[121038] in North American Network Operators' Group


Re: New SPAM DOS

daemon@ATHENA.MIT.EDU (sthaug@nethelp.no)
Fri Jan 8 14:40:44 2010

Date: Fri, 08 Jan 2010 20:39:54 +0100 (CET)
To: owen@delong.com
From: sthaug@nethelp.no
In-Reply-To: <DD6D1B90-4DC8-4837-8AA2-ADAC0721E2AC@delong.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> I host scvrs.org on one of my servers, and, it does not have any outlook or owa
> services.  For some reason, someone decided to try and send this message
> out to various internet recipients:
...
> Anyone seen this before?  Any good techniques for combatting it?

If you look more closely at the messages I believe you'll find that
they are multipart/alternative, and that the second part gives a
slightly modified version of the owa URL. For instance, for my own
nethelp.no domain the first part of the message says

http://nethelp.no/owa/...

but the second part specifies URLs like

http://nethelp.no.ujjikx.co.im/owa/...
http://nethelp.no.ujjiks.net.im/owa/...
http://nethelp.no.ikuu8w.com/owa/...
http://nethelp.no.ikuu8e.net/owa/...

This is a very old trick, seen lots of times in connection with
phishing sites, for instance.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
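
The mismatch described in the message above can be checked mechanically. This is an added example, not part of the original post: a Python sketch that compares the hostnames in the text/plain and text/html parts of a multipart/alternative message and flags HTML-only hosts that carry a plain-part host as a leading label sequence. The sample message, its domains and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample (not from the thread); all domains are placeholders.
SAMPLE = """\
From: helpdesk@example.org
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Update your settings: http://example.org/owa/update
--b1
Content-Type: text/html

<a href="http://example.org.lookalike.invalid/owa/update">http://example.org/owa/update</a>
--b1--
"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)

def hosts_by_part(raw):
    """Map each text part's content type to the set of URL hostnames in it."""
    out = {}
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue  # skips the multipart container itself
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        hosts = {urlsplit(u).hostname for u in URL_RE.findall(body)}
        out.setdefault(part.get_content_type(), set()).update(h for h in hosts if h)
    return out

def mismatched_hosts(raw):
    """List (html_only_host, [plain hosts it embeds as a prefix]) pairs."""
    parts = hosts_by_part(raw)
    plain, html = parts.get("text/plain", set()), parts.get("text/html", set())
    return [(h, sorted(p for p in plain if h.startswith(p + ".")))
            for h in sorted(html - plain)]

if __name__ == "__main__":
    for host, embedded in mismatched_hosts(SAMPLE):
        print(f"HTML-only host {host} embeds plain-part host(s): {embedded}")
```

A non-empty second element is the strong signal: the HTML link points at a different registered domain whose leftmost labels spell out the host shown in the plain part.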

