In previous posts on
web application email harvesting, and the
distributed email harvesting honeypot, I commented on a relatively less popular threat - the foundation for sending spam and phishing emails, namely collecting publicly available email addresses. The other day I came across an email harvester and decided to comment on its configuration file.
Type of file extensions to look in :
TargetFile=abc;abd;abx;adb;ade;adp;adr;bak;bas;cfg;cgi;cls;
cms;csv;ctl;dbx;dhtm;dsp;
dsw;eml;fdb;frm;hlp;imb;imh;imh;imm;inbox;ldb;ldif;mbx;
mda;mdb;mde;mdw;
mdx;mht;mmf;msg;nab;nch;nfo;nsf;nws;ods;oft;pmr;pp;ppt;
pst;rtf;slk;sln;sql;stm;tbb;tbi;txt;uin;vap;vcf;myd;html;htm;htt;js;
asm;asp;c;cpp;h;doc;ini;jsp;log;mes;php;phtm;pl;
shtml;vbs;xhtml;xls;xml;xml;wsh;
Domains to look in :
TargetDomain=ru;com;net;cz;in;info;uk;fr;by;edu;it;de;ua;pl;nz;am;tv;
As you can see, this one is Europe centric.
Blacklisted usernames and domains :
BlackList=root;info;samples;postmaster;webmaster;noone;nobody;
nothing;anyone;someone;your;you;me;bugs;
rating;site;contact;soft;somebody;privacy;service;help;submit;feste;
gold-certs;the.bat;page;admin;support;ntivi;unix;bsd;linux;listserv;certific;
google;accoun;spm;spam;www;secur;abuse;
.mil;.ftn;@hotmail;@msn;@microsoft;rating@;
f-secur;news;update;.gov;@fido;anyone@;bugs@;contract@;feste;gold-certs@;help@;info@;nobody@;noone@;
kasp;
sopho;@foo;
@iana;free-av;@
messagelab;winzip;winrar;samples;abuse;
panda;
cafee;
spam;pgp;@avp.;noreply;local;root@;postmaster@;
.fidonet;subscribe;faq;@mtu;.mtu;.mgn;.plesk;.sbor;.port;.hoster;
@novgorod;@quarta;.nsk;.talk;.tomsknet;
@suct;.lan;.uni-bielefeld;@ruddy;.msk;@individual;.interdon;
@php;@zend; feedback;.lg;.lnx;@hostel;@relay;
.neolocation; @example;.kirov;.z2;.fido;.tula;
@intercom;@olli;@ozon; @bk;@lipetsk;@ygh;
.eltex;.invention;.intech;@cityline;.kiev;@4ax;
.senergy;@mail.gmail;@butovo;
F-Secure, Kaspersky, MessageLabs, Panda Software and McAfee are taken into consideration, but the best part is that the vendors themselves are visionary enought not to be using domains or email addresses associated with them, for spam and malware traps.
Thankfully, there're many spam poison projects where these crawlers get directed to a huge number of randomly generated email addresses. And while the results are evident, namely they're picking them up and poisoning their databases with non-existent emails it is questionable if that's the best way to fight spam, since the spammers are going to send their message to anyone, even to the non-existent email addresses causing network load. Something else worth mentioning, these email harvesters are starting to pick up [at] and [dot] type of obfuscation too.
Here are some more
comments on the Spamonomics I recently made. Spammer's attitude has to do with "Busyness vs Business" factor of productivity mostly, their business model is broken, but they just keep on sending them without knowing it.
Continue reading →
Very interesting idea as packed malware is something rather common these days, and as we've seen the recent use of commercial packers in the "skype trojan" malware authors are definitely aware of the concept. What the authors did was to pack the following malware using 21 different packers/software protectors - Backdoor.Win32.BO_Installer, Email-Worm.Win32.Bagle, Email-Worm.Win32.Menger, Email-Worm.Win32.Naked, Email-Worm.Win32.Swen, Worm.Win32.AimVen, Trojan-PSW.Win32.Avisa, Trojan-Clicker.Win32.Getfound, and scan them with various anti virus software to measure which ones excel at detecting packed malware. What some vendors are best at detecting others doesn't have a clue about, but the more data to back up your personal experience, the better for your decision-making.
Continue reading →
Eye-catching streaming video
RSS Feed