
Re: [LUG] Rubbish emails


It's a common practice with Windows executables ever since Microsoft made the default behaviour to hide file extensions. It's much easier to overlook a pdf extension than an exe, for example. When I install Windows the first thing I do is tell it to show all file extensions so it's obvious when one has two.

Kind regards,

Julian

On 27/11/13 14:25, John Allsup wrote:
Hi,

(I'm new to this list BTW.)

Got one myself. I'm generally curious, so I saved the file and used command line utils to inspect it.

It contains one file:

DHL_id_report_645436435643548574876586556434232346465657865868565456436434535434546754545634636465987686567575465434354235323454658768756865674564364364364346.pdf.exe:

which is (according to the file command):

PE32 executable for MS Windows (GUI) Intel 80386 32-bit

The basic trick is to use the long filename to hide the extension, and I suspect that its built-in icon is a PDF file.

http://nakedsecurity.sophos.com/2013/03/20/dhl-delivery-malware/

is a short article about it. Suffice to say that the picture there indicates a bad practice with email software: opening images in an HTML file that are from web addresses when the sender is untrusted. (Essentially, if I send you an HTML email that contains an <img href='http://myserver.com/img?ajf80202h02he08h2'> entry, access to this http address can be logged and used as confirmation that the email has been opened. It is a tried and trusted way of spamming long lists of potential email addresses and seeing which ones are likely active.)

The DHL mail I received contained no images BTW.

Anyway, that's what I can make of it, and I'm not letting that Zip file near my Windoze laptop.

All the best,

John



On 22/11/2013 13:12, Neil Winchurst wrote:
I am used to receiving scam emails, though not many. Just today I have had two identical ones, supposedly from DHL. This tells me that they tried to deliver a parcel at 10.10 last Wednesday, but no one was in. As it happens we *were* in.

Then it goes on to say that if it is not picked up within 72 hours it will be returned to sender. It even includes a label number. Then, and here's the best bit, I am invited to read an enclosed file for details. Would you believe the said 'enclosed file', actually an attachment, is a zip file?

Now the email address used is one I rarely use at all. I have never given this email address to DHL, or to anyone else for that matter. And, if I fell for all that, would DHL send a *zip* file to give me some simple details about a parcel? LOL.

So what has this to do with Linux? Well, I assume that, if I were silly enough to click on the attachment, any nasties would fail to run because I am not using Windows. Is that a fair assumption?

Thanks

Neil
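The inspection John describes above (list the archive, look at the name, run `file` on the contents) can be scripted so the same checks run over every attachment before anyone opens it. The script below is an added example written for this page, not code from any of the list members: it flags double extensions such as `.pdf.exe`, over-long filenames that push the real extension out of view, and contents whose leading bytes identify a Windows PE executable regardless of what the name claims. The archive it inspects is constructed inline (an `MZ` header plus filler, not a real program) so the example runs offline; the extension lists are illustrative, not exhaustive.

```python
import io
import zipfile

# Leading-byte signatures for the two formats discussed in the thread.
MAGIC = {
    b"MZ": "PE executable",
    b"%PDF": "PDF document",
}

# Extensions Windows will run as a program, and common document extensions
# that a double-extension name borrows. Illustrative lists, not exhaustive.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "txt", "jpg"}

# Names longer than this are unlikely to show their last extension in a
# typical mail client or file dialog. Assumed threshold for this example.
LONG_NAME = 80


def sniff_type(data):
    """Identify a payload from its leading bytes, the way `file` does."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def inspect_name(name):
    """Return a list of warnings derived from the filename alone."""
    warnings = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) >= 3:
        exts = parts[1:]
        if exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
            warnings.append("double extension: looks like .%s but is .%s"
                            % (exts[-2], exts[-1]))
    if len(base) > LONG_NAME:
        warnings.append("very long filename (%d chars), likely to hide the extension"
                        % len(base))
    return warnings


def inspect_zip(blob):
    """Inspect every entry of a zip archive given as bytes.

    Returns {entry name: [warnings]}; an empty list means nothing suspicious.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            warnings = inspect_name(info.filename)
            # Only the first few bytes are needed to classify the content.
            with zf.open(info) as fh:
                head = fh.read(8)
            kind = sniff_type(head)
            claimed = info.filename.rsplit(".", 1)[-1].lower()
            if kind == "PE executable":
                warnings.append("content is a Windows PE executable (claimed .%s)"
                                % claimed)
            report[info.filename] = warnings
    return report


def build_sample_zip():
    """Constructed sample resembling the attachment described in the thread.

    The 'executable' is just an MZ header and padding, not a runnable program.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL_id_report_" + "6" * 120 + ".pdf.exe",
                    b"MZ" + b"\x00" * 62)
        zf.writestr("genuine_notice.pdf", b"%PDF-1.4\n%constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, warnings in inspect_zip(build_sample_zip()).items():
        print(name[:40] + ("..." if len(name) > 40 else ""))
        for w in warnings or ["no warnings"]:
            print("   -", w)
```

Run it as-is to see the constructed archive scored; to check a real attachment, pass the bytes of the saved zip to `inspect_zip`. The content check is the one that matters most: a name can be made to say anything, but a Windows program has to start with the `MZ` header to run, which is exactly what `file` reported to John as "PE32 executable".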


--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq