Re: Anyone ever see this?

2005-08-31 Thread jdow

Might have to handle these things with procmail level tools.
{^_^}
- Original Message - 
From: [EMAIL PROTECTED]



Got a nasty spam with an extremely oversized Thread-Index header.  (I set
my word wrap to 72 characters, I don't know if it will hold up however
when I hit send).

Does anyone know if it is exploiting a known Outlook/Exchange security hole?

The Thread-Index header seems to have caused Microsoft Outlook to pick
a friendly name from the user's address book and also hide the To:
header so it came through to undisclosed recipients.

The entire mail was 1.2megs so SpamAssassin of course did not scan it.


From [EMAIL PROTECTED]  Tue Aug 30 15:47:08 2005
Return-Path: [EMAIL PROTECTED]
Received: from excluster1.scriptlogic.com (excluster1.scriptlogic.com
[65.248.131.18])
   by inpf1.XXX.com (Postfix) with ESMTP id 46F0231A829
   for [EMAIL PROTECTED]; Tue, 30 Aug 2005 15:47:01 -0400 (EDT)
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/mixed;
   boundary=_=_NextPart_001_01C5AD9B.92851B9B
Subject: Active Directory Security, Back up and Restore with Active
Administrator 4.0
Date: Tue, 30 Aug 2005 15:46:53 -0400
Message-ID:
[EMAIL PROTECTED]
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Active Directory Security, Back up and Restore with Active
Administrator 4.0
Thread-Index:
From: Jeffrey Colas [EMAIL PROTECTED]
To: [EMAIL PROTECTED]




Re: Anyone ever see this?

2005-08-31 Thread Phil Barnett
On Tuesday 30 August 2005 05:40 pm, [EMAIL PROTECTED] wrote:
 Got a nasty spam with an extremely oversized Thread-Index header.  (I set
 my word wrap to 72 characters, I don't know if it will hold up however
 when I hit send).

 Does anyone know if it is exploiting a known Outlook/Exchange security
 hole?

There was something about an elm vuln today. Probably that one.

-- 
Don't think that a small group of dedicated individuals can't change the 
world. It's the only thing that ever has.


Re: Anyone ever see this?

2005-08-31 Thread mostlyharmless

Thanks for the input all!


Anyone ever see this?

2005-08-30 Thread mostlyharmless
Got a nasty spam with an extremely oversized Thread-Index header.  (I set
my word wrap to 72 characters, I don't know if it will hold up however 
when I hit send).


Does anyone know if it is exploiting a known Outlook/Exchange security hole?

The Thread-Index header seems to have caused Microsoft Outlook to pick 
a friendly name from the user's address book and also hide the To:
header so it came through to undisclosed recipients. 

The entire mail was 1.2megs so SpamAssassin of course did not scan it. 



From [EMAIL PROTECTED]  Tue Aug 30 15:47:08 2005
Return-Path: [EMAIL PROTECTED]
Received: from excluster1.scriptlogic.com (excluster1.scriptlogic.com
[65.248.131.18])
   by inpf1.XXX.com (Postfix) with ESMTP id 46F0231A829
   for [EMAIL PROTECTED]; Tue, 30 Aug 2005 15:47:01 -0400 (EDT)
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/mixed;
   boundary=_=_NextPart_001_01C5AD9B.92851B9B
Subject: Active Directory Security, Back up and Restore with Active
Administrator 4.0
Date: Tue, 30 Aug 2005 15:46:53 -0400
Message-ID:
[EMAIL PROTECTED]
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Active Directory Security, Back up and Restore with Active 
Administrator 4.0
Thread-Index: 

From: Jeffrey Colas [EMAIL PROTECTED]
To: [EMAIL PROTECTED]




Re: Anyone ever see this?

2005-08-30 Thread Matt Kettler
Apparently some versions of Outlook actually generate giant thread-index
headers. And they don't even wrap it properly.

http://archives.neohapsis.com/archives/postfix/2002-02/1116.html


FWIW, it looks like a legitimate ad from scriptlogic. It's not forged, not an
exploit, and seems to advertise one of their actual products.

Of course, this begs the question of why scriptlogic has you on their
advertising list, but that's another matter entirely.


[EMAIL PROTECTED] wrote:
 Got a nasty spam with an extremely oversized Thread-Index header.  (I set
 my word wrap to 72 characters, I don't know if it will hold up however
 when I hit send).
 
 Does anyone know if it is exploiting a known Outlook/Exchange security
 hole?
 
 The Thread-Index header seems to have caused Microsoft Outlook to pick
 a friendly name from the user's address book and also hide the To:
 header so it came through to undisclosed recipients.
 The entire mail was 1.2megs so SpamAssassin of course did not scan it.
 
 From [EMAIL PROTECTED]  Tue Aug 30 15:47:08 2005
 Return-Path: [EMAIL PROTECTED]
 Received: from excluster1.scriptlogic.com (excluster1.scriptlogic.com
 [65.248.131.18])
by inpf1.XXX.com (Postfix) with ESMTP id 46F0231A829
for [EMAIL PROTECTED]; Tue, 30 Aug 2005 15:47:01 -0400 (EDT)
 X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
 Content-class: urn:content-classes:message
 MIME-Version: 1.0
 Content-Type: multipart/mixed;
boundary=_=_NextPart_001_01C5AD9B.92851B9B
 Subject: Active Directory Security, Back up and Restore with Active
 Administrator 4.0
 Date: Tue, 30 Aug 2005 15:46:53 -0400
 Message-ID:
 [EMAIL PROTECTED]
 X-MS-Has-Attach:
 X-MS-TNEF-Correlator:
 Thread-Topic: Active Directory Security, Back up and Restore with Active
 Administrator 4.0
 Thread-Index:
 
 From: Jeffrey Colas [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
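The header-size check jdow suggests doing at the procmail level, combined with Matt Kettler's point that Outlook itself generates giant Thread-Index headers, written as an added Python example (not code from the thread or from SpamAssassin): it flags any oversized header and decodes a Thread-Index to count how many reply blocks it carries. It assumes Microsoft's documented Thread-Index layout (22-byte conversation header plus 5 bytes per reply), and the thresholds and sample message are constructed for the example.

```python
import base64
import email

# Thresholds are assumptions picked for this example, not values from the thread.
MAX_HEADER_CHARS = 2000   # a single header value longer than this deserves a look
MAX_THREAD_DEPTH = 100    # more reply blocks than this is not a human conversation

def thread_index_depth(value: str) -> int:
    """Number of reply blocks in an Outlook Thread-Index, or -1 if undecodable.

    Assumed layout (Microsoft's PidTagConversationIndex): base64 of a 22-byte
    conversation header (1 reserved byte, 5-byte FILETIME prefix, 16-byte GUID)
    followed by one 5-byte block per reply. Folding whitespace is dropped and
    base64 padding restored before decoding.
    """
    compact = "".join(value.split())
    compact += "=" * (-len(compact) % 4)
    try:
        raw = base64.b64decode(compact)
    except ValueError:        # binascii.Error is a ValueError subclass
        return -1
    return (len(raw) - 22) // 5 if len(raw) >= 22 else -1

def check_message(raw_message: bytes) -> list:
    """Findings for oversized headers in a raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw_message)   # default policy keeps raw values
    findings = []
    for name, value in msg.raw_items():           # raw, still-folded header values
        if len(value) > MAX_HEADER_CHARS:
            findings.append(f"oversized header {name}: {len(value)} chars")
        if name.lower() == "thread-index":
            depth = thread_index_depth(value)
            if depth < 0:
                findings.append("Thread-Index: not decodable as base64")
            elif depth > MAX_THREAD_DEPTH:
                findings.append(f"Thread-Index: {depth} reply blocks")
    return findings

def make_thread_index(replies: int) -> str:
    """Constructed Thread-Index with the given number of 5-byte reply blocks."""
    header = b"\x01" + b"\x00" * 5 + b"\x11" * 16   # placeholder, not a real GUID
    return base64.b64encode(header + b"\x00\x00\x00\x00\x01" * replies).decode()

def build_sample(replies: int) -> bytes:
    """Constructed sample message; addresses are placeholders, not the thread's."""
    lines = ["From: sender@example.invalid", "To: undisclosed-recipients:;",
             "Subject: constructed sample",
             "Thread-Index: " + make_thread_index(replies), "", "body"]
    return "\r\n".join(lines).encode()
```

A message whose Thread-Index carries hundreds of reply blocks, like the one above, is far outside what a real conversation produces, which is the signal a procmail or milter rule can key on without needing SpamAssassin to scan the whole 1.2 MB body.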