I’m seeing spam like: http://pastebin.com/XXQrNURW

Notice:

* the message is almost always text/plain single part;
* the only Received: line is the local one, even though it was received on port 25;
* the message id contains the string be2aaf2163fd72c9975ec76b00288831, which seems to be a SHA1 hash associated with the destination email address;
* there are two or more nonsense header fields containing the SHA1 hash plus some small integer, and both values are repeated in the message body;
* there’s sometimes a third integer value both in the message and optionally in some nonsense header field;
* the message begins with either “Hello ____” or “Dear ____” as the destination email address;
* the phishing URL is either hosted by googlasi (as an amazon instance 54.69.70.160), or else blacklotus instance as 192.31.186.4.

I’m occasionally seeing text/html which also contains the same hash as part of the phishing URL.

Anyone else seeing this?

I’m currently defeating this by locally blacklisting the 2 IP addresses associated with the URL, plus finding the SHA1 in the message. I’d like to not have to rely on the specific value of the hash for the 2nd test.

-Philip
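One way to match the pattern described above by shape rather than by the specific hash value, as an added example that is not part of the original post: parse the message, pull any long hex token out of the Message-ID, and check whether that same token is echoed in other header fields and in the body, whether a small integer follows it in both places, whether the greeting is the recipient address, and whether there is exactly one Received: line. The sample messages, the hash, the addresses and the URL are constructed placeholders; the token length (32 to 40 hex characters) is an assumption chosen to cover both the quoted string and a full SHA1, and the "received on port 25" part is not checked because that needs MTA context the message itself does not carry.

```python
"""Heuristic detector for the hash-stamped phishing pattern described above.

Added example, not code from the original post. It finds a hex token in the
Message-ID and checks whether it is echoed elsewhere in the message, so the
test does not depend on the token's specific value.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Hex token of 32 to 40 characters (assumption: covers the quoted string and a
# full SHA1); matched by shape, not by value.
HEX_TOKEN = re.compile(r"\b[0-9a-f]{32,40}\b")
# A small integer immediately following the token, e.g. "<hash>-17".
INT_AFTER = r"[\s\-_.:]?(\d{1,5})\b"

# Constructed sample modelled on the post's description; the hash, addresses
# and URL are placeholders, not values taken from any real message.
SAMPLE = """Received: from localhost (localhost [127.0.0.1]) by mx.example.invalid with ESMTP id ABC123; Mon, 1 Jan 2018 00:00:00 +0000
Message-ID: <0123456789abcdef0123456789abcdef.1234@example.invalid>
From: alerts@example.invalid
To: victim@example.invalid
X-Rnd-Token: 0123456789abcdef0123456789abcdef-17
X-Trace-Ref: 0123456789abcdef0123456789abcdef 42
Subject: Account notice
Content-Type: text/plain; charset=us-ascii

Dear victim@example.invalid,

Your reference 0123456789abcdef0123456789abcdef-17 (42) requires attention.
http://example.invalid/verify/0123456789abcdef0123456789abcdef
"""

# Constructed ordinary message for comparison (two Received: lines, no token).
CLEAN = """Received: from mail.example.invalid (mail.example.invalid [203.0.113.5]) by mx.example.invalid with ESMTP id DEF456; Mon, 1 Jan 2018 00:00:00 +0000
Received: from [10.0.0.7] by mail.example.invalid with ESMTPSA id GHI789; Mon, 1 Jan 2018 00:00:00 +0000
Message-ID: <20180101.1234@example.invalid>
From: bob@example.invalid
To: alice@example.invalid
Subject: Lunch
Content-Type: text/plain; charset=us-ascii

Hi Alice,

Are we still on for lunch tomorrow?
"""


def analyze(raw: str) -> dict:
    """Return the individual indicators for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    msg_id = (msg.get("Message-ID") or "").lower()
    tokens = HEX_TOKEN.findall(msg_id)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_l = (body_part.get_content() if body_part is not None else "").lower()
    _, to_addr = parseaddr(msg.get("To") or "")

    result = {
        "hash": None,
        "other_headers": [],   # header fields (besides Message-ID) echoing the token
        "in_body": False,
        "shared_ints": [],     # integers following the token in both a header and the body
        "greeting_is_address": False,
        "single_received": len(msg.get_all("Received", [])) == 1,
    }
    if to_addr:
        greeting = re.compile(r"^\s*(hello|dear)\s+" + re.escape(to_addr.lower()) + r"\b")
        result["greeting_is_address"] = greeting.match(body_l) is not None
    if not tokens:
        return result

    tok = tokens[0]
    result["hash"] = tok
    header_ints = set()
    for name, value in msg.items():
        value_l = str(value).lower()
        if name.lower() != "message-id" and tok in value_l:
            result["other_headers"].append(name)
            header_ints.update(re.findall(re.escape(tok) + INT_AFTER, value_l))
    result["in_body"] = tok in body_l
    body_ints = set(re.findall(re.escape(tok) + INT_AFTER, body_l))
    result["shared_ints"] = sorted(header_ints & body_ints)
    return result


def is_hash_stamped_phish(raw: str) -> bool:
    """Flag when the Message-ID token is echoed in another header and in the body."""
    r = analyze(raw)
    return r["hash"] is not None and bool(r["other_headers"]) and r["in_body"]


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("clean", CLEAN)):
        print(label, is_hash_stamped_phish(raw), analyze(raw))
```

The verdict in is_hash_stamped_phish deliberately uses only the repeated-token indicators; the greeting, shared-integer and single-Received: results are returned separately so they can be weighted in a scoring rule rather than turned into hard rejects on their own.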