
DHL


Stephen Wolstenholme

May 24, 2012, 9:17:51 AM
I have just started to get lots of tracking notifications from DHL.
I'm not expecting anything and the tracking references vary a lot so I
assume it's some sort of spam.

Anyone else seen this?

Steve

--
Neural Network Software. http://www.npsl1.com
EasyNN-plus. Neural Networks plus. http://www.easynn.com
SwingNN. Forecast with Neural Networks. http://www.swingnn.com
JustNN. Just Neural Networks. http://www.justnn.com

Tony

May 24, 2012, 9:46:53 AM
Stephen Wolstenholme <st...@npsl1.com> wrote on Thu, 24 May 2012 at
14:17:51:
>I have just started to get lots of tracking notifications from DHL.
>I'm not expecting anything and the tracking references vary a lot so I
>assume it's some sort of spam.
>
>Anyone else seen this?

Lots. Listed at VirusTotal as containing malware.

--
Tony

rothers

May 24, 2012, 9:48:07 AM
On Thu, 24 May 2012 14:17:51 +0100, Stephen Wolstenholme <st...@npsl1.com>
wrote:

>I have just started to get lots of tracking notifications from DHL.
>I'm not expecting anything and the tracking references vary a lot so I
>assume it's some sort of spam.
>
>Anyone else seen this?
>
>Steve

It's been around for ages, extract and run the attached .zip if you want some
fun :)

Andy

May 24, 2012, 9:43:51 AM
In message <m0dsr759kjces9dh9...@4ax.com>, Stephen
Wolstenholme <st...@npsl1.com> wrote
>I have just started to get lots of tracking notifications from DHL.
>I'm not expecting anything and the tracking references vary a lot so I
>assume it's some sort of spam.
>
>Anyone else seen this?
>
Oodles :(

It started maybe a week ago. I wonder if Demon have terminated the
spam-suppressing contract on their old mail server?

Elsewhere it is reported that the attachment is malware.
--
Andy Taylor [Editor, Austrian Philatelic Society].
Visit <URL:http://www.austrianphilately.com>

Stephen Wolstenholme

May 24, 2012, 11:18:25 AM
On Thu, 24 May 2012 14:43:51 +0100, Andy <an...@kitzbuhel.demon.co.uk>
wrote:

>In message <m0dsr759kjces9dh9...@4ax.com>, Stephen
>Wolstenholme <st...@npsl1.com> wrote
>>I have just started to get lots of tracking notifications from DHL.
>>I'm not expecting anything and the tracking references vary a lot so I
>>assume it's some sort of spam.
>>
>>Anyone else seen this?
>>
>Oodles :(
>
>It started maybe a week ago. I wonder if Demon have terminated the
>spam-suppressing contract on their old mail server?
>
>Elsewhere it is reported that the attachment is malware.

Since my first message I have found out from DHL that they have been
aware of the problem since 2010. They have nothing to do with it.

Demon must have been catching all this DHL stuff as I've never seen it
before. Something has changed.

Stephen Wolstenholme

May 24, 2012, 11:20:08 AM
On Thu, 24 May 2012 14:48:07 +0100, rothers <ne...@whoknowswhere.com>
wrote:
No chance.

Jim Tavendale

May 24, 2012, 11:47:52 AM
On Thu, 24 May 2012 14:17:51 +0100, Stephen Wolstenholme
<st...@npsl1.com> broadcast:

>I have just started to get lots of tracking notifications from DHL.
>I'm not expecting anything and the tracking references vary a lot so I
>assume it's some sort of spam.
>
>Anyone else seen this?
>

Yes.

DHL is aware and issued this warning.

http://www.dhl.co.uk/en/express/resource_centre/fraud_alert/virus_alert.html

Regards,
Jim Tavendale

John Hall

May 24, 2012, 1:45:58 PM
In article <m0dsr759kjces9dh9...@4ax.com>,
Stephen Wolstenholme <st...@npsl1.com> writes:
>I have just started to get lots of tracking notifications from DHL.
>I'm not expecting anything and the tracking references vary a lot so I
>assume it's some sort of spam.
>
>Anyone else seen this?
>
>Steve
>

I've been getting them for several weeks. Most of them get taken out by
my own spam filtering, but a few get through.

It's a fair assumption that anything that you weren't expecting that
contains an attachment is best binned.
--
John Hall
Johnson: "Well, we had a good talk."
Boswell: "Yes, Sir, you tossed and gored several persons."
Dr Samuel Johnson (1709-84); James Boswell (1740-95)

Martin Brown

May 24, 2012, 4:36:54 PM
On 24/05/2012 16:47, Jim Tavendale wrote:
> On Thu, 24 May 2012 14:17:51 +0100, Stephen Wolstenholme
> <st...@npsl1.com> broadcast:
>
>> I have just started to get lots of tracking notifications from DHL.
>> I'm not expecting anything and the tracking references vary a lot so I
>> assume it's some sort of spam.
>>
>> Anyone else seen this?
>>
>
> Yes.

Almost everybody and not just Demon users.

> DHL is aware and issued this warning.
>
> http://www.dhl.co.uk/en/express/resource_centre/fraud_alert/virus_alert.html
>
> Regards,
> Jim Tavendale

I haven't seen any examples yet, but I am told that there is a Fedex
variant floating about today as well. Demon's filters are also letting a
fair proportion of Big8 stuff through today as well.
(.hinet.net .hk .tw .cn)

Have they forgotten to pay this month's subscription or something?

--
Regards,
Martin Brown

Ian Jackson

May 24, 2012, 5:11:44 PM
In message <HZwvr.37402$Gm4....@newsfe01.iad>, Martin Brown
<|||newspam|||@nezumi.demon.co.uk> writes
Every day, I get several DHLs, plus loads more from extremely devout,
God-fearing people with very white Anglo-Saxon names, offering to give
me millions of pounds or US dollars if only I will allow them to let
their money rest for a while in my bank account.
--
Ian

Martin Brown

May 25, 2012, 2:58:48 AM
I have seen the odd one or two before, but yesterday something changed
and I got best part of a hundred in a few hours and same for Chinese
Big8 spam (and Halifax for good measure). The filters do seem to have
been adjusted and it is now down to a trickle again.

I did get a rather funny one from a genuine but spamming Chinese
manufacturer which included the following priceless phrase " We are
factory and product Hardware Plastic PTFE Copper Garment etc etc.". I am
tempted to order an ISO9001 suit in PTFE with a copper waistcoat.

Whilst I can believe that there is some natural variation in targeting
it seems more than just coincidence. A very long list of TP msgids was
treated to this wonder dross yesterday and they all got through. In fact
they all got two independently sent copies of the same msgs. The DHL
spam was also bypassing BT filters yesterday too or so I am told.

--
Regards,
Martin Brown

J. P. Gilliver (John)

May 25, 2012, 3:49:00 AM
In message <ecksr7p9a2t89p8uu...@4ax.com>, Stephen
Wolstenholme <st...@npsl1.com> writes:
>On Thu, 24 May 2012 14:48:07 +0100, rothers <ne...@whoknowswhere.com>
>wrote:
>
>>On Thu, 24 May 2012 14:17:51 +0100, Stephen Wolstenholme <st...@npsl1.com>
>>wrote:
>>
>>>I have just started to get lots of tracking notifications from DHL.
>>>I'm not expecting anything and the tracking references vary a lot so I
>>>assume it's some sort of spam.
>>>
>>>Anyone else seen this?
>>>
>>>Steve
>>
>>It's been around for ages, extract and run the attached .zip if you want some
>>fun :)
>
>No chance.
>
>Steve
>
My attitude too, but out of interest, what does it do?
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

Experience is the comb life gives you after you lose your hair. -Judith Stearn

John Hall

May 25, 2012, 2:33:56 PM
In article <m83RLLEQ...@g3ohx.demon.co.uk>,
Ian Jackson <ianREMOVET...@g3ohx.demon.co.uk> writes:
>Every day, I get several DHLs, plus loads more from extremely
>devout, God-fearing people with very white Anglo-Saxon names,
>offering to give me millions of pounds or US dollars if only I will
>allow them to let their money rest for a while in my bank account.

As well as those, I recently had one purporting to come from Colonel
Gadaffi's widow. And only today I've received one supposedly "FROM
ROBERT MUELLER III (CODE..2301..FBI)
EXECUTIVE DIRECTOR FBI FEDERAL BUREAU
OF INVESTIGATION FBI.WASHINGTON DC." As you can see, I mix with a better
class of phisher. :)

Ian Jackson

May 25, 2012, 3:11:05 PM
In message <NujKfIDU...@jhall.demon.co.uk.invalid>, John Hall
<nospam...@jhall.co.uk> writes
>In article <m83RLLEQ...@g3ohx.demon.co.uk>,
> Ian Jackson <ianREMOVET...@g3ohx.demon.co.uk> writes:
>>Every day, I get several DHLs, plus loads more from extremely
>>devout, God-fearing people with very white Anglo-Saxon names,
>>offering to give me millions of pounds or US dollars if only I will
>>allow them to let their money rest for a while in my bank account.
>
>As well as those, I recently had one purporting to come from Colonel
>Gadaffi's widow. And only today I've received one supposedly "FROM
>ROBERT MUELLER III (CODE..2301..FBI)
>EXECUTIVE DIRECTOR FBI FEDERAL BUREAU
>OF INVESTIGATION FBI.WASHINGTON DC." As you can see, I mix with a better
>class of phisher. :)

I've never had one from Colonel Gadaffi's widow (wow!), but I'm pretty
sure I regularly get the other one (or similar). I have to admit that I
don't really bother to read them properly.

A lot of these phishing mails are getting totally brazen about the
information they want me to supply. The lists of personal details
required seem to be getting longer and longer, and more... um......
detailed. I'm sure that, one day, they'll be asking me for my shoe size
and my inside leg measurement.
--
Ian

Bruce Goatly

May 25, 2012, 5:22:25 PM
Ian Jackson wrote:

> A lot of these phishing mails are getting totally brazen about the
> information they want me to supply. The lists of personal details
> required seem to be getting longer and longer, and more... um......
> detailed. I'm sure that, one day, they'll be asking me for my shoe size
> and my inside leg measurement.

Out of interest, what are they?

--
Bruce [waiting, pen poised]


Ian Jackson

May 25, 2012, 5:29:52 PM
In message <qKSvr.96187$8q1....@fx29.am4>, Bruce Goatly
<s...@goatly.co.uk> writes
12 and 40". Want to make something of it?
--
Ian

Bruce Goatly

May 25, 2012, 8:37:51 PM
Would a nice shoe 'n' trouser combo suit you, sir?

--
Bruce


Andy

May 25, 2012, 3:37:28 PM
In message <NujKfIDU...@jhall.demon.co.uk.invalid>, John Hall
<nospam...@jhall.co.uk> wrote
>In article <m83RLLEQ...@g3ohx.demon.co.uk>,
> Ian Jackson <ianREMOVET...@g3ohx.demon.co.uk> writes:
>>Every day, I get several DHLs, plus loads more from extremely
>>devout, God-fearing people with very white Anglo-Saxon names,
>>offering to give me millions of pounds or US dollars if only I will
>>allow them to let their money rest for a while in my bank account.
>
>As well as those, I recently had one purporting to come from Colonel
>Gadaffi's widow. And only today I've received one supposedly "FROM
>ROBERT MUELLER III (CODE..2301..FBI)
>EXECUTIVE DIRECTOR FBI FEDERAL BUREAU
>OF INVESTIGATION FBI.WASHINGTON DC." As you can see, I mix with a better
>class of phisher. :)

Huh. I am emailed weekly by Ban Ki-Moon.

Andy

May 25, 2012, 3:38:10 PM
In message <j4hQqKLJ...@g3ohx.demon.co.uk>, Ian Jackson
<ianREMOVET...@g3ohx.demon.co.uk> wrote
[]
> I'm sure that, one day, they'll be asking me for my shoe size and my
>inside leg measurement.

Careful you don't mix them up...

Dr J R Stockton

May 26, 2012, 3:39:20 PM
In demon.service message <NujKfIDU...@jhall.demon.co.uk.invalid>,
Fri, 25 May 2012 19:33:56, John Hall <nospam...@jhall.co.uk> posted:

>In article <m83RLLEQ...@g3ohx.demon.co.uk>,
> Ian Jackson <ianREMOVET...@g3ohx.demon.co.uk> writes:
>>Every day, I get several DHLs, plus loads more from extremely
>>devout, God-fearing people with very white Anglo-Saxon names,
>>offering to give me millions of pounds or US dollars if only I will
>>allow them to let their money rest for a while in my bank account.
>
>As well as those, I recently had one purporting to come from Colonel
>Gadaffi's widow. And only today I've received one supposedly "FROM
>ROBERT MUELLER III (CODE..2301..FBI)
>EXECUTIVE DIRECTOR FBI FEDERAL BUREAU
>OF INVESTIGATION FBI.WASHINGTON DC." As you can see, I mix with a better
>class of phisher. :)


I think I can trump you with a Koffi Annan - who must have a bouncy "f"
key. But perhaps not with my George Osborne.

Readers of Larry Niven might be amused by the maiden name of Mueller's
mother.

--
(c) John Stockton, nr London, UK. ?@merlyn.demon.co.uk Turnpike v6.05.
Website <http://www.merlyn.demon.co.uk/> - w. FAQish topics, links, acronyms
PAS EXE etc. : <http://www.merlyn.demon.co.uk/programs/> - see in 00index.htm
Dates - miscdate.htm estrdate.htm js-dates.htm pas-time.htm critdate.htm etc.

Martin Brown

May 27, 2012, 6:05:48 AM
On 24/05/2012 22:11, Ian Jackson wrote:
> In message <HZwvr.37402$Gm4....@newsfe01.iad>, Martin Brown
> <|||newspam|||@nezumi.demon.co.uk> writes

>> I haven't seen any examples yet, but I am told that there is a Fedex
>> variant floating about today as well. Demon's filters are also letting
>> a fair proportion of Big8 stuff through today as well.
>> (.hinet.net .hk .tw .cn)
>>
>> Have they forgotten to pay this month's subscription or something?
>>
> Every day, I get several DHLs, plus loads more from extremely devout,
> God-fearing people with very white Anglo-Saxon names, offering to give
> me millions of pounds or US dollars if only I will allow them to let
> their money rest for a while in my bank account.

I get them too, but not in sufficient quantity to be annoying.

At the moment the only thing getting through in annoying quantities to
me is Big5 spam in Chinese base64 encoding (30 last night). They all
have one thing in common which appears to prevent Demon's antispam from
working (msg content is short and in most cases identical). There are
two "From: " headers; one of them always claims to be 3 random letters
and the other many more random letters. Sample header attached.

From - Sun May 27 05:06:47 2012
X-Account-Key: account4
X-UIDL: 1SYUbE-2qFknw-07-EVv
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:

Return-Path: <thic...@thickcash.com>
Received: from punt3.mail.demon.net by mailstore
    for m......@nezumi.demon.co.uk id 1SYUbE-2qFknw-07-EVv;
    Sun, 27 May 2012 03:57:00 +0000
Received: from [194.217.242.106] (lhlo=anchor-hub.mail.demon.net)
    by punt3.mail.demon.net with lmtp id 1SYUbE-2qFknw-07
    for m......@nezumi.demon.co.uk; Sun, 27 May 2012 03:57:00 +0000
Received: from [216.177.153.5] (helo=ozzie.simplecom.net)
    by anchor-hub.mail.demon.net with esmtp id 1SYUbD-0001fV-Rl
    for m......@nezumi.demon.co.uk; Sun, 27 May 2012 03:57:00 +0000
Received: from f-225224966f204 (122-118-182-28.dynamic.hinet.net
    [122.118.182.28])
    (authenticated bits=0)
    by ozzie.simplecom.net (8.13.8/8.13.8) with ESMTP id q4R1PbQB012305;
    Sat, 26 May 2012 20:26:41 -0500
Message-Id: <201205270126....@ozzie.simplecom.net>
From: "fpxatbivscqy" <tw-edm...@yahoo-inc.com>
From: "kgb" <nor...@email.yahoo-inc.com>
To: peace....@msa.hinet.net
Subject: =?BIG5?B?qGukSLPMt1Gtbqq6saGkSLhgIMKnqqsgpf7AXaRVsf6ku6fpISE=?=
Date: Sun, 27 May 2012 09:26:46 +0800
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Content-Type: text/html;
    charset="Big5"
Content-Transfer-Encoding: base64
X-Priority: 1
X-MSMail-Priority: Highest
X-Mailer: Microsoft Outlook Express 6.00.3790.0
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-CNFS-Analysis: v=1.0 c=1 a=h4BhjouQ5y0A:10 a=Hypp6HKwPKgA:10
    a=jPJDawAOAc8A:10 a=yzEQj7oRC6AA:10 a=CYtdG_-2rjoA:10 a=K2vTPFBP1oAA:10
    a=CjxXgO3LAAAA:8 a=Id8GVSMAAAAA:8 a=EoKvt9gEt5c-bsjGNmwA:9 a=4VmKGKSqCdEA:10

Whilst they are easily filtered against it seems to me that they
*should* be easy prey for a signature matching antispam filter.
(I am killing on received for m...... header at present)

--
Regards,
Martin Brown
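
The duplicate "From:" trait described in the post above lends itself to a simple header check. The following is an added example, not part of the original thread: it flags RFC 5322 header fields that appear more than once, plus the Big5 subject and base64 HTML body traits the post mentions. The sample message, its example.* addresses and the expected_charsets default are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# RFC 5322 section 3.6: each of these fields may appear at most once.
SINGLETON_FIELDS = ("Date", "From", "Sender", "Reply-To", "To", "Cc", "Bcc",
                    "Message-ID", "In-Reply-To", "References", "Subject")

# RFC 2047 encoded-word, capturing only the declared charset.
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?[bBqQ]\?[^?\s]*\?=")

# Constructed sample shaped like the header in the post (placeholder addresses).
SAMPLE = (
    "Return-Path: <bounce@example.invalid>\n"
    "Received: from host-1 (dyn-203-0-113-28.example.net [203.0.113.28])\n"
    "\tby relay.example.net with ESMTP id q4R1; Sat, 26 May 2012 20:26:41 -0500\n"
    'From: "fpxatbivscqy" <a@example.invalid>\n'
    'From: "kgb" <b@example.invalid>\n'
    "To: someone@example.org\n"
    "Subject: =?BIG5?B?pEGmbg==?=\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/html;\n\tcharset="Big5"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "PGh0bWw+PC9odG1sPg==\n"
)


def duplicate_singletons(msg):
    """Return {field: count} for at-most-once fields that occur repeatedly."""
    dups = {}
    for name in SINGLETON_FIELDS:
        count = len(msg.get_all(name, []))
        if count > 1:
            dups[name] = count
    return dups


def header_findings(raw, expected_charsets=("us-ascii", "utf-8", "iso-8859-1")):
    """Return a list of findings for one raw message (headers + body)."""
    msg = message_from_string(raw)
    findings = [f"duplicate-{name.lower()}:{n}"
                for name, n in duplicate_singletons(msg).items()]

    # Two From lines naming different mailboxes: clients may show either one.
    addrs = {a.lower() for _, a in getaddresses(msg.get_all("From", [])) if a}
    if len(addrs) > 1:
        findings.append("conflicting-from-addresses")

    # Subject charset outside what this mailbox normally receives (assumption).
    subject = " ".join(msg.get_all("Subject", []))
    for cs in sorted({c.lower() for c in ENCODED_WORD.findall(subject)}):
        if cs not in expected_charsets:
            findings.append(f"unexpected-subject-charset:{cs}")

    # HTML-only body hidden behind base64, so plain keyword rules never see it.
    cte = msg.get("Content-Transfer-Encoding", "").strip().lower()
    if msg.get_content_type() == "text/html" and cte == "base64":
        findings.append("base64-html-body")
    return findings


if __name__ == "__main__":
    print(header_findings(SAMPLE))
```

The duplicate-field finding is the strongest of these, since a compliant sender never emits two From lines; the charset and base64 findings are weaker and depend on what mail a given mailbox normally receives.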

David Gibson

May 28, 2012, 3:33:11 PM
In article "DHL" in <demon.service>, on Sat, 26 May 2012
Dr J R Stockton <repl...@merlyn.demon.co.uk.not.invalid> writes

>Readers of Larry Niven might be amused by the maiden name of Mueller's
>mother.

Not "amused", as such, but certainly recognised it :-)

--
David Gibson
Spam-cloaked message: The Reply-to address
will be valid for a short while

is_len_in?

May 30, 2012, 7:00:03 AM
to st...@npsl1.com
On Thursday, May 24, 2012 2:17:51 PM UTC+1, Stephen Wolstenholme wrote:
> I have just started to get lots of tracking notifications from DHL.
> I'm not expecting anything and the tracking references vary a lot so I
> assume it's some sort of spam.
>
> Anyone else seen this?
>
> Steve
>
I did. Then it stopped. It's just started again in the last hour or two.
Rob

Martin Brown

May 30, 2012, 8:04:51 AM
On 24/05/2012 18:45, John Hall wrote:
> In article<m0dsr759kjces9dh9...@4ax.com>,
> Stephen Wolstenholme<st...@npsl1.com> writes:
>> I have just started to get lots of tracking notifications from DHL.
>> I'm not expecting anything and the tracking references vary a lot so I
>> assume it's some sort of spam.
>>
>> Anyone else seen this?
>>
>> Steve
>>
>
> I've been getting them for several weeks. Most of them get taken out by
> my own spam filtering, but a few get through.
>
> It's a fair assumption that anything that you weren't expecting that
> contains an attachment is best binned.

They seem to have mutated again and are now getting past Demon's filters
in vast numbers as of 1300 BST today.

--
Regards,
Martin Brown

Adrian

May 30, 2012, 2:00:40 PM
In message <bbe5d2a0-79e3-4de6...@googlegroups.com>,
is_len_in? <jacobr...@gmail.com> writes
I've just had a deluge of them. The strange thing is, that they've
almost all been sent to old Demon Mids, which in recent years have seen
very little use.


Adrian
--
To Reply :
replace "bulleid" with "adrian" - all mail to bulleid is rejected
Sorry for the rigmarole, If I want spam, I'll go to the shops
Every time someone says "I don't believe in trolls", another one dies.

pe...@nospam.demon.co.uk

May 30, 2012, 4:10:23 PM
In article <bbe5d2a0-79e3-4de6...@googlegroups.com>
I just had one (not to a Demon mail address) which AVG kindly
quarantined; a 150K+ attachment containing a known trojan whose name
I've already forgotten.

As always with such emails, beware!

Pete
--
Believe those who are seeking the truth.
Doubt those who find it. - André Gide

Ian Jackson

May 30, 2012, 5:10:17 PM
In message <133840...@nospam.demon.co.uk>, pe...@nospam.demon.co.uk
writes
>In article <bbe5d2a0-79e3-4de6...@googlegroups.com>
> jacobr...@gmail.com "is_len_in?" writes:
>
>> On Thursday, May 24, 2012 2:17:51 PM UTC+1, Stephen Wolstenholme wrote:
>> > I have just started to get lots of tracking notifications from DHL.
>> > I'm not expecting anything and the tracking references vary a lot so I
>> > assume it's some sort of spam.
>> >
>> > Anyone else seen this?
>> >
>> > Steve
>> >
>> I did. Then it stopped. It's just started again in the last hour or two.
>> Rob
>
>I just had one (not to a Demon mail address) which AVG kindly
>quarantined; a 150K+ attachment containing a known trojan whose name
>I've already forgotten.
>
>As always with such emails, beware!
>
My AV says it is Win32/Spy.Zbot.YW trojan.
--
Ian

Martin Brown

May 31, 2012, 4:46:48 AM
On 30/05/2012 21:10, pe...@nospam.demon.co.uk wrote:
> In article<bbe5d2a0-79e3-4de6...@googlegroups.com>
> jacobr...@gmail.com "is_len_in?" writes:
>
>> On Thursday, May 24, 2012 2:17:51 PM UTC+1, Stephen Wolstenholme wrote:
>>> I have just started to get lots of tracking notifications from DHL.
>>> I'm not expecting anything and the tracking references vary a lot so I
>>> assume it's some sort of spam.
>>>
>>> Anyone else seen this?
>>>
>>> Steve
>>>
>> I did. Then it stopped. It's just started again in the last hour or two.
>> Rob
>
> I just had one (not to a Demon mail address) which AVG kindly
> quarantined; a 150K+ attachment containing a known trojan whose name
> I've already forgotten.
>
> As always with such emails, beware!

It has just transmuted into a variant from "Booking.com" there may be
others in the wild now - it is clearly evolving and doing it fast enough
to keep on beating the external border filters :(


--
Regards,
Martin Brown

Andy

May 31, 2012, 7:04:46 AM
In message <XdGxr.1229$Xe4....@newsfe17.iad>, Martin Brown
<|||newspam|||@nezumi.demon.co.uk> wrote
[]
>It has just transmuted into a variant from "Booking.com" there may be
>others in the wild now - it is clearly evolving and doing it fast
>enough to keep on beating the external border filters :(
>
>
I'm suspicious of "toprooms" who purport to offer cheap accommodation.

Martin Brown

May 31, 2012, 8:01:55 AM
On 31/05/2012 12:04, Andy wrote:
> In message <XdGxr.1229$Xe4....@newsfe17.iad>, Martin Brown
> <|||newspam|||@nezumi.demon.co.uk> wrote
> []
>> It has just transmuted into a variant from "Booking.com" there may be
>> others in the wild now - it is clearly evolving and doing it fast
>> enough to keep on beating the external border filters :(
>>
>>
> I'm suspicious of "toprooms" who purport to offer cheap accommodation.

I feed any online retailer I don't trust (ie all of them) a uniquely
tagged email address and keep all vendors' emails separately. I have so
far only had two such tags leak out into the wild and one of them was
because the retailer's own website was hacked and email data exposed.

Some of the online bookings sites can have real bargains...

--
Regards,
Martin Brown

Peter Ceresole

Jun 1, 2012, 6:20:50 AM
Martin Brown <|||newspam|||@nezumi.demon.co.uk> wrote:

> It has just transmuted into a variant from "Booking.com"

Yup. Got four of those yesterday, for the first time.
--
Peter

Tony

Jun 1, 2012, 10:03:42 AM
Martin Brown <|||newspam|||@nezumi.demon.co.uk> wrote on Thu, 31 May
2012 at 09:46:48:
>It has just transmuted into a variant from "Booking.com" there may be
>others in the wild now - it is clearly evolving and doing it fast
>enough to keep on beating the external border filters :(

Now blogged by Sophos:

<http://nakedsecurity.sophos.com/2012/05/31/hotel-booking-confirmation-emails-aim-to-infect-your-computer-watch-out/>
--
Tony

Tony

Jun 11, 2012, 9:19:09 AM
It looks like we should all be expecting more DHL deliveries, according
to the Sophos blog again
<http://nakedsecurity.sophos.com/2012/06/11/dhl-international-delivery-email-beware-widespread-malware-attack/>.
--
Tony