<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix"><font size="-1"><font face="Arial">Given
          so few virus scanners are picking up t<font size="-1">his
            malware<font size="-1"> the usual "scan before opening<font
                size="-1">" idea will not be effec<font size="-1">tive
                  either.<br>
                  <font size="-1"><font size="-1">Educating users about
                      what attachments to avoi<font size="-1">d is such
                        a minefield <font size="-1">especially since
                          malicious PDF files have been used in the
                          past.<br>
                          <br>
                          <font size="-1">This might be why many
                            airlines have moved to <font size="-1">inline
                              it<font size="-1">ineraries <font
                                  size="-1">to avoid using attachments
                                  at all.<br>
                                  <br>
                                  <br>
                                  <br>
                                </font></font></font></font></font></font></font></font></font></font></font></font></font></font>On
      13/12/2012 11:54 AM, Nathan Ridge wrote:<br>
    </div>
    <blockquote
      cite="mid:007c01cdd8d4$c1491130$43db3390$@matilda.net.au"
      type="cite">
      <pre wrap="">Wow... so now hundreds or  thousands of people that are actually travelling
soon open the virus under instruction from virgin to do so, that's lazy,
they will be raped over this, they should have been much more explicit
saying only open the attachment if it is a pdf not zip or exe and make sure
you scan with an uptodate av program before opening.

-----Original Message-----
From: Greg Smith [<a class="moz-txt-link-freetext" href="mailto:greg@webmetrix.com.au">mailto:greg@webmetrix.com.au</a>] 
Sent: Thursday, 13 December 2012 11:44 AM
To: Nathan Brookfield; Matt Perkins; <a class="moz-txt-link-abbreviated" href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a>
Subject: Re: [AusNOG] qld transport contact

Yeah but if you have alook on their facebook page - some admin there said,
only open the pdf if you are travelling with us soon!! Idiots!

 

-----Original Message-----
From: <a class="moz-txt-link-abbreviated" href="mailto:ausnog-bounces@lists.ausnog.net">ausnog-bounces@lists.ausnog.net</a>
[<a class="moz-txt-link-freetext" href="mailto:ausnog-bounces@lists.ausnog.net">mailto:ausnog-bounces@lists.ausnog.net</a>] On Behalf Of Nathan Brookfield
Sent: Thursday, 13 December 2012 11:38
To: Matt Perkins; <a class="moz-txt-link-abbreviated" href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a>
Subject: Re: [AusNOG] qld transport contact

Virgin have advised all of their employees to inform customers of the fraud
also so they must be getting hammered.

Kindest Regards,
Nathan Brookfield (VK2NAB)

Chief Executive Officer
Simtronic Technologies Pty Ltd

Local: (02) 4749 4949 | Fax: (02) 4749 4950 | Direct: (02) 4749 4951
Web: <a class="moz-txt-link-freetext" href="http://www.simtronic.com.au">http://www.simtronic.com.au</a> | E-mail:
<a class="moz-txt-link-abbreviated" href="mailto:nathan.brookfield@simtronic.com.au">nathan.brookfield@simtronic.com.au</a>

-----Original Message-----
From: <a class="moz-txt-link-abbreviated" href="mailto:ausnog-bounces@lists.ausnog.net">ausnog-bounces@lists.ausnog.net</a>
[<a class="moz-txt-link-freetext" href="mailto:ausnog-bounces@lists.ausnog.net">mailto:ausnog-bounces@lists.ausnog.net</a>] On Behalf Of Matt Perkins
Sent: Thursday, 13 December 2012 12:36 PM
To: <a class="moz-txt-link-abbreviated" href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a>
Subject: Re: [AusNOG] qld transport contact

We have seen the same virgin blue spoofed ones for about 3 - 4 days now.

There's a jetstar one as well. Mail can be a bane.

Matt.

On 13/12/12 12:17 PM, Nathan Ridge wrote:
</pre>
      <blockquote type="cite">
        <pre wrap="">Hey,

It seems to be getting far worse... We are now seeing the same type of
</pre>
      </blockquote>
      <pre wrap="">
</pre>
      <blockquote type="cite">
        <pre wrap="">thing coming from virginblue.com.au and ticketek, thousands of emails 
getting stopped now on our filters from multiple companies

Nathan

-----Original Message-----
From: Heinz N [<a class="moz-txt-link-freetext" href="mailto:ausnog@equisoft.com.au">mailto:ausnog@equisoft.com.au</a>]
Sent: Thursday, 13 December 2012 11:07 AM
To: <a class="moz-txt-link-abbreviated" href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a>
Subject: Re: [AusNOG] qld transport contact

</pre>
        <blockquote type="cite">
          <pre wrap="">What I'm seeing is a lot of spam pretending to be QLD Transport, With
</pre>
        </blockquote>
      </blockquote>
      <pre wrap="">
</pre>
      <blockquote type="cite">
        <blockquote type="cite">
          <pre wrap="">the QLD Transport servers added to the mail headers, but they are 
fake
</pre>
        </blockquote>
        <pre wrap="">headers to make it look like they've passed through QLD Transport.
</pre>
        <blockquote type="cite">
          <pre wrap="">The actual mail server handing me the email is
Received: from a24.satur.ba.cust.gts.sk (62.168.71.248)  by 
chasm1.ozservers.com.au with SMTP; 12 Dec 2012 07:50:35 +1000
</pre>
        </blockquote>
        <pre wrap="">I am also getting lots of the same spam (with trojan exe payload) 
pretending to be from qld xport BUT they are from zombies all over the
</pre>
      </blockquote>
      <pre wrap="">
</pre>
      <blockquote type="cite">
        <pre wrap="">world. This has nothing to do with qld xport. Their name just happens 
to be in the faked header. Always check the IP address of the last 
SMTP relay host. Your SMTP server won't lie about the IP address that 
it received the email from. The rest of the stuff/header(s) is
</pre>
      </blockquote>
      <pre wrap="">probably all fake.
</pre>
      <blockquote type="cite">
        <pre wrap="">
With a _decent_ email client, you can view all the email headers and 
check them. These days, it is imperative to do that because of all the
</pre>
      </blockquote>
      <pre wrap="">
</pre>
      <blockquote type="cite">
        <pre wrap="">spear phishing and other targeted stuff going on. All SMTP traffic 
should be considered as malicious/fake until properly verified.

Regards,
Heinz N
_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a>

_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</pre>
      </blockquote>
      <pre wrap="">

--
/* Matt Perkins
         Direct 1300 137 379     Spectrum Networks Ptd. Ltd.
         Office 1300 133 299     <a class="moz-txt-link-abbreviated" href="mailto:matt@spectrum.com.au">matt@spectrum.com.au</a>
         Fax    1300 133 255     Level 6, 350 George Street Sydney 2000
         SIP <a class="moz-txt-link-abbreviated" href="mailto:1300137379@sip.spectrum.com.au">1300137379@sip.spectrum.com.au</a>
         PGP/GNUPG Public Key can be found at  <a class="moz-txt-link-freetext" href="http://pgp.mit.edu">http://pgp.mit.edu</a> */

_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a>

_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>