<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix"><font size="-1"><font face="Arial">Yes
          it would appear someone is specifically targeting Australians with a malware attack.<br>
          I would speculate they are trying to expand an Australian based botnet for some nefarious purpose.<br>
          <br>
          The payload in these emails is only showing up on a handful of virus scanners.<br>
          <a class="moz-txt-link-freetext" href="https://www.virustotal.com/file/573ddfa4f744da7bf2a0c73338fd2933050c3682b0905d46932948398184921b/analysis/">https://www.virustotal.com/file/573ddfa4f744da7bf2a0c73338fd2933050c3682b0905d46932948398184921b/analysis/</a><br>
          <br>
          Martin<br>
          <br>
          </font></font>On 13/12/2012 11:17 AM, Nathan Ridge wrote:<br>
    </div>
    <blockquote
      cite="mid:005801cdd8cf$a6491650$f2db42f0$@matilda.net.au"
      type="cite">
      <pre wrap="">Hey,

It seems to be getting far worse... We are now seeing the same type of thing
coming from virginblue.com.au and ticketek, thousands of emails getting
stopped now on our filters from multiple companies

Nathan

-----Original Message-----
From: Heinz N [<a class="moz-txt-link-freetext" href="mailto:ausnog@equisoft.com.au">mailto:ausnog@equisoft.com.au</a>] 
Sent: Thursday, 13 December 2012 11:07 AM
To: <a class="moz-txt-link-abbreviated" href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a>
Subject: Re: [AusNOG] qld transport contact

</pre>
      <blockquote type="cite">
        <pre wrap="">What I'm seeing is a lot of spam pretending to be QLD Transport, with
the QLD Transport servers added to the mail headers, but they are fake
headers to make it look like they've passed through QLD Transport.

The actual mail server handing me the email is
Received: from a24.satur.ba.cust.gts.sk (62.168.71.248)  by 
chasm1.ozservers.com.au with SMTP; 12 Dec 2012 07:50:35 +1000
</pre>
      </blockquote>
      <pre wrap="">
I am also getting lots of the same spam (with trojan exe payload) pretending
to be from qld xport BUT they are from zombies all over the world. This has
nothing to do with qld xport. Their name just happens to be in the faked
header. Always check the IP address of the last SMTP relay host. Your SMTP
server won't lie about the IP address that it received the email from. The
rest of the stuff/header(s) is probably all fake.

With a _decent_ email client, you can view all the email headers and check
them. These days, it is imperative to do that because of all the spear
phishing and other targeted stuff going on. All SMTP traffic should be
considered as malicious/fake until properly verified.

Regards,
Heinz N
_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a>

</pre>
    </blockquote>
    <br>
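    <p>The header check described in the quoted advice (trust only the peer IP stamped by your own SMTP server), as an added example that is not part of the original thread. The function names, the <code>own_relays</code> parameter and the second, forged Received line with its transport.example hosts are constructed for illustration; the top Received line is the one quoted in the thread.</p>
    <pre>
```python
import email
import ipaddress
import re

# Constructed sample: the top Received line is the one quoted in the thread;
# the second one stands in for a forged, sender-supplied header.
SAMPLE = """\
Received: from a24.satur.ba.cust.gts.sk (62.168.71.248)  by
 chasm1.ozservers.com.au with SMTP; 12 Dec 2012 07:50:35 +1000
Received: from mail.transport.example (192.0.2.10) by
 relay.transport.example with ESMTP; 12 Dec 2012 07:49:58 +1000
From: notice@transport.example
Subject: Infringement notice

body
"""

def received_from_ip(header):
    """Peer IP recorded in one Received header, or None.

    Heuristic: the last valid IP literal in the 'from ...' clause, which is
    where common MTAs put the address they saw on the socket."""
    clause = re.split(r"\sby\s", " ".join(header.split()), maxsplit=1)[0]
    if not clause.lower().startswith("from "):
        return None
    found = None
    for token in re.findall(r"[0-9A-Fa-f:.]{3,}", clause):
        try:
            found = ipaddress.ip_address(token)
        except ValueError:
            continue  # hostname fragment, not an address
    return found

def handoff_ip(raw_message, own_relays=()):
    """Walk Received headers newest-first and return the first peer IP that
    is not one of our own relays. Headers below that hop were supplied by
    the sender and are never consulted."""
    own = [ipaddress.ip_network(n) for n in own_relays]
    msg = email.message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        ip = received_from_ip(header)
        if ip is None:
            return None  # unparseable hop: stop instead of trusting lower lines
        if not any(ip in net for net in own):
            return ip
    return None

if __name__ == "__main__":
    print(handoff_ip(SAMPLE))
```
    </pre>
    <p>Pass your internal relay networks in <code>own_relays</code> when mail crosses more than one of your own servers before delivery; otherwise the topmost header already names the external peer.</p>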
  </body>
</html>