Archive for the 'SPAM' Category

Beware of Akbank Phishing!

Recently we have been seeing phishing mails that claim to come from Akbank.

If you receive an email like the following, simply delete it!

If you are a SurGATE customer, don't worry: SurGATE already catches this spam!

As the SurGATE Labs team, we have also pushed an additional spam signature for this phishing attack, to be on the safe side.

X-Sender-Info: <244794953@icpu1178.kundenserver.de>
Date: Mon, 05 Sep 2011 10:26:36 +0200
Message-Id: <4AgJk2-1R0UVo2CMt-00064w@icpu1178.kundenserver.de>
Precedence: bulk
To: myemail@domain.com
Subject: Hesabinizi dogrulamak
From: Akbank
 Lütfen buraya tıklayın

Facebook Phishing Scam

Facebook is the most popular social-networking web site for people as well as spammers!

SurGATE Labs is seeing attackers send mail forged from the facebook.com domain every minute. So double-check any mail that claims to come from Facebook. Here are some of the From addresses used by the spammers, as rejected by our SPF policy check:

2011-04-12 11:19:15: [56837-1302596353-962595] remote ip 203.86.153.52 rejected by spf policy (sender: help@facebook.com)
2011-04-12 11:19:15: [56855-1302596355-73646] remote ip 213.198.237.105 rejected by spf policy (sender: support@facebook.com)
2011-04-12 11:19:26: [56940-1302596364-488172] remote ip 94.96.51.203 rejected by spf policy (sender: service@facebook.com)
2011-04-12 11:19:40: [57169-1302596379-943990] remote ip 83.54.100.245 rejected by spf policy (sender: helping@facebook.com)
2011-04-12 11:19:42: [57109-1302596379-712238] remote ip 77.44.103.7 rejected by spf policy (sender: manager@facebook.com)
2011-04-12 11:19:46: [57245-1302596385-926946] remote ip 173.21.215.231 rejected by spf policy (sender: service@facebook.com)
2011-04-12 11:19:52: [57307-1302596390-803589] remote ip 67.232.199.98 rejected by spf policy (sender: account@facebook.com)
2011-04-12 11:19:56: [57366-1302596396-48382] remote ip 203.86.153.52 rejected by spf policy (sender: helping@facebook.com)
2011-04-12 11:20:05: [57586-1302596404-934744] remote ip 203.86.153.52 rejected by spf policy (sender: account@facebook.com)
2011-04-12 11:20:14: [57798-1302596414-162892] remote ip 99.130.143.118 rejected by spf policy (sender: official@facebook.com)
2011-04-12 11:20:20: [57857-1302596417-600338] remote ip 203.86.153.52 rejected by spf policy (sender: account@facebook.com)
2011-04-12 11:20:32: [58033-1302596432-571331] remote ip 109.90.66.165 rejected by spf policy (sender: help@facebook.com)
2011-04-12 11:20:40: [57983-1302596429-56932] remote ip 123.231.251.118 rejected by spf policy (sender: Nichollet@rambler.ru)
2011-04-12 11:20:48: [58244-1302596448-288612] remote ip 66.206.126.182 rejected by spf policy (sender: sign@facebook.com)
2011-04-12 11:21:02: [58337-1302596460-899499] remote ip 79.121.187.116 rejected by spf policy (sender: information@facebook.com)
2011-04-12 11:21:04: [58555-1302596464-837367] remote ip 82.222.9.122 rejected by spf policy (sender: news@facebook.com)
2011-04-12 11:21:13: [58638-1302596473-285246] remote ip 69.137.180.173 rejected by spf policy (sender: official@facebook.com)
2011-04-12 11:21:18: [58713-1302596478-538290] remote ip 90.148.247.7 rejected by spf policy (sender: cevahirshipping@superonline.com)
2011-04-12 11:21:20: [58745-1302596480-427855] remote ip 82.222.9.122 rejected by spf policy (sender: account@facebook.com)
2011-04-12 11:21:23: [58754-1302596482-269801] remote ip 125.167.29.223 rejected by spf policy (sender: service@facebook.com)
2011-04-12 11:21:28: [58855-1302596488-134822] remote ip 76.103.235.97 rejected by spf policy (sender: helping@facebook.com)
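As an added example (not SurGATE's own code), here is a small Python parser for SPF rejection lines in the gateway format shown above; it counts rejects per forged sender domain and lists hosts that forge facebook.com repeatedly. The sample input reuses five lines from the excerpt plus one constructed, non-matching line.

```python
import re
from collections import Counter, defaultdict

# Format of the gateway's SPF rejection lines as shown in the post:
# timestamp: [queue id] remote ip A.B.C.D rejected by spf policy (sender: addr)
SPF_REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): \[(?P<qid>[\d-]+)\] "
    r"remote ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) rejected by spf policy "
    r"\(sender: (?P<sender>[^)]+)\)$"
)

# Sample input: five lines taken from the post's excerpt plus one constructed
# unrelated line that a parser must skip rather than choke on.
SAMPLE_LOG = """\
2011-04-12 11:19:15: [56837-1302596353-962595] remote ip 203.86.153.52 rejected by spf policy (sender: help@facebook.com)
2011-04-12 11:19:15: [56855-1302596355-73646] remote ip 213.198.237.105 rejected by spf policy (sender: support@facebook.com)
2011-04-12 11:19:56: [57366-1302596396-48382] remote ip 203.86.153.52 rejected by spf policy (sender: helping@facebook.com)
2011-04-12 11:20:40: [57983-1302596429-56932] remote ip 123.231.251.118 rejected by spf policy (sender: Nichollet@rambler.ru)
2011-04-12 11:20:05: [57586-1302596404-934744] remote ip 203.86.153.52 rejected by spf policy (sender: account@facebook.com)
2011-04-12 11:20:06: [57590-1302596405-111111] connection from 10.0.0.5 accepted
"""

def parse_spf_rejects(text):
    """Yield (remote_ip, sender, sender_domain) for each SPF rejection line."""
    for line in text.splitlines():
        m = SPF_REJECT_RE.match(line)
        if m:   # anything else in the log is not an SPF reject; skip it
            sender = m.group("sender")
            yield m.group("ip"), sender, sender.rsplit("@", 1)[-1].lower()

def summarize(text, watched_domain="facebook.com"):
    """Count rejects per forged domain and find hosts repeatedly forging one domain."""
    per_domain = Counter()
    ips_by_domain = defaultdict(Counter)
    for ip, _sender, domain in parse_spf_rejects(text):
        per_domain[domain] += 1
        ips_by_domain[domain][ip] += 1
    watched = ips_by_domain[watched_domain]
    return {
        "rejects_per_domain": dict(per_domain),
        "watched_ips": dict(watched),
        # Same host forging the watched domain more than once: a blocklist candidate.
        "repeat_offenders": sorted(ip for ip, n in watched.items() if n > 1),
    }

if __name__ == "__main__":
    for domain, n in summarize(SAMPLE_LOG)["rejects_per_domain"].items():
        print(f"{domain}: {n} SPF rejects")
```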


“Gaddafi’s cousin” scam.

Spammers are abusing everything in the world!

The spammers' new target is “Gaddafi’s cousin”! Here is an example mail blocked by SurGATE Messaging Gateway:

From: "Ahmed Kaddaf Al-Dam" <ahmedkaddaf@eml.cc>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.22) Gecko/20090608 Thunderbird/2.0.0.22
MIME-Version: 1.0
To: "Webmaster" <core@domain.com>
Subject: [!! SPAM] CONFIDENTIAL

Greetings,

My name is Ahmed Kaddaf Al-Dam, Gaddafi’s cousin. I was a memeber of
Gaddafi’s inner cabinet until the international community began freezing
Libyan assets and of those considered to be Gaddafi’s associates. I have
lost nearly everything i have worked for all my life and now i am beign
hunted by Gaddafi’s special forces and sons who sees my defection as a
betrayal to their father.

My aim of contacting you, is to stand as a beneficiary for a multi-million
dollar stash i have overseas. I am taking this decision because it is my
last play. I have no other option but to source for a foreign silent partner
to recieive these funds. Trust is a very important issue here. Upon your
acceptance to my propsal, i will disclose the amount involved, whereabouts
and pick-up procedures of the money. Please kindly get back to me at my
private email address ahmed.kaddaf@safe-mail.net

Yours Sincerely
Ahmed Kaddaf

Below are a few links for verification
http://www.bbc.co.uk/news/world-africa-12860837
http://www.cbc.ca/news/business/story/2011/03/01/libya-cda-assets.html

The spammers are using Linux man pages in the spam to bypass Bayesian filtering

Hello,

Today, while we were testing the quarantine webmail feature in our labs, I found a mail marked as certain spam in my SurGATE quarantine mailbox.

The funny part: the spammer put the full bash man page inside an HTML div, styled to be invisible as shown below, to bypass or poison the Bayesian database.

But he could not deliver the spam to our mailbox: it was matched by our spam signature database based on the URL and some other unique patterns in the mail.

</p><p align="center"><em>YoshiBlade</em> is located at P.O Box 600991 San Diego, CA 92160.<br>
To be Removed from future YoshiBlade mailings, please Click Here!

<img src="http://SPAMURL/images/a9a4f56d217106465337951325968172954699.gif" border="0">
</body>
</html>
<div style="color:white; font-size:1%; line-height:1px">

WeNeedYourConfirmationFor1500Deposit
WeNeedYourConfirmationFor1500Deposit
WeNeedYourConfirmationFor1500Deposit

Search

Linux
HomeComputing & TechnologyLinux

SharePrint
LinuxGet StartedExplore LinuxBecome a Guru
Filed In:Linux
Linux / Unix Command: bash

Command Library
NAME

bash – GNU Bourne-Again SHell
SYNOPSIS

….
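The hidden-div trick above can be caught with a simple content check. As an added example (not SurGATE's filter), this Python snippet walks the HTML of a mail and measures how much of its text sits inside elements whose inline style makes it unreadable (tiny font-size, 1px line-height, display:none); the sample HTML is a constructed stand-in for the spam shown above.

```python
import re
from html.parser import HTMLParser
# Constructed fragment modelled on the spam in the post: a short visible footer,
# then a near-invisible div stuffed with man-page text aimed at the Bayes filter.
SAMPLE_HTML = """<html><body><p align="center"><em>Vendor</em> is located at
P.O Box 000000, Anytown.<br>To be removed from future mailings, Click Here!</p>
<div style="color:white; font-size:1%; line-height:1px">
WeNeedYourConfirmationFor1500Deposit NAME bash - GNU Bourne-Again SHell
SYNOPSIS bash [options] [file] DESCRIPTION Bash is an sh-compatible command
language interpreter that executes commands read from the standard input.
</div></body></html>"""

# Style properties that hide text: display/visibility, font-size <= 2 (any unit), line-height <= 1px.
FONT_SIZE_RE = re.compile(r"font-size\s*:\s*(\d+(?:\.\d+)?|\.\d+)", re.I)
LINE_HEIGHT_RE = re.compile(r"line-height\s*:\s*(\d+(?:\.\d+)?)\s*px", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}  # never get a closing tag
def is_hidden_style(style):
    """True if an inline style makes the element's text effectively unreadable."""
    compact = style.lower().replace(" ", "")
    if "display:none" in compact or "visibility:hidden" in compact:
        return True
    fs, lh = FONT_SIZE_RE.search(style), LINE_HEIGHT_RE.search(style)
    return bool(fs and float(fs.group(1)) <= 2) or bool(lh and float(lh.group(1)) <= 1)

class HiddenTextFinder(HTMLParser):
    """Splits the text of an HTML mail into what the reader sees and what is hidden."""
    def __init__(self):
        super().__init__()
        self.open_hidden = []   # one flag per open element: is its text hidden?
        self.hidden_chars = self.visible_chars = 0
    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            self.open_hidden.append(is_hidden_style(dict(attrs).get("style") or ""))
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.open_hidden:
            self.open_hidden.pop()
    def handle_data(self, data):
        if any(self.open_hidden):
            self.hidden_chars += len(data.strip())
        else:
            self.visible_chars += len(data.strip())

def analyze(html):
    """Return hidden/visible character counts and a Bayes-poisoning verdict."""
    p = HiddenTextFinder()
    p.feed(html); p.close()
    total = p.hidden_chars + p.visible_chars
    ratio = p.hidden_chars / total if total else 0.0
    return {"hidden_chars": p.hidden_chars, "visible_chars": p.visible_chars,
            "hidden_ratio": round(ratio, 2), "suspicious": ratio > 0.5}
```

A mail where most of the text is invisible to the reader but visible to the classifier is exactly the profile of the poisoned message quarantined above.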
