I think this message is just spam, and not something nefarious, but
amavisd flagged it as BANNED due to an exe.  Can anyone tell if this
really was malware?


X-Envelope-To: <[EMAIL PROTECTED]>
X-Quarantine-ID: <lGMnl3xEtzBg>
X-Amavis-Alert: BANNED, message contains part: text/plain,.exe
X-Spam-Flag: YES
X-Spam-Score: 32.294
X-Spam-Level: ********************************
X-Spam-Status: Yes, score=32.294 tag=-99 tag2=4.5 kill=6.31
        tests=[BODY_8BITS=1.5, BOTNET_BADDNS=0.01, BOTNET_CLIENT=0.01,
        BOTNET_CLIENTWORDS=0, BOTNET_IPINHOSTNAME=0, BOTNET_W=2,
        CHARSET_FARAWAY=3.2, CHARSET_FARAWAY_HEADER=3.2,
        DKIM_POLICY_SIGNSOME=0, L_P0F_UNKN=0.8, L_UNVERIFIED_YAHOO=2.5,
        MIME_CHARSET_FARAWAY=2.45, RAZOR2_CF_RANGE_51_100=0.5,
        RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CHECK=0.5,
        RCVD_IN_BL_SPAMCOP_NET=2.188, RCVD_IN_PBL=0.509,
        RCVD_IN_SORBS_DUL=1.615, RCVD_IN_SORBS_WEB=1.117, RCVD_IN_XBL=2.896,
        RDNS_NONE=0.1, TVD_SPACE_RATIO=2.899, UNWANTED_LANGUAGE_BODY=2.8]
X-Amavis-OS-Fingerprint: UNKNOWN [65535:49:1:52:M1440,N,W2,N,N,S:.:?:?],
        (link: IPv6/IPIP)
Received: from sa.austinenergy.com ([127.0.0.1])
        by localhost (sa.austinenergy.com [127.0.0.1]) (amavisd-new, port 10025)
        with LMTP id lGMnl3xEtzBg for <[EMAIL PROTECTED]>;
        Mon, 25 Jun 2007 22:36:18 -0500 (CDT)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.5
Received: from yahoo.com.cn (unknown [121.35.200.235])
        by sa.austinenergy.com (Postfix) with ESMTP id 00852BFF
        for <[EMAIL PROTECTED]>; Mon, 25 Jun 2007 22:36:10 -0500 (CDT)
From: =?GB2312?B?ysC8zbmry74=?= <[EMAIL PROTECTED]>
Subject: =?GB2312?B?tPqh+r+qt6Kh+saxLw==?=
To: [EMAIL PROTECTED]
Content-Type: text/plain;charset="GB2312"
Content-Transfer-Encoding: 8bit

The file command does evaluate the text as executable:
[EMAIL PROTECTED] ~]$ file foo2.txt
foo2.txt: COM executable for DOS

The content appears to be just text: a greeting, a paragraph, and an
email for more information:

[EMAIL PROTECTED] ~]$ cat -v foo2.txt
M-8M-:M-TM-pM-HM-K/;
    M-NM-RM-KM->M-?M-IM-RM-TM-OM-rM-MM-bM-LM-aM-9M-)M-6M-`M-SM-`M-!
M-6M-!M-!M-KM-0~~M-FM-1M-!M-!M-!M-7M->M-_M-LM-eM-SM-PM-#M-:M-IM-LM-RM-5
M-!M-"M-9M-$M-RM-5M-!M-"M-=M-(M-VM-~M-0M-2M-WM-0M-!
M-"M-FM-dM-KM-{M-7M-~M-NM-qM-!M-"M-9M-cM-8M-fM-!M-"M-WM-bM-AM-^ M-!
M-"M-2M-MM-RM-{M-6M-(M-6M-n M-!M-"
M-9M-zM-<M-JM-:M-#M-TM-KM-!
M-"M-9M-zM-DM-ZM-TM-KM-JM-dM-5M-HM-7M-"~M-FM-1M-5M-HM-!
M-#M-FM-UM-MM-(M-KM-0~~M-FM-1M-OM-jM-OM-8M-KM-0M-BM-JM-?M-IM-8M-y
M->M-]M-5M-XM-GM-xM-!M-"M-PM-PM-RM-5M-!M-"M-FM-1M-6M-nM-4M-sM-PM-!
M-IM-LM-LM-8!


M-NM-RM-KM->M-SM-kM-HM-+M-9M-zM-8M-wM-5M-XM-GM-xM-8M-wM-PM-PM-RM-5M-5M-DM-9M-+M-KM->M-SM-PM-7M-"[EMAIL PROTECTED]

M-AM-*M-OM-5M-5M-gM-;M-0: 13798217166   M-PM-mM-OM-HM-IM-z
M-5M-gM-WM-SM-SM-JM-OM-d: [EMAIL PROTECTED]  


[EMAIL PROTECTED] ~]$ hexdump foo2.txt
0000000 bab8 f0d4 cbc8 3b2f 200a 2020 ce20 cbd2
0000010 bfbe d2c9 cfd4 cdf2 cce2 b9e1 b6a9 d3e0
0000020 a1e0 a1b6 cba1 7eb0 c67e a1b1 a1a1 beb7
0000030 ccdf d3e5 a3d0 c9ba d2cc 0ab5 a2a1 a4b9
0000040 b5d2 a2a1 a8bd fed6 b2b0 b0d7 a2a1 e4c6
0000050 fbcb feb7 f1ce a2a1 e3b9 e6b8 a2a1 e2d7
0000060 dec1 a120 b2a2 d2cd b6fb b6a8 20ee a2a1
0000070 b90a bcfa baca d4a3 a1cb b9a2 c4fa d4da
0000080 cacb b5e4 b7c8 7ea2 b1c6 c8b5 a3a1 d5c6
0000090 a8cd b0cb 7e7e b1c6 eacf b8cf b0cb cac2
00000a0 c9bf f9b8 be0a b5dd c7d8 a1f8 d0a2 d2d0
00000b0 a1b5 c6a2 b6b1 b4ee d0f3 c9a1 cccc 21b8
00000c0 0a0a 2020 ce20 cbd2 d3be c8eb b9ab b8fa
00000d0 b5f7 c7d8 b8f8 d0f7 d2d0 b5b5 b9c4 cbab
00000e0 d3be b7d0 c6a2 d2b1 ceb5 c0f1 cdb4 a1f9
00000f0 0aa3 c10a cfaa b5b5 bbe7 3ab0 3120 3733
0000100 3839 3132 3137 3636 2020 d020 cfed c9c8
0000110 0afa e7b5 d3d7 cad3 e4cf 203a 7578 6168
0000120 6669 6e65 3667 3838 3140 3632 632e 6d6f
0000130 2020 000a                              
0000133



-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
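As an added example (not part of Daniel's post, and not amavisd-new's or file(1)'s own code), the Python script below re-derives the classification from the hexdump above. The ".exe" short type in the X-Amavis-Alert header comes from file(1) calling the body a COM executable, and file(1) does that on the strength of the first byte alone. The script parses the default hexdump(1) format (16-bit words in host byte order, little-endian here; a trailing offset-only line giving the true length; "*" for squeezed repeated lines), checks whether the first byte is one of the x86 opcodes file's msdos magic accepts as a plausible .COM entry point (0xB8 = MOV AX,imm16 is the one hit here; the opcode table is an assumption and not the complete magic list), then strictly decodes the bytes with the charset the Content-Type header declares and measures how much of the result is printable text. The hexdump constant is the poster's output copied in as the sample; all function and variable names are mine.

```python
"""Triage for an amavisd BANNED 'text/plain,.exe' hit: re-derive why
file(1) calls a GB2312 mail body a COM executable, and check whether the
bytes are actually text.

Added example, not code from the original post, amavisd-new or file(1).
"""

# Constructed sample: the `hexdump foo2.txt` output from the post, verbatim.
HEXDUMP = """\
0000000 bab8 f0d4 cbc8 3b2f 200a 2020 ce20 cbd2
0000010 bfbe d2c9 cfd4 cdf2 cce2 b9e1 b6a9 d3e0
0000020 a1e0 a1b6 cba1 7eb0 c67e a1b1 a1a1 beb7
0000030 ccdf d3e5 a3d0 c9ba d2cc 0ab5 a2a1 a4b9
0000040 b5d2 a2a1 a8bd fed6 b2b0 b0d7 a2a1 e4c6
0000050 fbcb feb7 f1ce a2a1 e3b9 e6b8 a2a1 e2d7
0000060 dec1 a120 b2a2 d2cd b6fb b6a8 20ee a2a1
0000070 b90a bcfa baca d4a3 a1cb b9a2 c4fa d4da
0000080 cacb b5e4 b7c8 7ea2 b1c6 c8b5 a3a1 d5c6
0000090 a8cd b0cb 7e7e b1c6 eacf b8cf b0cb cac2
00000a0 c9bf f9b8 be0a b5dd c7d8 a1f8 d0a2 d2d0
00000b0 a1b5 c6a2 b6b1 b4ee d0f3 c9a1 cccc 21b8
00000c0 0a0a 2020 ce20 cbd2 d3be c8eb b9ab b8fa
00000d0 b5f7 c7d8 b8f8 d0f7 d2d0 b5b5 b9c4 cbab
00000e0 d3be b7d0 c6a2 d2b1 ceb5 c0f1 cdb4 a1f9
00000f0 0aa3 c10a cfaa b5b5 bbe7 3ab0 3120 3733
0000100 3839 3132 3137 3636 2020 d020 cfed c9c8
0000110 0afa e7b5 d3d7 cad3 e4cf 203a 7578 6168
0000120 6669 6e65 3667 3838 3140 3632 632e 6d6f
0000130 2020 000a
0000133
"""

# First-byte patterns that file(1)'s msdos magic treats as the start of a
# tiny DOS .COM program. Assumption: a subset of that magic, not the full list.
COM_FIRST_BYTES = {
    0xB8: "mov ax,imm16",
    0xE8: "call rel16",
    0xE9: "jmp rel16",
    0xEB: "jmp rel8",
}


def parse_hexdump(text):
    """Turn default hexdump(1) output back into the original bytes.

    Each data line is an offset followed by up to eight 16-bit words shown
    in host byte order (little-endian on x86, so 'bab8' is bytes b8 ba).
    A lone '*' means 'previous line repeats'; the final offset-only line
    is the true length, which trims the zero padding of a short last word.
    """
    out = bytearray()
    prev_line = None
    squeezed = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "*":
            squeezed = True
            continue
        fields = line.split()
        offset = int(fields[0], 16)
        if squeezed:  # fill the gap with copies of the last printed line
            while len(out) < offset:
                out += prev_line
            squeezed = False
        if len(fields) == 1:  # trailing offset line: total length
            del out[offset:]
            break
        chunk = bytearray()
        for word in fields[1:]:
            val = int(word, 16)
            chunk += bytes((val & 0xFF, val >> 8))  # little-endian word -> bytes
        out += chunk
        prev_line = bytes(chunk)
    return bytes(out)


def com_entry_opcode(data):
    """The whole basis of 'COM executable for DOS': the first byte alone."""
    if not data:
        return None
    return COM_FIRST_BYTES.get(data[0])


def decode_as_text(data, charset="gb2312"):
    """Strict decode with the charset the Content-Type header declares."""
    try:
        return True, data.decode(charset)
    except UnicodeDecodeError:
        return False, None


def text_ratio(text):
    """Share of decoded characters that are printable or whitespace."""
    if not text:
        return 0.0
    good = sum(1 for c in text if c.isprintable() or c.isspace())
    return good / len(text)


def triage(hexdump_text, charset="gb2312"):
    """Combine the checks into one verdict dictionary."""
    data = parse_hexdump(hexdump_text)
    ok, text = decode_as_text(data, charset)
    return {
        "length": len(data),
        "first_byte": data[0],
        "com_opcode": com_entry_opcode(data),
        "decodes": ok,
        "text_ratio": text_ratio(text) if ok else 0.0,
        "text": text,
    }


if __name__ == "__main__":
    r = triage(HEXDUMP)
    print("bytes: %d  first byte: 0x%02x (%s)"
          % (r["length"], r["first_byte"], r["com_opcode"]))
    print("decodes as gb2312: %s  printable ratio: %.2f"
          % (r["decodes"], r["text_ratio"]))
```

Run it as a script for a one-line verdict, or feed it your own hexdump and charset. The point it makes is that a GB2312 body that happens to begin with 0xB8 (here the lead byte of the first character of the greeting) trips a heuristic written for sub-64 KiB DOS programs; a strict whole-body decode that succeeds with a 100% printable ratio is the evidence that the part is text, not code. That only shows the BANNED trigger was a misclassification of the content type; it says nothing about whether the text itself is a scam, which is what the spam score is for.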

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/