RE: [Declude.JunkMail] New Spam
Here are two links from antivirus vendors that describe the template the
Storm botnet has been putting out. These should be very useful in
crafting regexp to catch them all based on their body text.
<http://www.f-secure.com/weblog/#1255>
http://www.f-secure.com/weblog/#1255
<http://www.symantec.com/enterprise/security_response/weblog/2007/08/new
_storm_front_moving_in.html>
http://www.symantec.com/enterprise/security_response/weblog/2007/08/new_
storm_front_moving_in.html
Caveat: I've no idea how long this information will remain valid.
Andrew.
> -Original Message-
> From: [EMAIL PROTECTED] [ <mailto:[EMAIL PROTECTED]>
mailto:[EMAIL PROTECTED] On
> Behalf Of David Barker
> Sent: Wednesday, August 22, 2007 8:54 AM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] New Spam
>
> Updated filter line to:
>
> (?i:(Click|login|link).{0,50}
http://((?:25[0-5]|2[0-4][0-9]|[0
> 1]?[0-9][0-9]?
> )\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))
>
> -Original Message-
> From: [EMAIL PROTECTED] [ <mailto:[EMAIL PROTECTED]>
mailto:[EMAIL PROTECTED] On
> Behalf Of David
> Barker
> Sent: Tuesday, August 21, 2007 10:14 AM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] New Spam
>
> Thanks :) Much appreciated.
>
> -Original Message-
> From: [EMAIL PROTECTED] [ <mailto:[EMAIL PROTECTED]>
mailto:[EMAIL PROTECTED] On Behalf Of
> SJ.Stanaitis
> Sent: Tuesday, August 21, 2007 9:57 AM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] New Spam
>
> Just something I've been meaning to say for a bit.
>
> Declude RULES.
>
> Thanks David!
> --SJ
>
> -Original Message-
> From: [EMAIL PROTECTED] [ <mailto:[EMAIL PROTECTED]>
mailto:[EMAIL PROTECTED] On
> Behalf Of David
> Barker
> Sent: Tuesday, August 21, 2007 9:39 AM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] New Spam
>
> Filter Line:
>
> BODY 10 PCRE(?i:(Click|login|link).{0,50}
>
http://((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-
> 5]|2[0-4][0-9]
> |[01]?[0-9][0-9]?))
>
> Example Below:
>
> Welcome Member,
>
> Thank You for Joining Poker World.
>
> Membership Number: 3398118525
> Temp Login ID: user3668
> Your Password ID: di150
>
> Please keep your account secure by logging in and changing
> your login info.
>
> Use this link to change your Login info: <http://85.113.198.210/>
http://85.113.198.210/
>
> Thank You,
> Welcome Department
> Poker World
>
>
> David Barker
> VP Operations | Declude
> Your Email Security is our business
> O: 978.499.2933 x7007
> F: 978.988.1311
> E: [EMAIL PROTECTED]
>
>
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at <http://www.mail-archive.com> http://www.mail-archive.com.
>
>
>
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at <http://www.mail-archive.com> http://www.mail-archive.com.
>
>
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at <http://www.mail-archive.com> http://www.mail-archive.com.
>
>
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at <http://www.mail-archive.com> http://www.mail-archive.com.
>
>
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
RE: [Declude.JunkMail] New Spam
Updated filter line to:
(?i:(Click|login|link).{0,50}http://((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?
)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 21, 2007 10:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New Spam
Thanks :) Much appreciated.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Tuesday, August 21, 2007 9:57 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New Spam
Just something I've been meaning to say for a bit.
Declude RULES.
Thanks David!
--SJ
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 21, 2007 9:39 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New Spam
Filter Line:
BODY10 PCRE(?i:(Click|login|link).{0,50}
http://((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]
|[01]?[0-9][0-9]?))
Example Below:
Welcome Member,
Thank You for Joining Poker World.
Membership Number: 3398118525
Temp Login ID: user3668
Your Password ID: di150
Please keep your account secure by logging in and changing your login info.
Use this link to change your Login info: http://85.113.198.210/
Thank You,
Welcome Department
Poker World
David Barker
VP Operations | Declude
Your Email Security is our business
O: 978.499.2933 x7007
F: 978.988.1311
E: [EMAIL PROTECTED]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
RE: [Declude.JunkMail] New Spam
Thanks :) Much appreciated.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Tuesday, August 21, 2007 9:57 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New Spam
Just something I've been meaning to say for a bit.
Declude RULES.
Thanks David!
--SJ
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 21, 2007 9:39 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New Spam
Filter Line:
BODY10 PCRE(?i:(Click|login|link).{0,50}
http://((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]
|[01]?[0-9][0-9]?))
Example Below:
Welcome Member,
Thank You for Joining Poker World.
Membership Number: 3398118525
Temp Login ID: user3668
Your Password ID: di150
Please keep your account secure by logging in and changing your login info.
Use this link to change your Login info: http://85.113.198.210/
Thank You,
Welcome Department
Poker World
David Barker
VP Operations | Declude
Your Email Security is our business
O: 978.499.2933 x7007
F: 978.988.1311
E: [EMAIL PROTECTED]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
Re: [Declude.JunkMail] New spam campaign possibly
You don't want to filter for this. This is the standard encoding that represents any GIF. It is not unique to this spammer, but rather it is universal. It would be no different than filtering for "image/gif" Matt Dave Doherty wrote: ANYWHERE 30 CONTAINS R0lGODdh1 should do it, no? - Original Message - From: "Dave Beckstrom" <[EMAIL PROTECTED]> To: Sent: Wednesday, June 28, 2006 10:57 AM Subject: RE: [Declude.JunkMail] New spam campaign possibly We're getting hundreds of those. The image has a constant pattern starting with " R0lGODdh1" Is there a way to make a filter that would look at the data comprising the image? I'd like to delete filter based on that. Here is a snippet: Content-Type: image/gif; name="jizuxed.gif" Content-Transfer-Encoding: base64 Content-ID: <[EMAIL PROTECTED]> R0lGODdh1wHHAvIAAAQGBcgjJPs5KrOYnPr++v/4/SwA1wHHAgAD/3i63P4w -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Wednesday, June 28, 2006 1:44 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] New spam campaign possibly 3 spam's to postmaster accounts, all got low weights, single gif file attached and from zombie computers. Only pattern I see is the formatting of the body viewed in plain text and HTML and user part of from address is random characters. Actual wording is different and no URLs listed. John T eServices For You "Seek, and ye shall find!" --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] New spam campaign possibly
ANYWHERE 30 CONTAINS R0lGODdh1 should do it, no? - Original Message - From: "Dave Beckstrom" <[EMAIL PROTECTED]> To: Sent: Wednesday, June 28, 2006 10:57 AM Subject: RE: [Declude.JunkMail] New spam campaign possibly We're getting hundreds of those. The image has a constant pattern starting with " R0lGODdh1" Is there a way to make a filter that would look at the data comprising the image? I'd like to delete filter based on that. Here is a snippet: Content-Type: image/gif; name="jizuxed.gif" Content-Transfer-Encoding: base64 Content-ID: <[EMAIL PROTECTED]> R0lGODdh1wHHAvIAAAQGBcgjJPs5KrOYnPr++v/4/SwA1wHHAgAD/3i63P4w -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Wednesday, June 28, 2006 1:44 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] New spam campaign possibly 3 spam's to postmaster accounts, all got low weights, single gif file attached and from zombie computers. Only pattern I see is the formatting of the body viewed in plain text and HTML and user part of from address is random characters. Actual wording is different and no URLs listed. John T eServices For You "Seek, and ye shall find!" --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] New spam campaign possibly
We're getting hundreds of those. The image has a constant pattern starting with " R0lGODdh1" Is there a way to make a filter that would look at the data comprising the image? I'd like to delete filter based on that. Here is a snippet: Content-Type: image/gif; name="jizuxed.gif" Content-Transfer-Encoding: base64 Content-ID: <[EMAIL PROTECTED]> R0lGODdh1wHHAvIAAAQGBcgjJPs5KrOYnPr++v/4/SwA1wHHAgAD/3i63P4w > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T > (Lists) > Sent: Wednesday, June 28, 2006 1:44 AM > To: declude.junkmail@declude.com > Subject: [Declude.JunkMail] New spam campaign possibly > > 3 spam's to postmaster accounts, all got low weights, single gif file > attached and from zombie computers. > > Only pattern I see is the formatting of the body viewed in plain text and > HTML and user part of from address is random characters. Actual wording is > different and no URLs listed. > > John T > eServices For You > > "Seek, and ye shall find!" > > > > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] New spam tactic???
My best guess would be that he is just trying to validate addresses in his database of realtors so that he can sell them to others or spam them with niche content. Matt Marc Catuogno wrote: Same name? Personalized to the agent name? Also through RR in VA? I'm still interested in exactly what the angle is.. seems like a lot of effort. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Sent: Saturday, February 04, 2006 1:48 PM To: Declude.JunkMail@declude.com Subject: [HOLD Weight]RE: [Declude.JunkMail] New spam tactic??? I guess it is! We've had 2 reports day about it (and both ARE real estate agents; say "he" is not on their list). Interesting -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Catuogno Sent: Saturday, February 04, 2006 7:37 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] New spam tactic??? Almost all of my agents received a letter like this: -- Original Message -- From: "Joe Anderson" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] Date: Fri, 3 Feb 2006 22:21:39 -0500 I believe I received an real estate newsletter from Joseph Moleano in Tarrytown, NY. Please remove me from future emails. Thanks Joe It seems very personal, addressed to the agent and with a reference to the town the agent's office is in or service - but none of the agents sent a newsletter to this guy. I e-mailed him for a copy of it to make sure my agents weren't spamming and very soon after I started to get more than usual Viagra ads directed right to me, almost as if my reply subscribed me to the suckers list. Just wondering if anyone else has seen anything like this. I have included the headers below: Received: from SMTP32-FWD by mail.prudentialrand.com (SMTP32) id A0CE902BD0086B842; Fri, 3 Feb 2006 21:09:47 Received: from rrcs-queue-03.hrndva.rr.com [24.28.200.155] by mail.prudentialrand.com with ESMTP (SMTPD32-8.15) id ACE92BD0086; Fri, 03 Feb 2006 21:09:45 -0500 Received: from rrcs-fep-10.hrndva.rr.com (rrcs-fep-10b.hrndva.rr.com [172.28.200.148]) by rrcs-queue-03.hrndva.rr.com (8.13.5+Sun/8.12.10) with ESMTP id k1429WcM008010 for <[EMAIL PROTECTED]>; Fri, 3 Feb 2006 21:09:32 -0500 (EST) Received: from ZBDS ([24.199.134.250]) by rrcs-fep-10.hrndva.rr.com with ESMTP id <[EMAIL PROTECTED]> for <[EMAIL PROTECTED]>; Fri, 3 Feb 2006 21:08:32 -0500 From: "Joe Anderson" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Unsubscribe from Realtor Newsletter Date: Fri, 3 Feb 2006 21:03:28 -0500 MIME-Version: 1.0 X-Mailer: Internal Email Service (4.1.1.692) Message-ID: <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Declude-Sender: [EMAIL PROTECTED] [24.28.200.155] X-Declude-Spoolname: D0CE902BD0086B842.SMD X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: CATCHALLMAILS [0] X-Country-Chain: X-Note: This E-mail was sent from rrcs-mta-03.hrndva.rr.com ([24.28.200.155]). X-RCPT-TO: < Status: U X-UIDL: 428126141 --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: RE: [Declude.JunkMail] New spam tactic???
Same name? Personalized to the agent name? Also through RR in VA? I'm still interested in exactly what the angle is.. seems like a lot of effort. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Sent: Saturday, February 04, 2006 1:48 PM To: Declude.JunkMail@declude.com Subject: [HOLD Weight]RE: [Declude.JunkMail] New spam tactic??? I guess it is! We've had 2 reports day about it (and both ARE real estate agents; say "he" is not on their list). Interesting -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Catuogno Sent: Saturday, February 04, 2006 7:37 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] New spam tactic??? Almost all of my agents received a letter like this: -- Original Message -- From: "Joe Anderson" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] Date: Fri, 3 Feb 2006 22:21:39 -0500 I believe I received an real estate newsletter from Joseph Moleano in Tarrytown, NY. Please remove me from future emails. Thanks Joe It seems very personal, addressed to the agent and with a reference to the town the agent's office is in or service - but none of the agents sent a newsletter to this guy. I e-mailed him for a copy of it to make sure my agents weren't spamming and very soon after I started to get more than usual Viagra ads directed right to me, almost as if my reply subscribed me to the suckers list. Just wondering if anyone else has seen anything like this. I have included the headers below: Received: from SMTP32-FWD by mail.prudentialrand.com (SMTP32) id A0CE902BD0086B842; Fri, 3 Feb 2006 21:09:47 Received: from rrcs-queue-03.hrndva.rr.com [24.28.200.155] by mail.prudentialrand.com with ESMTP (SMTPD32-8.15) id ACE92BD0086; Fri, 03 Feb 2006 21:09:45 -0500 Received: from rrcs-fep-10.hrndva.rr.com (rrcs-fep-10b.hrndva.rr.com [172.28.200.148]) by rrcs-queue-03.hrndva.rr.com (8.13.5+Sun/8.12.10) with ESMTP id k1429WcM008010 for <[EMAIL PROTECTED]>; Fri, 3 Feb 2006 21:09:32 -0500 (EST) Received: from ZBDS ([24.199.134.250]) by rrcs-fep-10.hrndva.rr.com with ESMTP id <[EMAIL PROTECTED]> for <[EMAIL PROTECTED]>; Fri, 3 Feb 2006 21:08:32 -0500 From: "Joe Anderson" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Unsubscribe from Realtor Newsletter Date: Fri, 3 Feb 2006 21:03:28 -0500 MIME-Version: 1.0 X-Mailer: Internal Email Service (4.1.1.692) Message-ID: <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Declude-Sender: [EMAIL PROTECTED] [24.28.200.155] X-Declude-Spoolname: D0CE902BD0086B842.SMD X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: CATCHALLMAILS [0] X-Country-Chain: X-Note: This E-mail was sent from rrcs-mta-03.hrndva.rr.com ([24.28.200.155]). X-RCPT-TO: < Status: U X-UIDL: 428126141 --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] New spam tactic???
I guess it is! We've had 2 reports day about it (and both ARE real estate agents; say "he" is not on their list). Interesting -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Catuogno Sent: Saturday, February 04, 2006 7:37 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] New spam tactic??? Almost all of my agents received a letter like this: -- Original Message -- From: "Joe Anderson" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] Date: Fri, 3 Feb 2006 22:21:39 -0500 I believe I received an real estate newsletter from Joseph Moleano in Tarrytown, NY. Please remove me from future emails. Thanks Joe It seems very personal, addressed to the agent and with a reference to the town the agent's office is in or service - but none of the agents sent a newsletter to this guy. I e-mailed him for a copy of it to make sure my agents weren't spamming and very soon after I started to get more than usual Viagra ads directed right to me, almost as if my reply subscribed me to the suckers list. Just wondering if anyone else has seen anything like this. I have included the headers below: Received: from SMTP32-FWD by mail.prudentialrand.com (SMTP32) id A0CE902BD0086B842; Fri, 3 Feb 2006 21:09:47 Received: from rrcs-queue-03.hrndva.rr.com [24.28.200.155] by mail.prudentialrand.com with ESMTP (SMTPD32-8.15) id ACE92BD0086; Fri, 03 Feb 2006 21:09:45 -0500 Received: from rrcs-fep-10.hrndva.rr.com (rrcs-fep-10b.hrndva.rr.com [172.28.200.148]) by rrcs-queue-03.hrndva.rr.com (8.13.5+Sun/8.12.10) with ESMTP id k1429WcM008010 for <[EMAIL PROTECTED]>; Fri, 3 Feb 2006 21:09:32 -0500 (EST) Received: from ZBDS ([24.199.134.250]) by rrcs-fep-10.hrndva.rr.com with ESMTP id <[EMAIL PROTECTED]> for <[EMAIL PROTECTED]>; Fri, 3 Feb 2006 21:08:32 -0500 From: "Joe Anderson" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Unsubscribe from Realtor Newsletter Date: Fri, 3 Feb 2006 21:03:28 -0500 MIME-Version: 1.0 X-Mailer: Internal Email Service (4.1.1.692) Message-ID: <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Declude-Sender: [EMAIL PROTECTED] [24.28.200.155] X-Declude-Spoolname: D0CE902BD0086B842.SMD X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: CATCHALLMAILS [0] X-Country-Chain: X-Note: This E-mail was sent from rrcs-mta-03.hrndva.rr.com ([24.28.200.155]). X-RCPT-TO: < Status: U X-UIDL: 428126141 --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] New Spam or Virus????!!
I didn't have f-prot with that line until I saw nav desktop catching these. I then submitted it to McAfee and they sent me a extra.dat file and said it would be in their next dat set. I haven't seen the new dat for it yet. Their name: "Identified: W32/Bagle.dll.dr". -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tyler Jensen Sent: Wednesday, April 20, 2005 7:22 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] New Spam or Virus!! I had something similar over the weekend. Standard zip file. If you are using F-Prot you may want to add VirusCode 8 to the config. This will stop them as Unknown Virus. Check your virus log and you may see some code 8 errors in it. Adding viruscode 8 will at least stop them. Ouside of email NAV was calling it Trojan.Tooso.H and F-Prot was calling it w32/mitglieder.c. I submitted my findings to Declude support earlier in the week and spoke with a someone yesterday. Sent the file to him and he said the AVG called it a Bagle of some sort. What is strange is outside of email, f-prot was detecting it. But without viruscode 8, nothing. Tyler -- Original Message -- From: "Chuck Schick" <[EMAIL PROTECTED]> Reply-To: Declude.JunkMail@declude.com Date: Wed, 20 Apr 2005 18:05:08 -0600 >Starting to see messages that have a zip attachement with the format 5.zip >or 7.zip - I do not know if it is spam or a virus. Anyone else seeing >this? Virus scanner is not catching it so I do not know if it is a virus or >not. > >Chuck Schick >Warp 8, Inc. >(303)-421-5140 >www.warp8.com > >--- >This E-mail came from the Declude.JunkMail mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.JunkMail". The archives can be found >at http://www.mail-archive.com. >--- >[This E-mail scanned for viruses by Declude Virus] > > --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] New Spam or Virus????!!
I had something similar over the weekend. Standard zip file. If you are using F-Prot you may want to add VirusCode 8 to the config. This will stop them as Unknown Virus. Check your virus log and you may see some code 8 errors in it. Adding viruscode 8 will at least stop them. Ouside of email NAV was calling it Trojan.Tooso.H and F-Prot was calling it w32/mitglieder.c. I submitted my findings to Declude support earlier in the week and spoke with a someone yesterday. Sent the file to him and he said the AVG called it a Bagle of some sort. What is strange is outside of email, f-prot was detecting it. But without viruscode 8, nothing. Tyler -- Original Message -- From: "Chuck Schick" <[EMAIL PROTECTED]> Reply-To: Declude.JunkMail@declude.com Date: Wed, 20 Apr 2005 18:05:08 -0600 >Starting to see messages that have a zip attachement with the format 5.zip >or 7.zip - I do not know if it is spam or a virus. Anyone else seeing >this? Virus scanner is not catching it so I do not know if it is a virus or >not. > >Chuck Schick >Warp 8, Inc. >(303)-421-5140 >www.warp8.com > >--- >This E-mail came from the Declude.JunkMail mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.JunkMail". The archives can be found >at http://www.mail-archive.com. >--- >[This E-mail scanned for viruses by Declude Virus] > > --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] New Spam or Virus????!!
Coming in though us too. Using FPROT, but appears now they've updated their defs so they are being caught now. They were non-encrypted ZIP's with different file names, single EXE in the zip. Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Thursday, April 21, 2005 2:09 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] New Spam or Virus!! Nothing yet. Are these standard zips or encrypted? We block encrypted. Darin. - Original Message - From: "Chuck Schick" <[EMAIL PROTECTED]> To: "Declude. JunkMail" Sent: Wednesday, April 20, 2005 8:05 PM Subject: [Declude.JunkMail] New Spam or Virus!! Starting to see messages that have a zip attachement with the format 5.zip or 7.zip - I do not know if it is spam or a virus. Anyone else seeing this? Virus scanner is not catching it so I do not know if it is a virus or not. Chuck Schick Warp 8, Inc. (303)-421-5140 www.warp8.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] New Spam or Virus????!!
Nothing yet. Are these standard zips or encrypted? We block encrypted. Darin. - Original Message - From: "Chuck Schick" <[EMAIL PROTECTED]> To: "Declude. JunkMail" Sent: Wednesday, April 20, 2005 8:05 PM Subject: [Declude.JunkMail] New Spam or Virus!! Starting to see messages that have a zip attachement with the format 5.zip or 7.zip - I do not know if it is spam or a virus. Anyone else seeing this? Virus scanner is not catching it so I do not know if it is a virus or not. Chuck Schick Warp 8, Inc. (303)-421-5140 www.warp8.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
