Thursday, July 8, 2010

Bounce message spam

There's a new spam in the wild that claims to be a bounce (non-delivery report) for a message you sent, but whose attachment actually sends you to a meds spammer's site. They've been mutating for several days, so the body and attachment change fairly rapidly, but here's what one looks like as of the date of this post:


--- begin spam ---

Delivery Status Notification (Failure) Note: Forwarded message is attached.

This is an automatically generated Delivery Status Notification

THIS IS A WARNING MESSAGE ONLY.

Delivery to the following recipient has been delayed:

user@domain.com

Message will be retried for 2 more day(s)

--- end spam ---

Then there is an HTML attachment which redirects to the spammer's web site.

It's really quite ingenious. Who wouldn't open a bounce, even if they didn't remember sending the original email, or maybe especially if they didn't remember sending it?

Another one, this time stating that it's from "mailfilter@yourdomain.com":

--- another spam ---

Note: Forwarded message is attached.

An email you sent could not be delivered.
Subject: Hello

Delivery to the following address has failed...
user@RecipientDomain.com


Technical information about this permanent failure:


-- Transcript of session follows --

While talking to [some.server.com] :

>>> rcpt to: user@RecipientDomain.com
<<<>: Recipient address rejected: User unknown

--- end spam ---

Users are so accustomed to worrying that they're "infected" every time they get a bounce (when in fact it's often just someone spoofing their address) that these fake spam bounces must have a huge click-through rate.

Although it's difficult to block genuine "backscatter", I have to imagine that these are relatively easy to block: all the HTML attachment contains is a refresh to their site, so any content-based scanner should pick them up pretty easily.
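To show what that content-based check looks like in practice, here is an added example (not code from the original post) that parses a message, locates HTML attachments, and reports any that carry a meta-refresh or script-based redirect. The sample message is constructed to resemble the spam quoted above; the address `spammer.invalid` and the filename `message.htm` are placeholders, not values taken from a real sample.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Attachment names the post singles out as worth extra suspicion
RISKY_SUFFIXES = (".htm", ".html")

# "0;url=http://..." inside a meta refresh content attribute
META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)
# location.href = "...", location = "...", location.replace("...") inside <script>
JS_REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href\s*=|\.replace\s*\(|\s*=)"
    r"\s*['\"]?(https?://[^'\"\s)]+)",
    re.IGNORECASE,
)


class _RedirectFinder(HTMLParser):
    """Collects redirect targets from <meta http-equiv="refresh"> tags and inline scripts."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content", ""))
            if m:
                self.urls.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text
        if self._in_script:
            self.urls.extend(JS_REDIRECT_RE.findall(data))


def redirect_targets(html_text):
    """Return every redirect URL found in a piece of HTML."""
    p = _RedirectFinder()
    p.feed(html_text)
    p.close()
    return p.urls


def scan_message(raw):
    """Return (filename, url) pairs for HTML attachments that redirect the browser."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not (name.endswith(RISKY_SUFFIXES) or part.get_content_type() == "text/html"):
            continue
        body = part.get_content()
        if isinstance(body, bytes):
            body = body.decode("utf-8", "replace")
        for url in redirect_targets(body):
            hits.append((part.get_filename() or "(unnamed)", url))
    return hits


def is_fake_bounce(raw):
    """A message that reads like a DSN but carries a redirecting HTML attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    claims_dsn = "delivery status notification" in text or "could not be delivered" in text
    return claims_dsn and bool(scan_message(raw))


def build_sample():
    """Constructed sample modelled on the quoted spam; addresses and URL are placeholders."""
    m = EmailMessage()
    m["From"] = "mailfilter@yourdomain.example"
    m["To"] = "user@domain.example"
    m["Subject"] = "Delivery Status Notification (Failure)"
    m.set_content("This is an automatically generated Delivery Status Notification\n\n"
                  "Note: Forwarded message is attached.\n")
    html = ('<html><head><meta http-equiv="refresh" '
            'content="0;url=http://spammer.invalid/landing"></head>'
            '<body>Loading...</body></html>')
    m.add_attachment(html, subtype="html", filename="message.htm")
    return m.as_bytes()


if __name__ == "__main__":
    sample = build_sample()
    print("redirects:", scan_message(sample))
    print("fake bounce:", is_fake_bounce(sample))
```

A real DSN from a mail server carries a `multipart/report` body with a `message/delivery-status` part rather than a bare `.htm` attachment, so a scanner can treat "claims to be a bounce, but attaches HTML that redirects" as a strong signal on its own without needing a list of spammer domains.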

As for the user's perspective, the old rules (slightly modified) still pertain here.

If you do not know the sender, do not open the attachment.

With these new "bounce message" spams, you can modify the above rule to:

If you did not send the email, do not open any attachments.


If you DO know the sender, and it's not a file you requested, call them to see if they actually sent it, especially if it's in one of the following formats: .exe, .pif, .zip, .rar, .bat, .pdf, .htm, .html.

Of course, these spam messages have .htm file attachments, so the above applies to them as well. Although these are a simple spam, websites can be infected and spread malware through your browser, so always exercise extreme caution when opening .htm files.



-TEA
