spam source:
dritz@glimmer:~% whois -h whois.cymru.com 81.6.6.140 ; date
AS | IP | AS Name
1836 | 81.6.6.140 | TIC green.ch The Internet Company Autonomous System
Tue Jan 13 02:15:48 UTC 2009
============================================================================
[ SpamCop V2 ]
This message is brief for your comfort. Please use links below for details.
User-targeted report, see notes, if any.
http://www.spamcop.net/w3m?i=z3783921396z4b001cb138c077f7a186e8be424e4ac8z
81.6.6.140 is open proxy, see: http://www.spamcop.net/mky-proxies.html
[ Comments from recipient regarding 81.6.6.140 ]
> dritz@glimmer:~% blq -ant 81.6.6.140 ; date
> 81.6.6.140 : cbl.abuseat.org : BLOCKED (127.0.0.2)
> Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=81.6.6.140
> => This is identified as the Cutwail spambot
> 81.6.6.140 : zen.spamhaus.org : BLOCKED (127.0.0.4)
> http://www.spamhaus.org/query/bl?ip=81.6.6.140
> 81.6.6.140 : bl.spamcop.net : BLOCKED (127.0.0.2)
> Blocked - see http://www.spamcop.net/bl.shtml?81.6.6.140
> 81.6.6.140 : psbl.surriel.com : BLOCKED (127.0.0.2)
> Listed in PSBL, see http://psbl.surriel.com/listing?ip=81.6.6.140
> Tue Jan 13 02:07:31 UTC 2009
>
[ Additional comments from recipient ]
> <https://www.virustotal.com/analisis/d477e31838e0f00daed12d2d5aa34867>
> File NorthwestAirlines.zip received on 01.13.2009 02:44:05 (CET)
> Current status: finished
> Result: 10/38 (26.32%)
>
> Antivirus Version Last Update Result
> a-squared 4.0.0.73 2009.01.13 Win32.Outbreak!IK
> AhnLab-V3 2009.1.10.0 2009.01.13 -
> AntiVir 7.9.0.54 2009.01.12 -
> Authentium 5.1.0.4 2009.01.12 W32/Trojan-Gypikon-based.BA!Maximus
> Avast 4.8.1281.0 2009.01.12 -
> AVG 8.0.0.229 2009.01.13 Pakes.ARF
> BitDefender 7.2 2009.01.13 -
> CAT-QuickHeal 10.00 2009.01.12 -
> ClamAV 0.94.1 2009.01.12 -
> Comodo 919 2009.01.12 -
> DrWeb 4.44.0.09170 2009.01.12 -
> eSafe 7.0.17.0 2009.01.12 -
> eTrust-Vet 31.6.6304 2009.01.12 -
> F-Prot 4.4.4.56 2009.01.12 W32/Trojan-Gypikon-based.BA!Maximus
> F-Secure 8.0.14470.0 2009.01.13 -
> Fortinet 3.117.0.0 2009.01.13 -
> GData 19 2009.01.13 -
> Ikarus T3.1.1.45.0 2009.01.13 Win32.Outbreak
> K7AntiVirus 7.10.584 2009.01.09 -
> Kaspersky 7.0.0.125 2009.01.13 Trojan-Spy.Win32.Zbot.jzb
> McAfee 5493 2009.01.12 -
> McAfee+Artemis 5493 2009.01.12 -
> Microsoft 1.4205 2009.01.13 PWS:Win32/Zbot.gen!R
> NOD32 3760 2009.01.12 -
> Norman 5.93.01 2009.01.12 -
> Panda 9.4.3.3 2009.01.12 -
> PCTools 4.4.2.0 2009.01.12 -
> Prevx1 V2 2009.01.13 -
> Rising 21.12.02.00 2009.01.12 -
> SecureWeb-Gateway 6.7.6 2009.01.12 -
> Sophos 4.37.0 2009.01.13 Troj/Agent-IPH
> Sunbelt 3.2.1831.2 2009.01.09 RiskTool.Win32.ProcessPatcher.Nor!cobra (v)
> Symantec 10 2009.01.13 Backdoor.Bifrose
> TheHacker 6.3.1.4.218 2009.01.11 -
> TrendMicro 8.700.0.1004 2009.01.12 -
> VBA32 3.12.8.10 2009.01.12 -
> ViRobot 2009.1.12.1554 2009.01.12 -
> VirusBuster 4.5.11.0 2009.01.12 -
>
> Additional information
> File size: 63696 bytes
> MD5...: 24cbe417206dec89b9bf320183025ef4
> SHA1..: 21273916a19ddf05c8823e7edb68f26084563983
> SHA256: 760d64f51e44c463bf6751123c76bdec43ca92719cdded73fc0135a29e8175f3
> SHA512: d61fdc13ad7ed87009d6be2261b6f27fe97da08438419dc0616d23a1be2f1b2042996e8e11236c8a027c635a24ffaa2b442f0f65887fc8698c0e46a7367951f3
> ssdeep: 1536:NMHK7OLz7tRcOBYu2fq90VEbBZ89VywqvLcyUp+YY61Kr:NwTt3Ytq90VE9SPywqzcyUhY2O
> PEiD..: -
> TrID..: File type identification
> ZIP compressed archive (100.0%)
> PEInfo: -
[ Offending message ]
Return-Path: <r...@blountortho.com>
X-Original-To: x
Delivered-To: x.local
Received: from glimmer.mako.ath.cx (localhost [127.0.0.1])
by glimmer.local (Postfix) with ESMTP id DA7C84114A9
for <x>; Mon, 12 Jan 2009 19:48:42 -0600 (CST)
Received: from pop.mindspring.com
by glimmer.mako.ath.cx with POP3 (fetchmail-6.3.8)
for <x> (single-drop); Mon, 12 Jan 2009 19:48:42 -0600 (CST)
Received: from strange.mail.mindspring.net ([127.0.0.1])
by strange.mail.mindspring.net (EarthLink SMTP Server) with SMTP id 1lmym74d03Nl3oW0; Mon, 12 Jan 2009 20:46:11 -0500 (EST)
Received: from zux006-006-140.adsl.green.ch ([81.6.6.140])
by strange.mail.mindspring.net (EarthLink SMTP Server) with ESMTP id 1lmylX2Va3Nl3oW1; Mon, 12 Jan 2009 20:46:03 -0500 (EST)
Received: from [81.6.6.140] by peerbu03.peertopeer.net; Tue, 13 Jan 2009 02:46:08 +0100
From: "Northwest Airlines" <tic...@nwa.com>
To: <x>
Subject: E-ticket #4180775714
Date: Tue, 13 Jan 2009 02:46:08 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_000E_01C97529.16005800"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: Aca6QE5QGV9EPSKKIRA1R58M840LTG==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
Message-ID: <01c9__________________0651@rdl>
X-ELNK-Received-Info: avn=CMU-7435-20090112;
X-ELNK-Received-Info: spv=0;
X-ELNK-AV: 3
- ------=_NextPart_000_000E_01C97529.16005800
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: 7bit
Hello!
Thank you for using our new service "Buy Northwest Airlines ticket Online" on our website.
Your account has been created:
Your login: x
Your password: passFK1I
Your credit card has been charged for $498.74.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the Northwest Airlines ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards,
Joan Pearce
Northwest Airlines
- ------=_NextPart_000_000E_01C97529.16005800
Content-Type: Text/Plain; charset=US-ASCII
X-Content-Type: application/zip;
name="NorthwestAirlines.zip"
X-Content-Transfer-Encoding: base64
X-Content-Disposition: attachment;
filename="NorthwestAirlines.zip"
[ The following attachment was DELETED when this message was saved: ]
[ A Application/ZIP (Name="NorthwestAirlines.zip") segment of about 65 ]
>>> Virus 'Troj/Agent-IPH' found in file NorthwestAirlines.zip/NorthwestAirlines.exe
>>> Virus 'Troj/Agent-IPH' found in file NorthwestAirlines.exe (Sophos)
- ------=_NextPart_000_000E_01C97529.16005800--
- --
David Ritz <dritz+...@mindspring.com>
Be kind to animals; kiss a shark.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>
iD8DBQFJa/mmUrwpmRoS3usRAvxDAJ4lRhkklVRIcwOWmuUA4fPBK5HhGwCfaVqz
gcPbOnr9OI3yd6ZNgDb22kw=
=IHKD
-----END PGP SIGNATURE-----
--
All postings to news.admin.net-abuse.sightings are unconfirmed and unverified
unless stated otherwise by the moderators. All opinions expressed above are
considered the opinions of the original poster, not the moderators or their
respective employers. For a copy of the guidelines to this group, see:
http://www.killfile.org/~tskirvin/nana/