New SPAM DOS
sthaug at nethelp.no
sthaug at nethelp.no
Fri Jan 8 19:39:54 UTC 2010
> I host scvrs.org on one of my servers, and, it does not have any outlook or owa
> services. For some reason, someone decided to try and send this message
> out to various internet recipients:
...
> Anyone seen this before? Any good techniques for combatting it?
If you look more closely at the messages I believe you'll find that
they are multipart/alternative, and that the second part gives a
slightly modified version of the owa URL. For instance, for my own
nethelp.no domain the first part of message says
http://nethelp.no/owa/...
but the second part specifies URLs like
http://nethelp.no.ujjikx.co.im/owa/...
http://nethelp.no.ujjiks.net.im/owa/...
http://nethelp.no.ikuu8w.com/owa/...
http://nethelp.no.ikuu8e.net/owa/...
This is a very old trick, seen lots of times in connection with
phishing sites, for instance.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no
More information about the NANOG
mailing list