[AusNOG] qld transport contact

Martin - StudioCoast martin.sinclair at studiocoast.com.au
Thu Dec 13 12:33:58 EST 2012


Yes, it would appear someone is specifically targeting Australians with a 
malware attack.
I would speculate they are trying to expand an Australian-based 
botnet for some nefarious purpose.

The payload in these emails is only showing up on a handful of virus 
scanners.
https://www.virustotal.com/file/573ddfa4f744da7bf2a0c73338fd2933050c3682b0905d46932948398184921b/analysis/

Martin

On 13/12/2012 11:17 AM, Nathan Ridge wrote:
> Hey,
>
> It seems to be getting far worse... We are now seeing the same type of thing
> coming from virginblue.com.au and ticketek, thousands of emails getting
> stopped now on our filters from multiple companies
>
> Nathan
>
> -----Original Message-----
> From: Heinz N [mailto:ausnog at equisoft.com.au]
> Sent: Thursday, 13 December 2012 11:07 AM
> To: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] qld transport contact
>
>> What I'm seeing is a lot of spam pretending to be QLD Transport, with
>> the QLD Transport servers added to the mail headers, but they are fake
>> headers to make it look like they've passed through QLD Transport.
>> The actual mail server handing me the email is
>> Received: from a24.satur.ba.cust.gts.sk (62.168.71.248)  by
>> chasm1.ozservers.com.au with SMTP; 12 Dec 2012 07:50:35 +1000
> I am also getting lots of the same spam (with trojan exe payload) pretending
> to be from qld xport BUT they are from zombies all over the world. This has
> nothing to do with qld xport. Their name just happens to be in the faked
> header. Always check the IP address of the last SMTP relay host. Your SMTP
> server won't lie about the IP address that it received the email from. The
> rest of the stuff/header(s) is probably all fake.
>
> With a _decent_ email client, you can view all the email headers and check
> them. These days, it is imperative to do that because of all the spear
> phishing and other targeted stuff going on. All SMTP traffic should be
> considered as malicious/fake until properly verified.
>
> Regards,
> Heinz N
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
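Heinz's advice above (trust only the connecting IP your own MX recorded; treat every Received line below it as sender-supplied) can be turned into a small header check. The following is an added example, not code from the thread or from any of the posters. It uses the Received line quoted on the list as the trusted hop and pads it with constructed forged hops; `chasm1.ozservers.com.au` as the local MX name, the placeholder domain `transport.example` standing in for the impersonated sender, and the `203.0.113.0/24` netblock are all assumptions for the example (in practice the permitted netblocks would come from the sender domain's published SPF record or your own allowlist).

```python
"""Find the one Received header you can trust and compare it with the claimed sender."""
import email
import ipaddress
import re
from email import policy

# Hostnames of our own inbound MX(es). Assumed for the example; the header
# quoted on the list shows chasm1.ozservers.com.au as the receiving host.
MY_MX_HOSTS = {"chasm1.ozservers.com.au"}

# Netblocks the claimed sender domain may hand mail to us from. Constructed
# placeholder (a documentation range); in production this comes from the
# sender's SPF record or a maintained allowlist.
SENDER_NETBLOCKS = {
    "transport.example": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed sample. The first Received line is the one quoted on the list
# (written by our MX); the two below it were supplied by the sender and name
# the impersonated organisation's (placeholder) servers.
FORGED_SAMPLE = """Received: from a24.satur.ba.cust.gts.sk (62.168.71.248)  by
 chasm1.ozservers.com.au with SMTP; 12 Dec 2012 07:50:35 +1000
Received: from mx2.transport.example (mx2.transport.example [203.0.113.20])
 by mx1.transport.example with ESMTP; Wed, 12 Dec 2012 07:49:02 +1000
Received: from app01.transport.example (app01.transport.example [203.0.113.5])
 by mx2.transport.example with ESMTP; Wed, 12 Dec 2012 07:48:55 +1000
From: "Queensland Transport" <noreply@transport.example>
To: user@example.net
Subject: Traffic infringement notice
Content-Type: text/plain

See the attached notice.
"""

# Constructed control case: same claimed sender, but handed to our MX by a
# host inside the sender's permitted netblock.
GENUINE_SAMPLE = """Received: from mx2.transport.example (mx2.transport.example [203.0.113.20])
 by chasm1.ozservers.com.au with ESMTP; 12 Dec 2012 08:01:11 +1000
From: "Queensland Transport" <noreply@transport.example>
To: user@example.net
Subject: Traffic infringement notice
Content-Type: text/plain

See the attached notice.
"""

# "from <helo> ... <ipv4> ... by <host>"; covers both "(ip)" and "name [ip]" styles.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?\bby\s+(?P<by>[\w.-]+)",
    re.S,
)


def parse_received(msg):
    """Return hops top-down: index 0 is the header our own MX added last."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(value))
        hops.append(
            {"helo": m["helo"].lower(), "ip": m["ip"], "by": m["by"].lower()}
            if m else {"helo": None, "ip": None, "by": None, "raw": str(value)}
        )
    return hops


def handoff_hop(hops, my_hosts):
    """Walk down from the top while the headers were written by our own hosts.
    The first of those whose connecting host is *not* ours is the hand-off from
    the outside world; its IP is the one thing the sender could not forge.
    A forged 'by <our MX>' line further down is never reached, because we stop
    at the first header not written by us."""
    for i, hop in enumerate(hops):
        if hop["by"] not in my_hosts:
            break
        if hop["helo"] not in my_hosts:
            return i, hop
    return None, None


def assess(raw, my_hosts=MY_MX_HOSTS, netblocks=SENDER_NETBLOCKS):
    """Compare the claimed From: domain with the true last-hop IP."""
    msg = email.message_from_string(raw, policy=policy.default)
    claimed_domain = msg["From"].addresses[0].domain.lower()
    hops = parse_received(msg)
    idx, hop = handoff_hop(hops, my_hosts)
    verdict = {
        "claimed_domain": claimed_domain,
        "origin_ip": None,
        "origin_authorised": False,
        "unverified_received": hops,  # nothing trustworthy found: all of them
    }
    if hop is not None:
        ip = ipaddress.ip_address(hop["ip"])
        verdict["origin_ip"] = str(ip)
        verdict["origin_authorised"] = any(
            ip in net for net in netblocks.get(claimed_domain, [])
        )
        verdict["unverified_received"] = hops[idx + 1:]
    return verdict


if __name__ == "__main__":
    for label, sample in (("forged", FORGED_SAMPLE), ("genuine", GENUINE_SAMPLE)):
        print(label, assess(sample))
```

For the forged sample the verdict is origin IP 62.168.71.248, not authorised for `transport.example`, with the two QLD-looking Received lines flagged as unverified; for the control sample the origin is 203.0.113.20 and authorised. Note that even in the trusted hop only the IP is reliable: the hostname after `from` is whatever the client said in HELO, so it should never be used as the identity of the relay.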
