One Article Review

Source: SANS Institute
Identifier: 207043
Publication date: 2016-10-19 04:54:24 (seen: 2016-10-19 04:54:24)
Title: Spam Delivered via .ICS Files, (Tue, Oct 18th)
Text:

Yesterday, I received a few interesting emails in my honeypot. I set up catch-all email addresses for domains that are well known by spammers. I'm capturing emails and extracting MIME attachments for further analysis. Today, my honeypot received three ICS files. iCalendar [1] is a file format used to exchange meeting information between users, mainly via email or a file sharing system. Such files use the extension .ics:

    Oct 18 11:27:07 marge postfix/cleanup[9842]: 444817C2519: warning: header From: OFICE FILE \ from=xxxx to=xxxx proto=ESMTP helo=xxxx

The ICS file attached to the mail had a valid format but with some interesting characteristics. First, it was a cancellation:

    METHOD:CANCEL

Then, many recipients (approximately 50) were added as required:

    RSVP=TRUE:mailto:kiotoambiental@ig.com.br
    RSVP=TRUE:mailto:kirk.pearson@leg.wa.gov
    RSVP=TRUE:mailto:kissimmeesdb@yahoo.com
    RSVP=TRUE:mailto:kitanamileene@bol.com.br
    RSVP=TRUE:mailto:kitty.hotel@hotmail.com

You can see that all the participants are listed. Depending on the way the user cancels or replies to the mail, a notification could be sent to all the attendees, propagating the spam. Note that the mail was sent approximately 30 minutes (11:27 GMT+2) before the scheduled time in the meeting request (12:00 - 13:00 GMT+2). The message in itself does not contain malicious content (an ICS file contains only text), but your mail server could be used to spread the message to the other attendees and affect its reputation in anti-spam lists. The meeting details could also contain a link to a malicious website.

Did you also see such emails or do you have more information? Feel free to share!

[1] http://icalendar.org/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
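An added example (not code from the diary or from SANS ISC) of how a mail gateway could flag invites with the characteristics described above: a METHOD:CANCEL carrying dozens of RSVP=TRUE attendees across many domains, a start time shortly after receipt, and URLs in the meeting body. The sample .ics, its addresses, the URL and the thresholds are constructed placeholders, not values from the diary.

```python
import re
from datetime import datetime

# Constructed sample mirroring the diary: a CANCEL with 50 RSVP=TRUE attendees.
# Addresses and the URL are placeholders, not values from the diary.
SAMPLE_ICS = "\r\n".join(
    ["BEGIN:VCALENDAR", "METHOD:CANCEL", "BEGIN:VEVENT",
     "DTSTART:20161018T100000Z", "SUMMARY:OFICE FILE",
     "DESCRIPTION:Please open the document at ",
     " http://example.invalid/doc"]          # RFC 5545 folded continuation
    + [f"ATTENDEE;RSVP=TRUE:mailto:user{i}@dom{i % 12}.example" for i in range(50)]
    + ["END:VEVENT", "END:VCALENDAR"])

def unfold(ics):
    """Join RFC 5545 folded lines: a continuation starts with a space or tab."""
    lines = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def analyze_ics(ics, received_utc, attendee_threshold=20):
    """Score an ICS attachment; received_utc is a 'YYYYMMDDTHHMMSSZ' string."""
    lines = unfold(ics)
    prop = lambda name: next((l.split(":", 1)[1] for l in lines
                              if l.split(":", 1)[0].split(";")[0] == name), "")
    attendees = [l for l in lines if l.startswith("ATTENDEE")]
    rsvp = [l for l in attendees if "RSVP=TRUE" in l.split(":", 1)[0].upper()]
    domains = {l.rsplit("@", 1)[1].lower() for l in attendees if "@" in l}
    urls = [u for l in lines if l.startswith(("DESCRIPTION", "LOCATION", "URL"))
            for u in re.findall(r"https?://\S+", l)]
    method, start = prop("METHOD").upper(), prop("DTSTART")
    minutes_to_start = None
    if start.endswith("Z"):  # only UTC timestamps handled in this example
        fmt = "%Y%m%dT%H%M%SZ"
        minutes_to_start = (datetime.strptime(start, fmt)
                            - datetime.strptime(received_utc, fmt)).total_seconds() / 60
    findings = []
    if method == "CANCEL" and len(rsvp) >= attendee_threshold:
        findings.append("cancel-with-mass-rsvp")     # a reply or cancel fans out to all
    if len(domains) >= 10:
        findings.append("attendees-span-many-domains")
    if urls:
        findings.append("url-in-body")
    if minutes_to_start is not None and 0 <= minutes_to_start <= 60:
        findings.append("starts-within-an-hour")
    return {"method": method, "attendees": len(attendees), "rsvp": len(rsvp),
            "domains": len(domains), "urls": urls, "findings": findings}
```

Running `analyze_ics(SAMPLE_ICS, "20161018T092700Z")` (33 minutes before the start, as in the diary) raises all four findings; a plain single-recipient REQUEST raises none.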