Poorly Crafted Fake CNN News Updates
Amateurs....
As I was going through one of our spamtraps a few minutes ago I saw a brand new message come in which claimed to be a CNN News Update. This was especially interesting to me because none of our spamtraps subscribe to any updates from CNN (or any other news organization for that matter).

So I started to do a little digging....
Below are the (somewhat elided) headers:
Received: from unknown [219.87.137.170] (EHLO mail.tfmi.com.tw) by
XXXXXXXXXXXXX (XXXXXXXXXX) over TLS secured channel with ESMTP
id XXXXXXXXXXXXXXXXXXXXXXXXXX (envelope-from
<news@cnn.com>); Wed, 28 May 2008 11:32:13 -0600 (MDT)
Received: from User (dsl-KK-static-static-237.201.95.61.airtelbroadband.in
[61.95.201.237] (may be forged)) (authenticated bits=0) by mail.tfmi.com.tw
(8.12.5/8.12.8) with ESMTP id m4SHTkxC005178; Thu, 29 May 2008 01:29:49 +0800
If you are not sure how to read email message headers, here is basically how this message breaks down: It originated from a static DSL customer in India (dsl-KK-static-static-237.201.95.61.airtelbroadband.in) and routed through Taiwan (mail.tfmi.com.tw), then sent to our spamtrap.
Whoever is sending these spam messages either doesn't know what they are doing or is testing the waters for an upcoming spam/malware run. Here's why:
When I opened this message in an email client, the HTML within the message never attempted to render. Why? Because the content type of the message was set in the message header as plain text. This means that the email client should not attempt to render the HTML (show it as it would appear on a web page) but should instead display the raw HTML text to the user. Only the truly geeky, like me, would take the time to actually analyze this gibberish.
Also, every link within the email (including the help text at the bottom of the message, which is supposed to link to the CNN web site) pointed to a web site hosted in Italy. Here is an example taken directly from the email:
For assistance, go to <a href="hxxp://www.colectionarul.com/existenz1.html">CNN web page</a> and choose the "Help" link on any page.<br> If you do not want to recive any more news from CNN <a href="hxxp://www.colectionarul.com/existenz1.html">click here</a>!</span></font> <font color="#808080" face="Arial"></font></p>
There doesn't appear to be anything malicious on the page being linked to at colectionarul.com (at least right now). That leads me to believe one of two things: either someone who didn't know what they were doing sent out a horribly broken spam message, or someone was doing a test run and this was a prelude to more current-event-based social engineering tactics, similar to what started the huge Storm Worm outbreaks in January 2007.
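As an added example (not part of the original post), here is a short Python script that walks the Received chain origin-first and checks the two tells described above: HTML sitting inside a message declared as text/plain, and links that point somewhere other than the claimed sender's domain. The sample message is constructed from the headers and the link quoted in the post; the "XXXX" values and the defanged "hxxp" scheme are kept as the post shows them.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message assembled from the headers and the link quoted in the
# post; the "XXXX" values stand in for the details the post elides.
RAW_MESSAGE = """\
Received: from unknown [219.87.137.170] (EHLO mail.tfmi.com.tw) by
 XXXXXXXXXXXXX (XXXXXXXXXX) over TLS secured channel with ESMTP
 id XXXXXXXXXXXXXXXXXXXXXXXXXX (envelope-from
 <news@cnn.com>); Wed, 28 May 2008 11:32:13 -0600 (MDT)
Received: from User (dsl-KK-static-static-237.201.95.61.airtelbroadband.in
 [61.95.201.237] (may be forged)) (authenticated bits=0) by mail.tfmi.com.tw
 (8.12.5/8.12.8) with ESMTP id m4SHTkxC005178; Thu, 29 May 2008 01:29:49 +0800
From: CNN Alerts <news@cnn.com>
Subject: CNN News Update
Content-Type: text/plain

For assistance, go to <a href="hxxp://www.colectionarul.com/existenz1.html">CNN web page</a>
and choose the "Help" link on any page.<br>
"""

IP = r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"


def parse_received(value):
    """Pull the claimed HELO name, reverse-DNS name, IP and receiving host out of one Received header."""
    v = re.sub(r"\s+", " ", value)  # unfold continuation lines
    return {
        "claimed": re.search(r"from (\S+)", v).group(1),
        "rdns": re.search(r"([\w.-]+) " + IP, v).group(1),  # token just before the [ip]
        "ip": re.search(IP, v).group(1),
        "by": re.search(r" by (\S+)", v).group(1),
        "forged": "forged" in v,  # the MTA could not confirm the reverse DNS
    }


def analyse(raw):
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])
    # Each hop prepends its own Received header, so reversing gives origin first.
    hops = [parse_received(h) for h in reversed(received)]
    env = re.search(r"envelope-from\s*<([^>]+)>", " ".join(received))
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    body = msg.get_payload()
    # "hxxp" is the post's defanged spelling; accept it alongside http(s).
    link_hosts = {h.lower() for h in re.findall(r'href="(?:hxxp|http)s?://([^/"]+)', body)}
    return {
        "hops": hops,
        "envelope_from": env.group(1) if env else None,
        "content_type": msg.get_content_type(),
        "html_in_plain_text": msg.get_content_type() == "text/plain" and "<a " in body.lower(),
        "link_hosts": link_hosts,
        "offsite_links": {h for h in link_hosts if not h.endswith(sender_domain)},
    }
```

Running `analyse(RAW_MESSAGE)` reports the Indian DSL host as the first hop (flagged "may be forged"), the Taiwanese relay as the second, and flags both the HTML-in-plain-text mismatch and the link pointing away from cnn.com.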
Categories: Spam
Comments
Re: Poorly Crafted Fake CNN News Updates
I think that someone must be practicing...
Today's small flood of fake-CNN spam is much 'better' in the sense that the HTML does render and the links all point to the CNN site. What are the odds that there's an image in there somewhere that's helping someone to build a mailing list, in preparation for a big spam blast? Either that, or an attempt to tick-off CNN?
Posted by Jen on August 4, 2008 at 6:07 PM
