What IS this?

Discussion in 'other security issues & news' started by spy1, Jun 25, 2003.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Had an email waiting when I got home just a little while ago that looked pretty weird.

    Instead of just deleting it out-of-hand, I allowed OE to d/l it through Benign. (Benign didn't strip anything out of the email before letting it through). But it doesn't really look like there's anything in the email besides the header stuff (which doesn't make a whole lot of sense).

    This is the "Details" info:

    Received: from mail.comporium.net by b9 for xjhci.cnciy@yahoo.com
       (applied security profile: High) at Wed, 25 Jun 2003 16:54:24 -0500
    Return-path: <xjhci.cnciy@yahoo.com>
    Received: from psmtp.com ([12.158.34.153])
    by InfoAve.Net (PMDF V6.1-1IA5 #30772)
    with SMTP id [personal data edited out]
    (ORCPT [personal data edited out]); Wed, 25 Jun 2003 14:34:20 -0400 (EDT)
    Received: from source ([195.157.215.49]) by exprod5mx13.postini.com
    ([12.158.34.245]) with SMTP; Wed, 25 Jun 2003 11:34:06 -0700 (PDT)
    Received: from 237.208.206.77 ([219.91.101.97])
    by 21cserver.21stcenturyservices.co.uk with Microsoft SMTPSVC(5.0.2195.4453)
    ; Wed, 25 Jun 2003 19:27:17 +0100
    Date: Thu, 26 Jun 2003 02:32:55 +0800
    From: =?Big5?B?VKbmvlCxTa5hVA==?= <xjhci.cnciy@yahoo.com>
    Subject: =?Big5?B?uvS49KtQvlCnQaazpECuTQ==?=
    Sender: =?UNKNOWN?B?aaaaaaaaaaaaaaaa?= <xjhci.cnciy@yahoo.com>
    To: sppd01 <[personal data edited out]>
    Reply-to: xjhci.cnciy@yahoo.com
    Message-id: <21CSERVER9tASujKU3P0001bb14@21cserver.21stcenturyservices.co.uk>
    X-MIMEOLE: Produced By Mircosoft MimeOLE V6.00.2600.0000
    X-Priority: 2
    PMDF-SMTP-Warning: Lines longer than SMTP allows found and truncated.
    X-Library: Dynamailer*******N
    Original-recipient: rfc822;[personal data edited out]
    X-OriginalArrivalTime: 25 Jun 2003 18:27:25.0166 (UTC)
    FILETIME=[6CDD38E0:01C33B47]
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
       boundary="b9_multipart_boundary_0=_"

    and this is the "Message Source":

    Received: from mail.comporium.net by b9 for xjhci.cnciy@yahoo.com
       (applied security profile: High) at Wed, 25 Jun 2003 16:54:24 -0500
    Return-path: <xjhci.cnciy@yahoo.com>
    Received: from psmtp.com ([12.158.34.153])
    by InfoAve.Net (PMDF V6.1-1IA5 #30772)
    with SMTP id <[personal data edited out]> for [personal data edited out]
    (ORCPT [personal data edited out]); Wed, 25 Jun 2003 14:34:20 -0400 (EDT)
    Received: from source ([195.157.215.49]) by exprod5mx13.postini.com
    ([12.158.34.245]) with SMTP; Wed, 25 Jun 2003 11:34:06 -0700 (PDT)
    Received: from 237.208.206.77 ([219.91.101.97])
    by 21cserver.21stcenturyservices.co.uk with Microsoft SMTPSVC(5.0.2195.4453)
    ; Wed, 25 Jun 2003 19:27:17 +0100
    Date: Thu, 26 Jun 2003 02:32:55 +0800
    From: =?Big5?B?VKbmvlCxTa5hVA==?= <xjhci.cnciy@yahoo.com>
    Subject: =?Big5?B?uvS49KtQvlCnQaazpECuTQ==?=
    Sender: =?UNKNOWN?B?aaaaaaaaaaaaaaaa?= <xjhci.cnciy@yahoo.com>
    To: sppd01 <sppd01@ms9.hinet.net>
    Reply-to: xjhci.cnciy@yahoo.com
    Message-id: <21CSERVER9tASujKU3P0001bb14@21cserver.21stcenturyservices.co.uk>
    X-MIMEOLE: Produced By Mircosoft MimeOLE V6.00.2600.0000
    X-Priority: 2
    PMDF-SMTP-Warning: Lines longer than SMTP allows found and truncated.
    X-Library: Dynamailer*******N
    Original-recipient: rfc822;[personal data edited out]
    X-OriginalArrivalTime: 25 Jun 2003 18:27:25.0166 (UTC)
    FILETIME=[6CDD38E0:01C33B47]
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
       boundary="b9_multipart_boundary_0=_"

    --b9_multipart_boundary_0=_--

    and it looks like this when you open it in OE (see screenie).

    Is this some new kind of exploit, or what? Nothing let out a peep as far as defensive programs - not NOD, not TDS, not Benign.

    Very puzzling. Pete

    [personal data edited out above]
     

  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    hmmm,

    The message is in Chinese using Big5 encoding; one thing I noticed is the error indicating too long a line for SMTP. It may be that an intentional Outlook vulnerability (or for that matter, SMTP daemon vuln) was tried and there is protection against it enabled on the receiving SMTP server, but that is highly speculative. I am sure about the Chinese though.

    Dan
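    The two observations above (a Big5-encoded From/Subject and a PMDF line-length warning) can be checked mechanically. The following is an added Python example, not code from the thread: it rejoins the folded header lines as they were pasted (the forum stripped the leading whitespace from continuation lines, so the rejoin is a heuristic rather than strict RFC 5322 unfolding), decodes the RFC 2047 encoded-words with the standard library, walks the Received: chain from the oldest hop upward, flags a HELO argument that is an IP literal but differs from the connecting address, and reports whether the truncation warning is present. The sample header block is the one quoted in the first post with the poster's redactions kept; the function names and the latin-1 fallback for the bogus ?UNKNOWN? charset are my choices.

```python
import re
from email.header import decode_header

# Constructed sample: header lines copied from the first message quoted in
# this thread. Continuation lines lost their leading whitespace on the forum.
RAW_HEADERS = """\
Received: from mail.comporium.net by b9 for xjhci.cnciy@yahoo.com
(applied security profile: High) at Wed, 25 Jun 2003 16:54:24 -0500
Return-path: <xjhci.cnciy@yahoo.com>
Received: from psmtp.com ([12.158.34.153])
by InfoAve.Net (PMDF V6.1-1IA5 #30772)
with SMTP id [personal data edited out]
(ORCPT [personal data edited out]); Wed, 25 Jun 2003 14:34:20 -0400 (EDT)
Received: from source ([195.157.215.49]) by exprod5mx13.postini.com
([12.158.34.245]) with SMTP; Wed, 25 Jun 2003 11:34:06 -0700 (PDT)
Received: from 237.208.206.77 ([219.91.101.97])
by 21cserver.21stcenturyservices.co.uk with Microsoft SMTPSVC(5.0.2195.4453)
; Wed, 25 Jun 2003 19:27:17 +0100
Date: Thu, 26 Jun 2003 02:32:55 +0800
From: =?Big5?B?VKbmvlCxTa5hVA==?= <xjhci.cnciy@yahoo.com>
Subject: =?Big5?B?uvS49KtQvlCnQaazpECuTQ==?=
Sender: =?UNKNOWN?B?aaaaaaaaaaaaaaaa?= <xjhci.cnciy@yahoo.com>
PMDF-SMTP-Warning: Lines longer than SMTP allows found and truncated.
"""

# A header field starts with a field-name (printable ASCII except ':') and a colon.
HEADER_START = re.compile(r'^[!-9;-~]+:')
RECEIVED = re.compile(r'\bfrom\s+(\S+)\s*\(\[?([\d.]+)\]?\)\s.*?\bby\s+(\S+)')
IPV4 = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def unfold(raw):
    """Rejoin folded lines. Because the paste lost the folding whitespace,
    any line that does not start a new field is glued onto the previous one."""
    lines = []
    for line in raw.splitlines():
        if HEADER_START.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += ' ' + line.strip()
    return lines


def parse_headers(raw):
    """Return [(lower-case name, value), ...] in on-the-wire order."""
    fields = []
    for line in unfold(raw):
        name, _, value = line.partition(':')
        fields.append((name.strip().lower(), value.strip()))
    return fields


def decode_field(value):
    """Decode RFC 2047 encoded-words (=?charset?B?...?=) into text. An unknown
    charset (the bogus ?UNKNOWN? here) falls back to latin-1 so the ASCII
    address part stays readable instead of raising."""
    out = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            try:
                out.append(chunk.decode(charset or 'ascii', errors='replace'))
            except LookupError:
                out.append(chunk.decode('latin-1'))
        else:
            out.append(chunk)
    return ''.join(out)


def trace_received(fields):
    """Walk Received: fields from the bottom (oldest hop) up. Each hop is
    written by the relay that received the message, so only the hops added by
    your own mail servers are trustworthy; everything below could be forged."""
    hops = []
    for name, value in reversed(fields):
        if name != 'received':
            continue
        m = RECEIVED.search(value)
        if not m:
            continue  # local hand-off with no connecting IP (the Benign line)
        helo, ip, by = m.groups()
        hops.append({
            'helo': helo, 'ip': ip, 'by': by,
            # HELO given as an IP literal that is not the connecting address:
            # the sender is lying about (or badly misconfigured on) its identity.
            'helo_mismatch': bool(IPV4.match(helo)) and helo != ip,
        })
    return hops


def triage(raw):
    fields = parse_headers(raw)
    byname = {}
    for name, value in fields:
        byname.setdefault(name, []).append(value)
    return {
        'from': decode_field(byname['from'][0]),
        'subject': decode_field(byname['subject'][0]),
        'sender': decode_field(byname['sender'][0]),
        'hops': trace_received(fields),
        'truncated': 'pmdf-smtp-warning' in byname,
    }


if __name__ == '__main__':
    for key, val in triage(RAW_HEADERS).items():
        print(key, '=', val)
```

    Read from the oldest hop, the chain says the message entered at 21cserver.21stcenturyservices.co.uk from 219.91.101.97 while the client announced itself as 237.208.206.77, and then passed through Postini and the PMDF server that truncated the long lines. The decoded From: is the letter T, four Big5 characters and another T, which is consistent with a bulk-mailer template rather than a real display name.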
     
  3. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    ...actually, looking at it a bit closer, the source SMTP server truncated the message as it is a PMDF-SMTP error
     
  4. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Without trying to be paranoid, it seems a little hinky to me that two such messages were sent less than two seconds apart (did I forget to mention that part? :) ).

    "Details":

    Received: from mail.comporium.net by b9 for aa6v9.8b7am@hotmail.com
       (applied security profile: High) at Wed, 25 Jun 2003 16:54:26 -0500
    Return-path: <aa6v9.8b7am@hotmail.com>
    Received: from psmtp.com ([12.158.34.238])
    by InfoAve.Net (PMDF V6.1-1IA5 #38780)
    with SMTP id [personal data edited out]
    (ORCPT [personal data edited out]); Wed, 25 Jun 2003 14:35:09 -0400 (EDT)
    Received: from source ([211.94.133.146]) by exprod5mx58.postini.com
    ([12.158.34.245]) with SMTP; Wed, 25 Jun 2003 12:35:06 -0600 (MDT)
    Received: from 237.208.206.77([219.91.101.97])
    by test.cumail.com.cn(AIMC 2.9.5.1)   with SMTP id jm03efa2a63; Thu,
    26 Jun 2003 02:34:52 +0800
    Date: Thu, 26 Jun 2003 02:34:25 +0800
    From: =?Big5?B?RabmvlCxTa5hRQ==?= <aa6v9.8b7am@hotmail.com>
    Subject: =?Big5?B?U0FSU7lMpEYstLqu8K1upnCm87RftWSpTz8=?=
    Sender: =?UNKNOWN?B?aaaaaaaaaaaaaaaa?= <aa6v9.8b7am@hotmail.com>
    To: [personal data edited out]
    Reply-to: aa6v9.8b7am@hotmail.com
    Message-id: <xT969373976547.16152@uimap>
    X-MIMEOLE: Produced By Mircosoft MimeOLE V6.00.2600.0000
    X-Priority: 2
    PMDF-SMTP-Warning: Lines longer than SMTP allows found and truncated.
    X-Library: Dynamailer*******N
    X-AIMC-AUTH: (null)
    X-AIMC-MAILFROM: aa6v9.8b7am@hotmail.com
    Original-recipient: rfc822;[personal data edited out]
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
       boundary="b9_multipart_boundary_0=_"

    "Message Source"

    Received: from mail.comporium.net by b9 for aa6v9.8b7am@hotmail.com
       (applied security profile: High) at Wed, 25 Jun 2003 16:54:26 -0500
    Return-path: <aa6v9.8b7am@hotmail.com>
    Received: from psmtp.com ([12.158.34.238])
    by InfoAve.Net (PMDF V6.1-1IA5 #38780)
    with SMTP id [personal data edited out]
    (ORCPT [personal data edited out]); Wed, 25 Jun 2003 14:35:09 -0400 (EDT)
    Received: from source ([211.94.133.146]) by exprod5mx58.postini.com
    ([12.158.34.245]) with SMTP; Wed, 25 Jun 2003 12:35:06 -0600 (MDT)
    Received: from 237.208.206.77([219.91.101.97])
    by test.cumail.com.cn(AIMC 2.9.5.1)   with SMTP id jm03efa2a63; Thu,
    26 Jun 2003 02:34:52 +0800
    Date: Thu, 26 Jun 2003 02:34:25 +0800
    From: =?Big5?B?RabmvlCxTa5hRQ==?= <aa6v9.8b7am@hotmail.com>
    Subject: =?Big5?B?U0FSU7lMpEYstLqu8K1upnCm87RftWSpTz8=?=
    Sender: =?UNKNOWN?B?aaaaaaaaaaaaaaaa?= <aa6v9.8b7am@hotmail.com>
    To: [personal data edited out]
    Reply-to: aa6v9.8b7am@hotmail.com
    Message-id: <xT969373976547.16152@uimap>
    X-MIMEOLE: Produced By Mircosoft MimeOLE V6.00.2600.0000
    X-Priority: 2
    PMDF-SMTP-Warning: Lines longer than SMTP allows found and truncated.
    X-Library: Dynamailer*******N
    X-AIMC-AUTH: (null)
    X-AIMC-MAILFROM: aa6v9.8b7am@hotmail.com
    Original-recipient: rfc822;[personal data edited out]
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
       boundary="b9_multipart_boundary_0=_"

    --b9_multipart_boundary_0=_--


    I'm going to try to capture the output from MailWasher if I get any more - the message displayed completely differently in MailWasher's window than it did in OE (it was either Chinese or code - sorry, I didn't think it was going to look different in OE, so I didn't do a screenshot in MW).

    Thanks for the response, Dan. Pete

    [personal data edited out above]
     
  6. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Well, as is, I don't think there is any problem with it, but what was intended? It could just be a mass mailer that went wrong. The FAQ link I pointed to above points out that multi-attachment messages would be separated into separate emails, so that would account for the two messages in quick succession. It may be a coding error in the form mailer that resulted in the loss of the two attachments (or more likely, the false impression that there were attachments at all). All highly speculative and thus good fun!
     
  7. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Got another one this morning. This is from MW:

    Return-path: <iaf7x.3nl01@yahoo.com>
    Received: from psmtp.com ([12.158.34.182])
    by InfoAve.Net (PMDF V6.1-1IA5 #30772)
    with SMTP id <01KXJOI4QBDIAM41W5@InfoAve.Net> for spy1@InfoAve.Net
    (ORCPT gosp@myourself); Thu, 26 Jun 2003 09:59:06 -0400 (EDT)
    Received: from source ([66.215.162.242]) by exprod5mx27.postini.com
    ([12.158.34.245]) with SMTP; Thu, 26 Jun 2003 08:59:05 -0500 (CDT)
    Received: from 193.250.201.188 ([219.91.89.91]) by JARED-SERVER with Microsoft
    SMTPSVC(5.0.2195.5329); Thu, 26 Jun 2003 06:59:47 -0700
    Date: Thu, 26 Jun 2003 21:58:18 +0800
    From: =?Big5?B?WbL8xPWrzlk=?= <iaf7x.3nl01@yahoo.com>
    Subject:
    =?big5?B?w/ak37F6oUmyTbdzqsWu8CC0o6pApc2soat+vegyMDAzLzYvMjYgpFWkyCAwOS==?=
    =?big5?B?OjU4OjExIHNwd3d3IDxzcHd3d0BtczcuaGluZXQubmV0Pm==?=
    Sender: =?UNKNOWN?B?rrrrrrrrrrrr?= <iaf7x.3nl01@yahoo.com>
    To: spwww <spwww@ms7.hinet.net>
    Reply-to: iaf7x.3nl01@yahoo.com
    Message-id: <JARED-SERVER7q4xpyX000037fa@JARED-SERVER>
    MIME-version: 1.0
    X-MIMEOLE: Produced By Mircosoft MimeOLE V6.00.2600.0000
    X-Mailer: Microsoft Outlook, Build 10.0.2627
    Content-type: multipart/alternative; charset=BIG-5;
    boundary="=_NextPart_2rfkindysadvnqw3nerasdf"
    Content-transfer-encoding: quoted-printable
    X-Priority: 2
    PMDF-SMTP-Warning: Lines longer than SMTP allows found and truncated.
    X-Library: Dynamailer*******N
    Original-recipient: rfc822;gosp@myourself
    X-OriginalArrivalTime: 26 Jun 2003 13:59:48.0781 (UTC)
    FILETIME=[34ED0DD0:01C33BEB]

    This is a multi-part message in MIME format

    --=_NextPart_2rfkindysadvnqw3nerasdf
    Content-Type: text/plain
    Content-Transfer-Encoding: quoted-printable
    charset="BIG-5"


    --=_NextPart_2rfkindysadvnqw3nerasdf
    Content-Type: text/html
    Content-Transfer-Encoding: 7bit
    charset="BIG-5"

    <!-- mUTBNT--> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>UV Air Cleaner</title> <meta http-equiv="Content-Type" content="text/html; charset=big5"> <style> <!-- #fps0 {font-size:10pt;} --> </style> </head> <body bgcolor="#FFFFFF"> <table width=640 border=1 cellpadding=0 cellspacing=0 bordercolor=#009900> <tr> <td><img src=http://www.dutchhouse.com.tw/uvair/head.gif width=640 height=180>
    <table width=620 border=0 align=center cellpadding=0 cellspacing=0> <tr> <td height=10></td> </tr> <tr> <td><img src=http://www.dutchhouse.com.tw/uvair/product1.gif width=245 height=149><img src=http://www.dutchhouse.com.tw/uvair/product2.gif width=202 height=149><img src=http://www.dutchhouse.com.tw/uvair/product3.gif width=173 height=149></td> </tr> <tr> <td height=4></td> </tr> <tr> <td><table width=620 border=0 cellspacing=0 cellpadding=0> <tr>

    --=_NextPart_2rfkindysadvnqw3nerasdf--


    Note the "To:" address: (screenshot)

    OE "Details":

    Return-path: <iaf7x.3nl01@yahoo.com>
    Received: from psmtp.com ([12.158.34.182])
    by InfoAve.Net (PMDF V6.1-1IA5 #30772)
    with SMTP id <01KXJOI4QBDIAM41W5@InfoAve.Net> for spy1@InfoAve.Net
    (ORCPT gosp@myourself); Thu, 26 Jun 2003 09:59:06 -0400 (EDT)
    Received: from source ([66.215.162.242]) by exprod5mx27.postini.com
    ([12.158.34.245]) with SMTP; Thu, 26 Jun 2003 08:59:05 -0500 (CDT)
    Received: from 193.250.201.188 ([219.91.89.91]) by JARED-SERVER with Microsoft
    SMTPSVC(5.0.2195.5329); Thu, 26 Jun 2003 06:59:47 -0700
    Date: Thu, 26 Jun 2003 21:58:18 +0800
    From: =?Big5?B?WbL8xPWrzlk=?= <iaf7x.3nl01@yahoo.com>
    Subject:
    =?big5?B?w/ak37F6oUmyTbdzqsWu8CC0o6pApc2soat+vegyMDAzLzYvMjYgpFWkyCAwOS==?=
    =?big5?B?OjU4OjExIHNwd3d3IDxzcHd3d0BtczcuaGluZXQubmV0Pm==?=
    Sender: =?UNKNOWN?B?rrrrrrrrrrrr?= <iaf7x.3nl01@yahoo.com>
    To: spwww <spwww@ms7.hinet.net>
    Reply-to: iaf7x.3nl01@yahoo.com
    Message-id: <JARED-SERVER7q4xpyX000037fa@JARED-SERVER>
    MIME-version: 1.0
    X-MIMEOLE: Produced By Mircosoft MimeOLE V6.00.2600.0000
    X-Mailer: Microsoft Outlook, Build 10.0.2627
    Content-type: multipart/alternative; charset=BIG-5;
    boundary="=_NextPart_2rfkindysadvnqw3nerasdf"
    Content-transfer-encoding: quoted-printable
    X-Priority: 2
    PMDF-SMTP-Warning: Lines longer than SMTP allows found and truncated.
    X-Library: Dynamailer*******N
    Original-recipient: rfc822;gosp@myourself
    X-OriginalArrivalTime: 26 Jun 2003 13:59:48.0781 (UTC)
    FILETIME=[34ED0DD0:01C33BEB]

    OE "Message Source":
    Return-path: <iaf7x.3nl01@yahoo.com>
    Received: from psmtp.com ([12.158.34.182])
    by InfoAve.Net (PMDF V6.1-1IA5 #30772)
    with SMTP id <01KXJOI4QBDIAM41W5@InfoAve.Net> for spy1@InfoAve.Net
    (ORCPT gosp@myourself); Thu, 26 Jun 2003 09:59:06 -0400 (EDT)
    Received: from source ([66.215.162.242]) by exprod5mx27.postini.com
    ([12.158.34.245]) with SMTP; Thu, 26 Jun 2003 08:59:05 -0500 (CDT)
    Received: from 193.250.201.188 ([219.91.89.91]) by JARED-SERVER with Microsoft
    SMTPSVC(5.0.2195.5329); Thu, 26 Jun 2003 06:59:47 -0700
    Date: Thu, 26 Jun 2003 21:58:18 +0800
    From: =?Big5?B?WbL8xPWrzlk=?= <iaf7x.3nl01@yahoo.com>
    Subject:
    =?big5?B?w/ak37F6oUmyTbdzqsWu8CC0o6pApc2soat+vegyMDAzLzYvMjYgpFWkyCAwOS==?=
    =?big5?B?OjU4OjExIHNwd3d3IDxzcHd3d0BtczcuaGluZXQubmV0Pm==?=
    Sender: =?UNKNOWN?B?rrrrrrrrrrrr?= <iaf7x.3nl01@yahoo.com>
    To: spwww <spwww@ms7.hinet.net>
    Reply-to: iaf7x.3nl01@yahoo.com
    Message-id: <JARED-SERVER7q4xpyX000037fa@JARED-SERVER>
    MIME-version: 1.0
    X-MIMEOLE: Produced By Mircosoft MimeOLE V6.00.2600.0000
    X-Mailer: Microsoft Outlook, Build 10.0.2627
    Content-type: multipart/alternative; charset=BIG-5;
    boundary="=_NextPart_2rfkindysadvnqw3nerasdf"
    Content-transfer-encoding: quoted-printable
    X-Priority: 2
    PMDF-SMTP-Warning: Lines longer than SMTP allows found and truncated.
    X-Library: Dynamailer*******N
    Original-recipient: rfc822;gosp@myourself
    X-OriginalArrivalTime: 26 Jun 2003 13:59:48.0781 (UTC)
    FILETIME=[34ED0DD0:01C33BEB]

    This is a multi-part message in MIME format

    --=_NextPart_2rfkindysadvnqw3nerasdf
    Content-Type: text/plain
    Content-Transfer-Encoding: quoted-printable
    charset="BIG-5"



    __________ NOD32 1.445 (20030625) Information __________

    This message was checked by NOD32 Antivirus System.
    http://www.nod32.com


    --=_NextPart_2rfkindysadvnqw3nerasdf
    Content-Type: text/html
    Content-Transfer-Encoding: 7bit
    charset="BIG-5"

    <!-- mUTBNT--> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>UV Air Cleaner</title> <meta http-equiv="Content-Type" content="text/html; charset=big5"> <style> <!-- #fps0 {font-size:10pt;} --> </style> </head> <body bgcolor="#FFFFFF"> <table width=640 border=1 cellpadding=0 cellspacing=0 bordercolor=#009900> <tr> <td><img src=http://www.dutchhouse.com.tw/uvair/head.gif width=640 height=180>
    <table width=620 border=0 align=center cellpadding=0 cellspacing=0> <tr> <td height=10></td> </tr> <tr> <td><img src=http://www.dutchhouse.com.tw/uvair/product1.gif width=245 height=149><img src=http://www.dutchhouse.com.tw/uvair/product2.gif width=202 height=149><img src=http://www.dutchhouse.com.tw/uvair/product3.gif width=173 height=149></td> </tr> <tr> <td height=4></td> </tr> <tr> <td><table width=620 border=0 cellspacing=0 cellpadding=0> <tr>

    --=_NextPart_2rfkindysadvnqw3nerasdf--

    Think you're right, Dan - seems to be just a mis-firing (and/or poorly written) mass mailing attempt. This one wasn't even addressed to me and I got it (maybe they're refining it as they go?).

    The "spy1@InfoAve.net" stuff is surprising since I don't have that email address (unless my ISP, Comporium, gave it to me without telling me about it). I'll have to check on that sometime today. Pete


    edited out valid addies
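    Two things in this message are worth checking mechanically rather than by eye: the To: header names someone else entirely, while the "for ..." and ORCPT clauses in the local Received: line and the Original-recipient field show where the mail was actually delivered; and the HTML part loads its images from a remote host, which is fetched the moment a client renders the message (and tells the sender the address is live). The following is an added Python example, not code from the thread. It runs against a constructed message modelled on the one pasted above, with the same Received/To/Original-recipient values but a well-formed MIME body (the pasted one has its charset parameters on stray lines and a Big5 subject, both left out here); the function names are my own.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the third message quoted in this thread.
SAMPLE = """\
Return-path: <iaf7x.3nl01@yahoo.com>
Received: from psmtp.com ([12.158.34.182])
 by InfoAve.Net (PMDF V6.1-1IA5 #30772)
 with SMTP id <01KXJOI4QBDIAM41W5@InfoAve.Net> for spy1@InfoAve.Net
 (ORCPT gosp@myourself); Thu, 26 Jun 2003 09:59:06 -0400 (EDT)
Received: from 193.250.201.188 ([219.91.89.91]) by JARED-SERVER with Microsoft
 SMTPSVC(5.0.2195.5329); Thu, 26 Jun 2003 06:59:47 -0700
From: <iaf7x.3nl01@yahoo.com>
To: spwww <spwww@ms7.hinet.net>
Reply-to: iaf7x.3nl01@yahoo.com
Original-recipient: rfc822;gosp@myourself
MIME-version: 1.0
Content-type: multipart/alternative; boundary="=_NextPart_2rfkindysadvnqw3nerasdf"

This is a multi-part message in MIME format

--=_NextPart_2rfkindysadvnqw3nerasdf
Content-Type: text/plain; charset="big5"
Content-Transfer-Encoding: quoted-printable


--=_NextPart_2rfkindysadvnqw3nerasdf
Content-Type: text/html; charset="big5"
Content-Transfer-Encoding: 7bit

<html><head><title>UV Air Cleaner</title></head><body>
<img src=http://www.dutchhouse.com.tw/uvair/head.gif width=640 height=180>
<img src=http://www.dutchhouse.com.tw/uvair/product1.gif width=245 height=149>
</body></html>

--=_NextPart_2rfkindysadvnqw3nerasdf--
"""


def delivery_report(raw):
    """Compare the visible To: header with the addresses the mail system
    actually delivered to: the RCPT TO recorded as 'for ...' in the local
    Received: line, the DSN ORCPT clause, and the Original-recipient field.
    A To: that matches none of them means the header is decorative."""
    msg = message_from_string(raw)
    header_to = parseaddr(msg.get('To', ''))[1]
    delivered = set()
    for received in msg.get_all('Received', []):
        m = re.search(r'\bfor\s+<?([^\s<>;()]+)>?', received)
        if m:
            delivered.add(m.group(1))
        m = re.search(r'\(ORCPT\s+([^\s)]+)\)', received)
        if m:
            delivered.add(m.group(1))
    orig = msg.get('Original-recipient', '')
    if ';' in orig:  # form is "rfc822;address"
        delivered.add(orig.split(';', 1)[1].strip())
    return {
        'header_to': header_to,
        'delivered_to': sorted(delivered),
        'to_matches_delivery': header_to in delivered,
    }


def remote_resources(raw):
    """Return the hostnames the text/html part would contact when rendered.
    Blocking remote images in the mail client is the usual mitigation."""
    msg = message_from_string(raw)
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() != 'text/html':
            continue
        charset = part.get_content_charset() or 'ascii'
        html = part.get_payload(decode=True).decode(charset, errors='replace')
        for url in re.findall(r'src=["\']?(https?://[^\s"\'>]+)', html, re.I):
            hosts.add(urlparse(url).hostname)
    return hosts


if __name__ == '__main__':
    print(delivery_report(SAMPLE))
    print(remote_resources(SAMPLE))
```

    For this message the report shows the To: address spwww@ms7.hinet.net against deliveries to spy1@InfoAve.Net and gosp@myourself, so the header and the envelope have nothing to do with each other, and the only remote host is www.dutchhouse.com.tw, where the three product images live.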
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Forgot the screenshot.
     

