Re: Iran Nuclear spam
E. Falk wrote:

> Anyone else been seeing a lot of these come in? The text includes a snippet about the Iran Nuclear situation and a link to a "full article". The article appears to have been pinched from elsewhere, but the page includes javascript which appears to use a buffer overflow to load a .hta file.
>
> All the links end in votnews dot com - thankfully the uribl's kept this one from hitting my users. Just thought I'd throw out a warning since it's not just more political spam, there's a payload.
>
> Evan

Found another one from a few days back, this time the news story was about the 14 Marines killed in Iraq. Same IP address in China, this time with the url pointing to vbnnews dot com. Obviously this site is known to the URIBL people... wonder how long it's been out there.

Evan

RE: Iran Nuclear spam
> From: E. Falk [mailto:[EMAIL PROTECTED]
>
> Anyone else been seeing a lot of these come in? The text
> includes a snippet about the Iran Nuclear situation and a
> link to a "full article".
> The article appears to have been pinched from elsewhere, but
> the page includes javascript which appears to use a buffer
> overflow to load a .hta file.
>
> All the links end in votnews dot com - thankfully the uribl's
> kept this one from hitting my users. Just thought I'd throw
> out a warning since it's not just more political spam,
> there's a payload.

I just saw it in the SA catch account (SA caught it at 37.1 points.)

Subject was about Iran/Nuclear but From: looked to be a job search -- the mismatch and SA score were enough for me so I approved the catch and didn't look further.

So it's a HTA buffer overflow, disguised as a Job spam, disguised as a Political?

This strategy of multi-levels of disguise is intriguing -- I have only seen it personally a few times.

-- Herb Martin

Re: Iran Nuclear spam
>...
>Anyone else been seeing a lot of these come in? The text includes a
>snippet about the Iran Nuclear situation and a link to a "full article".
>The article appears to have been pinched from elsewhere, but the page
>includes javascript which appears to use a buffer overflow to load a
>.hta file.
>
>All the links end in votnews dot com - thankfully the uribl's kept this
>one from hitting my users. Just thought I'd throw out a warning since
>it's not just more political spam, there's a payload.
>
>Evan
>

Strange spam from Leo Kuvayev - doesn't make sense. The registration is at YesNIC and the entries are all nominated at rfci already.

Paul Shupak
[EMAIL PROTECTED]

Iran Nuclear spam
Anyone else been seeing a lot of these come in? The text includes a snippet about the Iran Nuclear situation and a link to a "full article". The article appears to have been pinched from elsewhere, but the page includes javascript which appears to use a buffer overflow to load a .hta file.

All the links end in votnews dot com - thankfully the uribl's kept this one from hitting my users. Just thought I'd throw out a warning since it's not just more political spam, there's a payload.

Evan