13 October 2009

SPAM: Server Upgrade

I have been alerted to a couple of users who are receiving spam that contains links to external websites. The message is as follows:

Attention!

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.

The changes will concern security, reliability and performance of mail service and the system as a whole.

For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.

This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

http://updates.<your domain>.<various>/ssl/id=73616375-<email>-patch2844683.aspx

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

I have noticed the following domain names being used so far which I have blocked on my proxy server:

*.admin-db.net
*.1ssl-certs.com

According to: http://www.dshield.org/diary.html?storyid=7333

The link leads the user to a download which disables AV and has Trojan / key logger characteristics.

Once again the URL contains the user's email address, so the site will probably log the entry to a db for future spamming.

I would suggest that you add all the domain names that you encounter in these messages to your proxy blocked list to prevent users from giving their email addresses away for future attacks.
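One way to find the domains to add, as an added example that is not part of the original post: the script below scans proxy log or mail text for URLs with the lure's shape (an `updates.` host and a `/ssl/id=<digits>-<email>-patch<digits>.aspx` path), then reports which host suffixes are not yet blocked and which addresses appeared in a link. The log lines, `example.org`, `lure-domain.example` and the function name `analyse` are constructed for illustration. It assumes the address appears literally (or %-encoded) in the path and that `<your domain>` in the host is the recipient's mail domain.

```python
import re
from urllib.parse import urlsplit, unquote

# Wildcard suffixes the post reports as already blocked on the proxy.
KNOWN_BLOCKED = {"admin-db.net", "1ssl-certs.com"}

# Path shape from the lure URL in the post:
#   /ssl/id=<digits>-<email>-patch<digits>.aspx
LURE_PATH = re.compile(
    r"^/ssl/id=\d+-(?P<email>[^/\s]+@[^/\s]+?)-patch\d+\.aspx$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample proxy log lines (not real traffic).
SAMPLE = """\
2009-10-13 09:14:02 10.0.0.21 GET http://updates.example.org.admin-db.net/ssl/id=73616375-alice@example.org-patch2844683.aspx 403
2009-10-13 09:20:45 10.0.0.37 GET http://updates.example.org.lure-domain.example/ssl/id=73616375-bob%40example.org-patch2844683.aspx 200
2009-10-13 09:22:10 10.0.0.37 GET http://www.example.org/ssl/help.aspx 200
"""

def analyse(text):
    """Return (suffixes_to_block, addresses_seen_in_links) for lure URLs."""
    to_block, exposed = set(), set()
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        match = LURE_PATH.match(unquote(parts.path))
        if not match or not host.startswith("updates."):
            continue
        email = match.group("email").lower()
        exposed.add(email)
        # Assumption: the host is updates.<recipient mail domain>.<suffix>,
        # so stripping that prefix leaves the suffix to wildcard-block.
        prefix = "updates." + email.split("@", 1)[1] + "."
        suffix = host[len(prefix):] if host.startswith(prefix) else host
        if not any(suffix == d or suffix.endswith("." + d)
                   for d in KNOWN_BLOCKED):
            to_block.add(suffix)
    return to_block, exposed

if __name__ == "__main__":
    new_suffixes, addresses = analyse(SAMPLE)
    print("Add to proxy block list:", sorted(new_suffixes))
    print("Addresses seen in lure links:", sorted(addresses))
```

The addresses in the second list belong to users whose links were requested, so they are the ones to follow up with, particularly where the request was not blocked.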