Someday they will learn not to use all caps

by Volker Weber


Received: from [24.244.142.151] (helo=vowe.de)
by mxeu1.kundenserver.de with ESMTP (Nemesis),
id 0MKpV6-1Co5vM2ItV-0001Gk; Mon, 10 Jan 2005 21:14:00 +0100
From: "Returned mail"
To: vowe@vowe.de
Subject: DELIVERY REPORTS ABOUT YOUR E-MAIL
Date: Mon, 10 Jan 2005 15:06:11 -0500
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <0MKpV6-1Co5vM2ItV-0001Gk@mxeu1.kundenserver.de>
X-SpamScore: 0.550
tests= SUBJ_ALL_CAPS
X-RegEx-Score: 441.2
X-RegEx-Warning: suspect (441.2 > 430.0)
X-RegEx: [121.7] FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0014_92574875.655D0E85"

------=_NextPart_000_0014_92574875.655D0E85
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
charset=us-ascii

------=_NextPart_000_0014_92574875.655D0E85
Content-Type: application/octet-stream;
name="readme.zip"
Content-Disposition: attachment;
filename="readme.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAMWgKjIAKfKawHAAAMBwAAAKAAAAcmVhZG1lLnNjck1akAADAAAABAAAAP//AAC4
AAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANgAAAAOH7oOALQJzSG4
AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2RlLg0NCiQAAAAAAAAAAAAA

A readme.zip file coming in from 24.244.142.151 which pretends to be from vowe.de, where 24.244.142.151 belongs to CABLEBAHAMAS-NET (24.244.128.0/18) according to whois.arin.net. No body text, but an attachment of 28 kByte. Do I want to know what is in this readme.zip?

Better not.
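The question can be answered without unpacking or running anything, because the attachment's first base64 line already contains the ZIP local file header. The following is an added example, not part of the original post: it decodes only that line (copied from the message above) and reads the header fields; the function name and the extension list are assumptions made for the example.

```python
import base64
import struct
from datetime import datetime

# First base64 line of the readme.zip attachment, copied from the message above.
ATTACHMENT_PREFIX = "UEsDBAoAAAAAAMWgKjIAKfKawHAAAMBwAAAKAAAAcmVhZG1lLnNjck1akAADAAAABAAAAP//AAC4"

# ZIP local file header: signature, version, flags, method, DOS time, DOS date,
# CRC-32, compressed size, uncompressed size, name length, extra-field length.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")

# Assumption for this example: a short list of Windows-executable extensions.
RISKY_EXTENSIONS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")


def triage_zip_prefix(b64_text):
    """Read the first ZIP member's metadata from a possibly truncated base64 prefix."""
    b64_text = "".join(b64_text.split())          # tolerate line breaks from the mail
    usable = len(b64_text) - len(b64_text) % 4    # drop an incomplete trailing group
    data = base64.b64decode(b64_text[:usable])
    if len(data) < LOCAL_HEADER.size:
        raise ValueError("not enough data for a ZIP local file header")
    sig, _ver, flags, method, dos_time, dos_date, _crc, csize, usize, nlen, xlen = \
        LOCAL_HEADER.unpack_from(data)
    if sig != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    name = data[LOCAL_HEADER.size:LOCAL_HEADER.size + nlen].decode("cp437")
    payload = data[LOCAL_HEADER.size + nlen + xlen:]
    modified = datetime((dos_date >> 9) + 1980, (dos_date >> 5) & 0x0F, dos_date & 0x1F,
                        dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)
    return {
        "name": name,
        "stored_uncompressed": method == 0,
        "encrypted": bool(flags & 0x1),
        "compressed_size": csize,
        "uncompressed_size": usize,
        "modified": modified,
        "risky_extension": name.lower().endswith(RISKY_EXTENSIONS),
        # Only meaningful for stored members: the bytes after the header are the file itself.
        "mz_header": method == 0 and payload.startswith(b"MZ"),
    }


if __name__ == "__main__":
    for key, value in triage_zip_prefix(ATTACHMENT_PREFIX).items():
        print(f"{key}: {value}")
```

On the line from this message it reports a stored, unencrypted member named readme.scr of 28864 bytes that begins with an MZ header, which is a Windows executable wrapped in a ZIP.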

Comments

That would be Netsky.P

Chris Linfoot, 2005-01-11
