automated social engineering at it's best (maybe?)

[Tim.Keller at stratus.com (Keller, Tim)]

I can confirm that this is indeed a very widely aimed social engineering
trick.  However, whoever sent it to me must have been a bit less crafty
because mine came from "duncan at otnews.net".

Needless to say, it's a bit like seeing the harness under the spiderman
suit, the illusion is lost and it stops looking convincing and starts
looking like a cheap trick.

Happy hunting.
Tim.

--- Snip ---
Dear user tim.keller at stratus.com, administration of stratus.com would like
to inform you that:

We have detected that your email account has been used to send a large
amount of spam messages during this week.
We suspect that your computer had been compromised and now runs a trojaned
proxy server.

Please follow the instructions in order to keep your computer safe.

Sincerely yours,
stratus.com user support team.
-- End Snip ---


-----Original Message-----
From: Derek Martin [mailto:invalid at pizzashack.org]
Sent: Tuesday, July 27, 2004 1:07 PM
To: discuss at blu.org; discuss at gnhlug.org
Subject: automated social engineering at it's best (maybe?)


Dear Abby,

> Dear user blu at sophic.org,

What, an ISP can't figure out who's attached to one of their e-mail
addresses and name them by name?  Should I be suspicious?

> Your account has been used to send a huge amount of spam during this
> week. 

Really?  Fascinating...

    $ telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 thoth.sophic.org ESMTP Sendmail 8.12.8/8.12.8; Tue, 27 Jul
    2004 12:42:17 -0400
    helo me
    250 thoth.sophic.org Hello localhost [127.0.0.1], pleased to meet
    you
    mail from: invalid at pizzashack.org
    250 2.1.0 invalid at pizzashack.org... Sender ok
    rcpt to: blu at sophic.org
    550 5.1.1 blu at sophic.org... User unknown

On second thought, I really don't think so.

> Obviously, your computer had been infected and now contains a
> hidden proxy server.

Obviously, this e-mail is itself a virus.

> Please follow instruction in order to keep your computer safe.

Not likely.

> Best regards,
> sophic.org technical support team.

Right.  Oh, wait; that would be me, and I didn't send this e-mail.

So, anyone have any good procmail recipies for this bogosity?  I'm still
getting basically no spam, but what can you do when your friends don't
know how to take care of their PCs?  I think I got about a hundred
copies of this (or one of a few similar ones) in the last 3 days.
Sigh...

There's one with a total message size of ~39-40k.  There's another
with a message size of ~170k.  Recipies for these (or any other
annoyance virus) will be appreciated.

NOTE:  The address mentioned in this e-mail is one which I used only
to post to BLU, about 2 years ago or so (longer, I think actually).
So (in this case, at least) this virus is probably coming to me by way
of the infected PC of a (possibly former) BLU member.  

If you're cluless or lazy about keeping your PC in good health, you
might want to save your freinds' inboxes and check out some of the
links below...

All the security fixes that Microsoft has finally gotten around to
fixing in their spare time (it must be the right link, it comes up
completely blank in Mozilla):

  http://windowsupdate.microsoft.com/

Good free personal firewall software:

  http://www.zonelabs.com/

Good free (for personal use) Anti-virus software:

  http://www.free-av.com/

Thank you,
Annoyed In SK
  
[There was meant to be some humor in this message, albeit sarcastic.
If you didn't see it, try harder next time...  ;-)]

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result
in
undeliverable mail.  Sorry for the inconvenience.  Thank the spammers.