New SPAM DOS

sthaug at nethelp.no sthaug at nethelp.no
Fri Jan 8 19:39:54 UTC 2010


> I host scvrs.org on one of my servers, and, it does not have any outlook or owa
> services.  For some reason, someone decided to try and send this message
> out to various internet recipients:
...
> Anyone seen this before?  Any good techniques for combatting it?

If you look more closely at the messages I believe you'll find that
they are multipart/alternative, and that the second part gives a
slightly modified version of the owa URL. For instance, for my own
nethelp.no domain the first part of message says

http://nethelp.no/owa/...

but the second part specifies URLs like

http://nethelp.no.ujjikx.co.im/owa/...
http://nethelp.no.ujjiks.net.im/owa/...
http://nethelp.no.ikuu8w.com/owa/...
http://nethelp.no.ikuu8e.net/owa/...

This is a very old trick, seen lots of times in connection with
phishing sites, for instance.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no




More information about the NANOG mailing list