
RE: [Full-Disclosure] SpamAssasin - path disclosure



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=US-ASCII">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12">
<TITLE>RE: [Full-Disclosure] SpamAssasin - path disclosure</TITLE>
</HEAD>
<BODY>

<P><FONT SIZE=2>As previously explained, this is not SpamAssassin; this is Trend Micro InterScan VirusWall.</FONT>
</P>

<P><FONT SIZE=2><A HREF="http://www.trendmicro.com/en/products/gateway/isvw/evaluate/overview.htm" TARGET="_blank">http://www.trendmicro.com/en/products/gateway/isvw/evaluate/overview.htm</A></FONT>
</P>
<BR>

<P><FONT SIZE=2>Regards,</FONT>
<BR><FONT SIZE=2>Kane Lightowler</FONT>
</P>

<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: morning_wood [<A HREF="mailto:se_cur_ity@hotmail.com">mailto:se_cur_ity@hotmail.com</A>] </FONT>
<BR><FONT SIZE=2>Sent: Sunday, 24 August 2003 4:13 PM</FONT>
<BR><FONT SIZE=2>To: full-disclosure@lists.netsys.com</FONT>
<BR><FONT SIZE=2>Subject: [Full-Disclosure] SpamAssasin - path disclosure</FONT>
</P>
<BR>

<P><FONT SIZE=2>funny things... SpamAssassin results</FONT>
</P>

<P><FONT SIZE=2>1. spoof</FONT>
</P>

<P><FONT SIZE=2>80.179.152.112.forward.012.net.il (80.179.152.112)</FONT>
</P>

<P><FONT SIZE=2>Whois:</FONT>
</P>

<P><FONT SIZE=2>80.179.152.0 - 80.179.171.255</FONT>
<BR><FONT SIZE=2>Please Send Abuse/SPAM complaints</FONT>
<BR><FONT SIZE=2>To abuse@012.net</FONT>
<BR><FONT SIZE=2>DNS REG</FONT>
<BR><FONT SIZE=2>25 Hsivim st. Petach-Tiikva, Israel</FONT>
<BR><FONT SIZE=2>dnsreg@012.net.il</FONT>
</P>

<P><FONT SIZE=2>2. path reveal</FONT>
</P>

<P><FONT SIZE=2>The uncleanable file details.pif is moved to /etc/iscan/virus/virZNvE0n</FONT>
</P>

<P><FONT SIZE=2>-------------------------- snip -------------------------</FONT>
</P>

<P><FONT SIZE=2>Return-Path: &lt;morning_wood@exploitlabs.com&gt;</FONT>
<BR><FONT SIZE=2>Received: (qmail 2425 invoked by uid 504); 21 Aug 2003 15:03:01 -0000</FONT>
<BR><FONT SIZE=2>Received: from localhost (HELO iceman.incidents.org) (127.0.0.1)</FONT>
<BR><FONT SIZE=2>&nbsp; by 0 with SMTP; 21 Aug 2003 15:03:01 -0000</FONT>
<BR><FONT SIZE=2>Received: (qmail 2164 invoked from network); 21 Aug 2003 15:02:30 -0000</FONT>
<BR><FONT SIZE=2>Received: from 80.179.152.112.forward.012.net.il (HELO SKUNK)</FONT>
<BR><FONT SIZE=2>(80.179.152.112)</FONT>
<BR><FONT SIZE=2>&nbsp; by 0 with SMTP; 21 Aug 2003 15:02:30 -0000</FONT>
<BR><FONT SIZE=2>From: &lt;morning_wood@exploitlabs.com&gt;</FONT>
<BR><FONT SIZE=2>To: &lt;intrusions-digest-subscribe@incidents.org&gt;</FONT>
<BR><FONT SIZE=2>Date: Thu, 7 Jan 1999 14:20:55 +0200</FONT>
<BR><FONT SIZE=2>X-MailScanner: Found to be clean</FONT>
<BR><FONT SIZE=2>Importance: Normal</FONT>
<BR><FONT SIZE=2>X-Mailer: Microsoft Outlook Express 6.00.2600.0000</FONT>
<BR><FONT SIZE=2>X-MSMail-Priority: Normal</FONT>
<BR><FONT SIZE=2>X-Priority: 3 (Normal)</FONT>
<BR><FONT SIZE=2>MIME-Version: 1.0</FONT>
<BR><FONT SIZE=2>Content-Type: multipart/mixed; boundary=&quot;_NextPart_000_0E151FE1&quot;</FONT>
<BR><FONT SIZE=2>X-Spam-Status: Yes, hits=8.0 required=6.5 tests=AWL,DATE_IN_PAST_96_XX,FORGED_MUA_OUTLOOK,</FONT>
<BR><FONT SIZE=2>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; MIME_BOUND_NEXTPART,MISSING_MIMEOLE,NO_REAL_NAME,</FONT>
<BR><FONT SIZE=2>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RAZOR2_CHECK</FONT>
<BR><FONT SIZE=2>version=2.53</FONT>
<BR><FONT SIZE=2>X-Spam-Level: ********</FONT>
<BR><FONT SIZE=2>X-Spam-Checker-Version: SpamAssassin 2.53 (1.174.2.15-2003-03-30-exp)</FONT>
<BR><FONT SIZE=2>X-Spam-Report:&nbsp;&nbsp; ---- Start SpamAssassin results</FONT>
<BR><FONT SIZE=2>&nbsp; 8.00 points, 6.5 required;</FONT>
<BR><FONT SIZE=2>&nbsp; *&nbsp; 0.7 -- From: does not include a real name</FONT>
<BR><FONT SIZE=2>&nbsp; *&nbsp; 2.0 -- Listed in Razor2, see <A HREF="http://razor.sf.net/" TARGET="_blank">http://razor.sf.net/</A></FONT>
<BR><FONT SIZE=2>&nbsp; *&nbsp; 2.0 -- Date: is 96 hours or more before Received: date</FONT>
<BR><FONT SIZE=2>&nbsp; *&nbsp; 3.3 -- Forged mail pretending to be from MS Outlook</FONT>
<BR><FONT SIZE=2>&nbsp; *&nbsp; 0.5 -- Message has X-MSMail-Priority, but no X-MimeOLE</FONT>
<BR><FONT SIZE=2>&nbsp; *&nbsp; 0.4 -- Spam tool pattern in MIME boundary</FONT>
<BR><FONT SIZE=2>&nbsp; * -0.9 -- AWL: Auto-whitelist adjustment</FONT>
<BR><FONT SIZE=2>&nbsp; ---- End of SpamAssassin results</FONT>
<BR><FONT SIZE=2>X-Spam-Flag: YES</FONT>
<BR><FONT SIZE=2>Subject: *****SPAM***** Your details</FONT>
</P>

<P><FONT SIZE=2>This is a multipart message in MIME format</FONT>
</P>

<P><FONT SIZE=2>--_NextPart_000_0E151FE1</FONT>
<BR><FONT SIZE=2>Content-Type: text/plain; charset=us-ascii</FONT>
<BR><FONT SIZE=2>Content-Transfer-Encoding: 7bit</FONT>
</P>

<P><FONT SIZE=2>------------------&nbsp; Virus Warning Message (on the network)</FONT>
</P>

<P><FONT SIZE=2>Found virus WORM_SOBIG.F in file details.pif</FONT>
<BR><FONT SIZE=2>The uncleanable file details.pif is moved to /etc/iscan/virus/virZNvE0n</FONT>
</P>

<P><FONT SIZE=2>--------------------- snip ---------------------------</FONT>
</P>
<BR>

<P><FONT SIZE=2>Donnie Werner</FONT>
<BR><FONT SIZE=2><A HREF="http://e2-labs.com" TARGET="_blank">http://e2-labs.com</A> </FONT>
</P>
<BR>
<BR>


</BODY>
</HTML>
