brennan brennan at columbia.edu
Mon Dec 15 15:57:40 GMT 2003


We have over 350 Spamcop reports this morning.

A spammer with URLs that may be in China staged a big distributed
spam run this weekend using a large network of compromised PCs.
URLs in text: www.rx357.com, www.2004hosting.org, www.2004hosting.net.
Can people at other places resolve those names and connect?  I can't.
China has interfered with connections from Columbia U before.

The spam run was preceded by scans to port 65506/tcp of no known
significance at the time we saw them.  About a dozen students'
Windows boxes that had been scanned were used this weekend in
the spam run.  On Google I see many other examples sent from IPs
in many domains.  Sample message below.  All this for a penny-ante
cable descrambler product?  Or is there more to it, if you can
open the web page?

Joseph Brennan         Columbia University in the City of New York
Academic Technologies Group                   brennan at columbia.edu




Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dwindows-12=
51">
<META content=3D"MSHTML 6.00.2800.1141" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<font color=3D"white">convolve delectable agamemnon cabinetry resume talen=
t pauline philosoph shopkeep horatio signet wiry gases brett=20</font><br>=

<body>

<p>Th</earthshaking>e ul</berry>timate d</feint>igital
ca</derbyshire>ble f</nocturnal>ilter</p>
<p>Th</betty>e fil</z's>ter wi</simpleminded>ll al</writ>low
yo</surveillant>u t</hobart>o rec</flux>eive a</toolkit>ll
t</draw>he ch</redbird>annels t</monic>hat y</niacin>ou
or</tote>der wi</actinolite>th y</aqua>our r</marque>emove
cont</washbasin>rol!</p>
<p>pay</slice>perviews, adu</inspiration>lt mov</stephanotis>ies,s</brockl=
e>port
even</voss>ts,s</embattle>pecial ev</nolo>ents!
<a href=3D"http://www.2004hosting.net/cable/">
se</indigo>e n</cairn>ow!</a></p><p>
<a href=3D"http://www.2004hosting.net/cable/">
<img %RANDOM_TEXT border=3D"0"
src=3D"http://www.2004hosting.net/fiter.jpg"></a></p>

<br>
<font color=3D"white">befogging denial ferromagnet neoconservative amman c=
himeric commission healthy baleen e lourdes angelo heard beryl buchwald cl=
ark=20</font>
</BODY>
</HTML>





---------- End Forwarded Message ----------




More information about the unisog mailing list