spam

Jan 30 21:08

Virus Warning

Today I've seen a couple of instances of a virus turning up as spam mail. It's disguised as 'Greeting Card.exe', 'Flash Postcard.exe' or similar and, most importantly, is not being detected by the latest version of AVG. I have emailed the executable off to the vendors to get it added.

In the meantime, normal advice follows - don't open any attachments from someone that you don't 120% trust. Do not open any attachments that have any kind of dodgy looking file extension like .exe. In short don't open anything unless you are completely sure that you know what it is and even then think twice!

Jan 29 12:58

Viaxxgra Spam

I've been seeing a lot of obfuscated spam over the last week or so. It's led me to write and test my first spamassassin rules:


body ACKME_OBFDRUGS9a m/\bVi([_a-zA-Z]{2}a|a[_a-zA-Z]{2})gra\b/i
describe ACKME_OBFDRUGS9a obfuscated drug names ViaXXgra or ViXXagra
score ACKME_OBFDRUGS9a 1.0

body ACKME_OBFDRUGS9b m/\bV([_a-zA-Z]{2}a|a[_a-zA-Z]{2})lium\b/i
describe ACKME_OBFDRUGS9b obfuscated drug names VaXXlium or VXXalium
score ACKME_OBFDRUGS9b 1.0

body ACKME_OBFDRUGS9c m/\bCi([_a-zA-Z]{2}a|a[_a-zA-Z]{2})lis\b/i
describe ACKME_OBFDRUGS9c obfuscated drug names CiXXalis or CiaXXlis
score ACKME_OBFDRUGS9c 1.0

body ACKME_OBFDRUGS9d m/\bAm([_a-zA-Z]{2}b|b[_a-zA-Z]{2})ien\b/i
describe ACKME_OBFDRUGS9d obfuscated drug names AmXXbien or AmbXXien
score ACKME_OBFDRUGS9d 1.0

body ACKME_OBFDRUGS9e m/\bX([_a-zA-Z]{2}a|a[_a-zA-Z]{2})nax\b/i
describe ACKME_OBFDRUGS9e obfuscated drug names XXXanax or XaXXnax
score ACKME_OBFDRUGS9e 1.0

body ACKME_OBFDRUGS9f m/\bLev([_a-zA-Z]{2}i|i[_a-zA-Z]{2})tra\b/i
describe ACKME_OBFDRUGS9f obfuscated drug names LeviXXtra or LevXXitra
score ACKME_OBFDRUGS9f 1.0

meta ACKME_OBFDRUGS9 (ACKME_OBFDRUGS9a + ACKME_OBFDRUGS9b + ACKME_OBFDRUGS9c + ACKME_OBFDRUGS9d + ACKME_OBFDRUGS9e + ACKME_OBFDRUGS9f > 1)
describe ACKME_OBFDRUGS9 multiple obfuscated drug names
score ACKME_OBFDRUGS9 2.0
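
Rules like these are worth checking against sample text before they go live. The following is an added example, not part of the original post: a Python harness that transcribes the six patterns and the meta threshold and runs them over constructed message bodies. It assumes each body rule counts at most once per message (SpamAssassin's default without `tflags multiple`) and matches one plain string rather than SpamAssassin's rendered body; `evaluate`, `FILL` and the sample strings are names and values chosen for this example.

```python
import re

# Two filler characters, as in the post's rules.
FILL = r"[_a-zA-Z]{2}"

# The six sub-rule patterns from the post, transcribed to Python's re syntax.
SUBRULES = {
    "ACKME_OBFDRUGS9a": rf"\bVi({FILL}a|a{FILL})gra\b",
    "ACKME_OBFDRUGS9b": rf"\bV({FILL}a|a{FILL})lium\b",
    "ACKME_OBFDRUGS9c": rf"\bCi({FILL}a|a{FILL})lis\b",
    "ACKME_OBFDRUGS9d": rf"\bAm({FILL}b|b{FILL})ien\b",
    "ACKME_OBFDRUGS9e": rf"\bX({FILL}a|a{FILL})nax\b",
    "ACKME_OBFDRUGS9f": rf"\bLev({FILL}i|i{FILL})tra\b",
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in SUBRULES.items()}

SUB_SCORE = 1.0   # score of each sub-rule in the post
META_SCORE = 2.0  # score of the ACKME_OBFDRUGS9 meta rule


def evaluate(body):
    """Return (sub-rules hit, meta fired?, total score) for one message body.

    Assumption: a sub-rule contributes once however often it matches, so the
    meta expression (sum > 1) needs two *different* obfuscated names.
    """
    hits = sorted(name for name, rx in COMPILED.items() if rx.search(body))
    meta = len(hits) > 1
    total = SUB_SCORE * len(hits) + (META_SCORE if meta else 0.0)
    return hits, meta, total


# Constructed sample bodies, not taken from real mail.
SAMPLES = [
    "Cheap Viaxxgra and Ciqqalis here",        # two different names
    "Viaxxgra Viaxxgra VIZZAGRA",              # one name repeated, mixed case
    "My doctor prescribed Viagra and Valium",  # unobfuscated spellings
    "Am_zbien, Xa__nax, Levqqitra",            # underscore filler
]

if __name__ == "__main__":
    for body in SAMPLES:
        hits, meta, total = evaluate(body)
        print(f"{total:4.1f}  meta={meta!s:5}  {hits}  <- {body!r}")
```

The third sample shows the rules leave the correctly spelled names alone, so they add no score to legitimate mail that mentions them.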

Jun 29 10:49

Spam

If I host your email, you're seeing a lot of spam at the moment. I'm aware of it and am in the process of re-architecting things to beef up the spam processing and hopefully make the problem go away once and for all. I'm waiting on hardware delivery at the moment. Should have all the kit by the start of next week.

Oct 27 09:25

Free £60 voucher from Sainsbury's

Myself and, independently, a couple of my friends received emails off other friends telling us how to get a free £60 voucher from Sainsbury's. All you have to do is send the email on to 10 of your friends, cc'ing an email address at customerservices dot com.

Checking the customerservices.com registration details, it's someone in Indiana. There's no link to Sainsbury's. The customerservices dot com website is a junk portal page.

What I suspect is happening is that someone's started off a viral email that is harvesting real email accounts via the CC in the email.

The general rule of thumb is that if something sounds too good to be true, it usually is!