G
Gabriele Neukam
Hi all,
after receiving probably 150+ gibe infected mails, I thought, I know the
subjects very well.
But this one is different. The subject line contains a verb in past
tense. And the attachment name is inserted *twice* into the header lines
(even once is rare).
It is combined with a base64 encoding (well, this is something I think I
have already seen with some gibes), and one zipped attachment has been
reported here, too. But this zipping is extremely rare.
The header is:
| Return-Path: <ochandofresneda(at)supercable.es|
| Received: from smtp.supercable.es ([212.79.128.148]) by
mailin06.sul.t-online.de
| with esmtp id 19wqPY-1IU6WO0; Tue, 9 Sep 2003 23:52:32 +0200
| Received: from superyo (cliente-217217085086.uBRjaa01.supercable.es
[217.217.85.86])
| by smtp.supercable.es (Switch-2.0.1/Switch-2.0.1) with ESMTP id
h89LpIB17889;
| Tue, 9 Sep 2003 23:51:18 +0200 (MEST)
| From: "Jacinto Ochando Fresneda" <ochandofresneda(at)supercable.es|
| To: <expires.2003.08.31(at)egalwaat.lu|, <einstein1294(at)gmx.de|,
| <manni.heumann(at)gmx.de|, <ad1156(at)freenet.de|, <hooonk(at)
honk.com|,
| <spheredancer(at)gmx.de|, <postempfang(at)26231110.magik.de|,
| <fromline(at)26231110.magik.de|, <s.w(at)gmx.de|, <gabriele.neukam
(at)t-online.de|,
| <0d(at)usenet.kicks-ass.org|, <usenet-posting-73331-(at)
zocki.toppoint.de|,
| <postempfang(at)26222227.magik.de|, <fromline(at)26222227.magik.de|,
| <paul(at)lenz-online.de|, <oliver.ellermeier(at)t-online.de|,
<noreply(at)peek.de|,
| <gunde(at)inbox.ru|, <rainer.behrendt(at)gmx.net|, <12000heiko(at)
gmx.de|,
| <news(at)nico-schumacher.de|, <jens(at)heye-web.de|,
| <werner-ernst-wilhelm(at)freenet.de|, <nhoeppner(at)gmx.de|,
| <michael.jahns(at)gmx.de|, <wird.wenig.gelesen(at)gmx.net|,
| <happyboakonstriktor(at)hotmail.com|, <hp.fan(at)loop.de|,
| <sascha_loeffler(at)gmx.de|, <paul_030819(at)crazyweb.de|, <kreutzer
(at)tripple.at|,
| <m.lipke(at)web.de|, <johannes(at)beus.info|, <jan.schejbal_news(at)
gmx.de|,
| <gerhard.schromm(at)student.uni-ulm.de|,
| <s.kraus.exp010104.id0x0004(at)moscher.com|, <mlemke(at)gmx.de|,
<dirac(at)gmx.li|,
| <defox.dev.null(at)gmx.de|, <maerz03(at)rasender-killer.de|,
<theremix(at)web.de|,
| <usenet(at)gollum.sytes.net|, <danam082003.to.roewer(at)xoxy.net|,
| <roewer(at)xoxy.net|, <pereg(at)gmx.de|, <wolke77(at)wolke7.net|,
| <markus.bellmann(at)hamburg.de|, <bellmex(at)gmx.de|, <gudrun-f(at)
t-online.de|,
| <thomas.lahr(at)t-online.de|, <mikoenig(at)web.de|,
| <u_danam_r(at)expires-200308.docsnyder.de|,
| <u_danam_f(at)expires-200308.docsnyder.de|,
| <dominik.ruf(at)stud.uni-karlsruhe.de|, <usenet0803(at)on-topic.de|,
| <gerhard(at)brue.net|, <krasnoj(at)gmx.at|, <unger(at)decus.de|, <ng
(at)musch.de|,
| <puschl(at)puschl.at|, <chris(at)chris-kurbjuhn.de|, <nutznetz(at)
chris-kurbjuhn.de|,
| <deiszner(at)web.de|, <braun(at)abatron.de|
| Subject: FW: Try this patch which came from the Microsoft
| Date: Tue, 9 Sep 2003 23:51:24 +0200
| Message-ID: <003101c3771c$832e8700$5655d9d9(at)superyo|
| MIME-Version: 1.0
| X-Priority: 3 (Normal)
| X-MSMail-Priority: Normal
| X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2776.0)
| Importance: Normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| X-Seen: false
| Content-Type: application/x-zip-compressed;
| name="P349728.zip"
| Content-Transfer-Encoding: base64
| Content-Disposition: attachment;
| filename="P349728.zip"
I know where some of these addresses (in which I replaced the at sign to
avoid renewed harvesting) have been harvested from, it is a German anti-
spam newsgroup.
This of course makes it suspicious. It could be a revenge. But there is
no proof. Or does any expert know how to identify it as "real" or
"fake"?
Gabriele Neukam
(e-mail address removed)
after receiving probably 150+ gibe infected mails, I thought, I know the
subjects very well.
But this one is different. The subject line contains a verb in past
tense. And the attachment name is inserted *twice* into the header lines
(even once is rare).
It is combined with a base64 encoding (well, this is something I think I
have already seen with some gibes), and one zipped attachment has been
reported here, too. But this zipping is extremely rare.
The header is:
| Return-Path: <ochandofresneda(at)supercable.es|
| Received: from smtp.supercable.es ([212.79.128.148]) by
mailin06.sul.t-online.de
| with esmtp id 19wqPY-1IU6WO0; Tue, 9 Sep 2003 23:52:32 +0200
| Received: from superyo (cliente-217217085086.uBRjaa01.supercable.es
[217.217.85.86])
| by smtp.supercable.es (Switch-2.0.1/Switch-2.0.1) with ESMTP id
h89LpIB17889;
| Tue, 9 Sep 2003 23:51:18 +0200 (MEST)
| From: "Jacinto Ochando Fresneda" <ochandofresneda(at)supercable.es|
| To: <expires.2003.08.31(at)egalwaat.lu|, <einstein1294(at)gmx.de|,
| <manni.heumann(at)gmx.de|, <ad1156(at)freenet.de|, <hooonk(at)
honk.com|,
| <spheredancer(at)gmx.de|, <postempfang(at)26231110.magik.de|,
| <fromline(at)26231110.magik.de|, <s.w(at)gmx.de|, <gabriele.neukam
(at)t-online.de|,
| <0d(at)usenet.kicks-ass.org|, <usenet-posting-73331-(at)
zocki.toppoint.de|,
| <postempfang(at)26222227.magik.de|, <fromline(at)26222227.magik.de|,
| <paul(at)lenz-online.de|, <oliver.ellermeier(at)t-online.de|,
<noreply(at)peek.de|,
| <gunde(at)inbox.ru|, <rainer.behrendt(at)gmx.net|, <12000heiko(at)
gmx.de|,
| <news(at)nico-schumacher.de|, <jens(at)heye-web.de|,
| <werner-ernst-wilhelm(at)freenet.de|, <nhoeppner(at)gmx.de|,
| <michael.jahns(at)gmx.de|, <wird.wenig.gelesen(at)gmx.net|,
| <happyboakonstriktor(at)hotmail.com|, <hp.fan(at)loop.de|,
| <sascha_loeffler(at)gmx.de|, <paul_030819(at)crazyweb.de|, <kreutzer
(at)tripple.at|,
| <m.lipke(at)web.de|, <johannes(at)beus.info|, <jan.schejbal_news(at)
gmx.de|,
| <gerhard.schromm(at)student.uni-ulm.de|,
| <s.kraus.exp010104.id0x0004(at)moscher.com|, <mlemke(at)gmx.de|,
<dirac(at)gmx.li|,
| <defox.dev.null(at)gmx.de|, <maerz03(at)rasender-killer.de|,
<theremix(at)web.de|,
| <usenet(at)gollum.sytes.net|, <danam082003.to.roewer(at)xoxy.net|,
| <roewer(at)xoxy.net|, <pereg(at)gmx.de|, <wolke77(at)wolke7.net|,
| <markus.bellmann(at)hamburg.de|, <bellmex(at)gmx.de|, <gudrun-f(at)
t-online.de|,
| <thomas.lahr(at)t-online.de|, <mikoenig(at)web.de|,
| <u_danam_r(at)expires-200308.docsnyder.de|,
| <u_danam_f(at)expires-200308.docsnyder.de|,
| <dominik.ruf(at)stud.uni-karlsruhe.de|, <usenet0803(at)on-topic.de|,
| <gerhard(at)brue.net|, <krasnoj(at)gmx.at|, <unger(at)decus.de|, <ng
(at)musch.de|,
| <puschl(at)puschl.at|, <chris(at)chris-kurbjuhn.de|, <nutznetz(at)
chris-kurbjuhn.de|,
| <deiszner(at)web.de|, <braun(at)abatron.de|
| Subject: FW: Try this patch which came from the Microsoft
| Date: Tue, 9 Sep 2003 23:51:24 +0200
| Message-ID: <003101c3771c$832e8700$5655d9d9(at)superyo|
| MIME-Version: 1.0
| X-Priority: 3 (Normal)
| X-MSMail-Priority: Normal
| X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2776.0)
| Importance: Normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| X-Seen: false
| Content-Type: application/x-zip-compressed;
| name="P349728.zip"
| Content-Transfer-Encoding: base64
| Content-Disposition: attachment;
| filename="P349728.zip"
I know where some of these addresses (in which I replaced the at sign to
avoid renewed harvesting) have been harvested from, it is a German anti-
spam newsgroup.
This of course makes it suspicious. It could be a revenge. But there is
no proof. Or does any expert know how to identify it as "real" or
"fake"?
Gabriele Neukam
(e-mail address removed)