Re: Anyone ever see this?
Thanks for the input all!
Re: Anyone ever see this?
On Tuesday 30 August 2005 05:40 pm, [EMAIL PROTECTED] wrote:
> Got a nasty spam with an extremely oversized Thread-Index header. (I set
> my word wrap to 72 characters, I don't know if it will hold up however
> when I hit send).
>
> Does anyone know if it is exploiting a known Outlook/Exchange security
> hole?

There was something about an elm vuln today. Probably that one.

--
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
Re: Anyone ever see this?
Might have to handle these things with procmail level tools.
{^_^}

- Original Message -
From: <[EMAIL PROTECTED]>

Got a nasty spam with an extremely oversized Thread-Index header. (I set my word wrap to 72 characters, I don't know if it will hold up however when I hit send).

Does anyone know if it is exploiting a known Outlook/Exchange security hole?

The Thread-Index header seems to have caused Microsoft Outlook to "pick" a friendly name from the user's address book and also hide the To: header so it came through to undisclosed recipients.
The entire mail was 1.2megs so SpamAssassin of course did not scan it.

From [EMAIL PROTECTED] Tue Aug 30 15:47:08 2005
Return-Path: <[EMAIL PROTECTED]>
Received: from excluster1.scriptlogic.com (excluster1.scriptlogic.com [65.248.131.18])
    by inpf1.XXX.com (Postfix) with ESMTP id 46F0231A829
    for <[EMAIL PROTECTED]>; Tue, 30 Aug 2005 15:47:01 -0400 (EDT)
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="_=_NextPart_001_01C5AD9B.92851B9B"
Subject: Active Directory Security, Back up and Restore with Active Administrator 4.0
Date: Tue, 30 Aug 2005 15:46:53 -0400
Message-ID: <[EMAIL PROTECTED]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Active Directory Security, Back up and Restore with Active Administrator 4.0
Thread-Index: TwAAAXkn
 M1MrcQAABkikAAABo7UAAACh9gAADFfA9p0AAAGjjwAAAg2HAAKaui8AAAByWQAAAQVxJoUAAz9yDgAJOgxbK+sAAAfCWwAAAWmxAAABJWsAAAJAOQAAAm4KAAAG5l8AAAOulQAAADfpAAABA3IAAEPefwAAA5tOPNoAABgDXgACBE0tAAATBjwAAAex2AAACFjoAAAOMtMAAAdZCgAAADXWKzMubgAAFGHBAAA/Qa4AAAtObAAAQPqkAAAGSK0AAAzuzQ
From: "Jeffrey Colas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Re: Anyone ever see this?
Apparently some versions of Outlook actually generate giant thread-index headers. And they don't even wrap it properly.

http://archives.neohapsis.com/archives/postfix/2002-02/1116.html

FWIW, it looks like a legitimate ad from scriptlogic. It's not forged, not an exploit, and seems to advertise one of their actual products.

Of course, this begs the question of why scriptlogic has you on their advertising list, but that's another matter entirely.

[EMAIL PROTECTED] wrote:
> Got a nasty spam with an extremely oversized Thread-Index header. (I set
> my word wrap to 72 characters, I don't know if it will hold up however
> when I hit send).
>
> Does anyone know if it is exploiting a known Outlook/Exchange security
> hole?
>
> The Thread-Index header seems to have caused Microsoft Outlook to "pick"
> a friendly name from the user's address book and also hide the To:
> header so it came through to undisclosed recipients.
> The entire mail was 1.2megs so SpamAssassin of course did not scan it.
>
> From [EMAIL PROTECTED] Tue Aug 30 15:47:08 2005
> Return-Path: <[EMAIL PROTECTED]>
> Received: from excluster1.scriptlogic.com (excluster1.scriptlogic.com
> [65.248.131.18])
>     by inpf1.XXX.com (Postfix) with ESMTP id 46F0231A829
>     for <[EMAIL PROTECTED]>; Tue, 30 Aug 2005 15:47:01 -0400 (EDT)
> X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
> Content-class: urn:content-classes:message
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>     boundary="_=_NextPart_001_01C5AD9B.92851B9B"
> Subject: Active Directory Security, Back up and Restore with Active
> Administrator 4.0
> Date: Tue, 30 Aug 2005 15:46:53 -0400
> Message-ID:
> <[EMAIL PROTECTED]>
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> Thread-Topic: Active Directory Security, Back up and Restore with Active
> Administrator 4.0
> Thread-Index:
> AGDTwAAAXkn
> M1MrcQAABkikAAABo7UAAACh9gAADFfA9p0AAAGjjwAAAg2HAAKaui8AAAByWQAAAQVxJoUAAz9yDgAJOgxbK+sAAAfCWwAAAWmxAAABJWsAAAJAOQAAAm4KAAAG5l8AAAOulQAAADfpAAABA3IAAEPefwAAA5tOPNoAABgDXgACBE0tAAATBjwAAAex2AAACFjoAAAOMtMAAAdZCgAAADXWKzMubgAAFGHBAAA/Qa4AAAtObAAAQPqkAAAGSK0AAAzuzQ
>
> From: "Jeffrey Colas" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
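
Added example, not part of any post in this thread: a Python check of the kind the "procmail level tools" remark points at, which unfolds a message's Thread-Index header, measures it, and reports whether it decodes to the layout Microsoft documents for the conversation index (a 22-byte header plus one 5-byte block per reply). The 512-character threshold, the function names and the sample messages are assumptions constructed for illustration.

```python
import base64
import binascii
from email import message_from_string, policy

HEADER_LEN = 22    # conversation-index header: 1 reserved + 5 time + 16 GUID bytes
CHILD_LEN = 5      # each reply in the conversation appends one 5-byte block
MAX_ENCODED = 512  # assumed local threshold, not a value from the thread


def inspect_thread_index(raw_message):
    """Return a report on the Thread-Index header, or None if it is absent."""
    msg = message_from_string(raw_message, policy=policy.compat32)
    value = msg.get("Thread-Index")
    if value is None:
        return None
    encoded = "".join(value.split())  # unfold: drop folding whitespace
    report = {"encoded_len": len(encoded),
              "oversized": len(encoded) > MAX_ENCODED,
              "well_formed": False,
              "replies": None}
    try:
        padded = encoded + "=" * (-len(encoded) % 4)
        blob = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return report  # not base64 at all: leave well_formed False
    extra = len(blob) - HEADER_LEN
    if extra >= 0 and extra % CHILD_LEN == 0:
        report["well_formed"] = True
        report["replies"] = extra // CHILD_LEN
    return report


def build_sample(reply_blocks):
    """Constructed sample message with a folded Thread-Index header."""
    blob = bytes([1]) + bytes(HEADER_LEN - 1) + bytes(CHILD_LEN * reply_blocks)
    b64 = base64.b64encode(blob).decode("ascii")
    folded = "\n ".join(b64[i:i + 72] for i in range(0, len(b64), 72))
    return ("From: sender@example.com\nSubject: constructed sample\n"
            "Thread-Index: " + folded + "\n\nbody\n")


if __name__ == "__main__":
    for depth in (3, 200):
        print(depth, inspect_thread_index(build_sample(depth)))
```

An oversized value that still parses as 22 + 5n bytes is consistent with a long conversation, while one that fails to decode is the case worth quarantining or inspecting by hand.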