<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: arial,helvetica,sans-serif; font-size: 10pt; color: #000000'>The latest ClamAV definitions on one of our mail services (postfix/Zimbra) appear to be picking up the viruses ok.
I've had several thousand quarantined over the last couple of days from
the listed domains, so I can add some data to the list if anyone wants the IPs. Haven't had a chance to check the Exchange servers yet, but if the virus scanning doesn't pick them up I'm assuming SPF will. After a couple of issues similar to this over the last couple of years, this is why we recommend valid SPF records on all of our customers' domains.<br><br>Cameron<br><div><br></div><hr id="zwchr"><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Martin - StudioCoast" <martin.sinclair@studiocoast.com.au><br><b>To: </b>ausnog@lists.ausnog.net<br><b>Sent: </b>Thursday, 13 December, 2012 12:18:19 PM<br><b>Subject: </b>Re: [AusNOG] qld transport contact<br><br>
<div class="moz-cite-prefix"><font size="-1"><font face="Arial">Given
so few virus scanners are picking up t<font size="-1">his
malware<font size="-1"> the usual "scan before opening<font size="-1">" idea will not be effec<font size="-1">tive
either.<br>
<font size="-1"><font size="-1">Educating users about
what attachments to avoi<font size="-1">d is such
a minefield <font size="-1">especially since
malicious PDF files have been used in the
past.<br>
<br>
<font size="-1">This might be why many
airlines have moved to <font size="-1">inline
it<font size="-1">ineraries <font size="-1">to avoid using attachments
at all.<br>
<br>
<br>
<br>
</font></font></font></font></font></font></font></font></font></font></font></font></font></font>On
13/12/2012 11:54 AM, Nathan Ridge wrote:<br>
</div>
<blockquote cite="mid:007c01cdd8d4$c1491130$43db3390$@matilda.net.au">
<pre>Wow... so now hundreds or thousands of people that are actually travelling
soon open the virus under instruction from virgin to do so, that's lazy,
they will be raped over this, they should have been much more explicit
saying only open the attachment if it is a pdf not zip or exe and make sure
you scan with an uptodate av program before opening.
-----Original Message-----
From: Greg Smith [<a class="moz-txt-link-freetext" href="mailto:greg@webmetrix.com.au" target="_blank">mailto:greg@webmetrix.com.au</a>]
Sent: Thursday, 13 December 2012 11:44 AM
To: Nathan Brookfield; Matt Perkins; <a class="moz-txt-link-abbreviated" href="mailto:ausnog@lists.ausnog.net" target="_blank">ausnog@lists.ausnog.net</a>
Subject: Re: [AusNOG] qld transport contact
Yeah but if you have alook on their facebook page - some admin there said,
only open the pdf if you are travelling with us soon!! Idiots!
-----Original Message-----
From: <a class="moz-txt-link-abbreviated" href="mailto:ausnog-bounces@lists.ausnog.net" target="_blank">ausnog-bounces@lists.ausnog.net</a>
[<a class="moz-txt-link-freetext" href="mailto:ausnog-bounces@lists.ausnog.net" target="_blank">mailto:ausnog-bounces@lists.ausnog.net</a>] On Behalf Of Nathan Brookfield
Sent: Thursday, 13 December 2012 11:38
To: Matt Perkins; <a class="moz-txt-link-abbreviated" href="mailto:ausnog@lists.ausnog.net" target="_blank">ausnog@lists.ausnog.net</a>
Subject: Re: [AusNOG] qld transport contact
Virgin have advised all of their employees to inform customers of the fraud
also so they must be getting hammered.
Kindest Regards,
Nathan Brookfield (VK2NAB)
Chief Executive Officer
Simtronic Technologies Pty Ltd
Local: (02) 4749 4949 | Fax: (02) 4749 4950 | Direct: (02) 4749 4951
Web: <a class="moz-txt-link-freetext" href="http://www.simtronic.com.au" target="_blank">http://www.simtronic.com.au</a> | E-mail:
<a class="moz-txt-link-abbreviated" href="mailto:nathan.brookfield@simtronic.com.au" target="_blank">nathan.brookfield@simtronic.com.au</a>
-----Original Message-----
From: <a class="moz-txt-link-abbreviated" href="mailto:ausnog-bounces@lists.ausnog.net" target="_blank">ausnog-bounces@lists.ausnog.net</a>
[<a class="moz-txt-link-freetext" href="mailto:ausnog-bounces@lists.ausnog.net" target="_blank">mailto:ausnog-bounces@lists.ausnog.net</a>] On Behalf Of Matt Perkins
Sent: Thursday, 13 December 2012 12:36 PM
To: <a class="moz-txt-link-abbreviated" href="mailto:ausnog@lists.ausnog.net" target="_blank">ausnog@lists.ausnog.net</a>
Subject: Re: [AusNOG] qld transport contact
We have seen the same virgin blue spoofed ones for about 3 - 4 days now.
There's a jetstar one as well. Mail can be a bane.
Matt.
On 13/12/12 12:17 PM, Nathan Ridge wrote:
</pre>
<blockquote>
<pre>Hey,
It seems to be getting far worse... We are now seeing the same type of
</pre>
</blockquote>
<pre></pre>
<blockquote>
<pre>thing coming from virginblue.com.au and ticketek, thousands of emails
getting stopped now on our filters from multiple companies
Nathan
-----Original Message-----
From: Heinz N [<a class="moz-txt-link-freetext" href="mailto:ausnog@equisoft.com.au" target="_blank">mailto:ausnog@equisoft.com.au</a>]
Sent: Thursday, 13 December 2012 11:07 AM
To: <a class="moz-txt-link-abbreviated" href="mailto:ausnog@lists.ausnog.net" target="_blank">ausnog@lists.ausnog.net</a>
Subject: Re: [AusNOG] qld transport contact
</pre>
<blockquote>
<pre>What I'm seeing is a lot of spam pretending to be QLD Transport, With
</pre>
</blockquote>
</blockquote>
<pre></pre>
<blockquote>
<blockquote>
<pre>the QLD Transport servers added to the mail headers, but they are
fake
</pre>
</blockquote>
<pre>headers to make it look like they've passed through QLD Transport.
</pre>
<blockquote>
<pre>The actual mail server handing me the email is
Received: from a24.satur.ba.cust.gts.sk (62.168.71.248) by
chasm1.ozservers.com.au with SMTP; 12 Dec 2012 07:50:35 +1000
</pre>
</blockquote>
<pre>I am also getting lots of the same spam (with trojan exe payload)
pretending to be from qld xport BUT they are from zombies all over the
</pre>
</blockquote>
<pre></pre>
<blockquote>
<pre>world. This has nothing to do with qld xport. Their name just happens
to be in the faked header. Always check the IP address of the last
SMTP relay host. Your SMTP server won't lie about the IP address that
it received the email from. The rest of the stuff/header(s) is
</pre>
</blockquote>
<pre>probably all fake.
</pre>
<blockquote>
<pre>With a _decent_ email client, you can view all the email headers and
check them. These days, it is imperative to do that because of all the
</pre>
</blockquote>
<pre></pre>
<blockquote>
<pre>spear phishing and other targeted stuff going on. All SMTP traffic
should be considered as malicious/fake until properly verified.
Regards,
Heinz N
_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</pre>
</blockquote>
<pre>
--
/* Matt Perkins
Direct 1300 137 379 Spectrum Networks Ptd. Ltd.
Office 1300 133 299 <a class="moz-txt-link-abbreviated" href="mailto:matt@spectrum.com.au" target="_blank">matt@spectrum.com.au</a>
Fax 1300 133 255 Level 6, 350 George Street Sydney 2000
SIP <a class="moz-txt-link-abbreviated" href="mailto:1300137379@sip.spectrum.com.au" target="_blank">1300137379@sip.spectrum.com.au</a>
PGP/GNUPG Public Key can be found at <a class="moz-txt-link-freetext" href="http://pgp.mit.edu" target="_blank">http://pgp.mit.edu</a> */
_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</pre>
</blockquote>
<br>
<br>_______________________________________________<br>AusNOG mailing list<br>AusNOG@lists.ausnog.net<br>http://lists.ausnog.net/mailman/listinfo/ausnog<br></div><br></div></body></html>