Just a heads-up: I know people on this board are sensible about emails from an unknown source...


I've just had a number of rather odd emails sent from the message board entitled "The style looks like a sort of cross between PowerPuff Girls amd MLP.". I know they have come via the board as - in addition to the subject - the email in question is a single-purpose email.

They alledgedly - since the headers could be - come from someone called Heena , and contain some form of attachemnt which I couldn't readily identify (and I wasn't stupid enough to open the emails...). I recieved 8 copies of the message within about 2 minutes.

Looking at a quick google search the evidence is that this is a spammer rather than a malware merchant...




Jason - if it is any help to you, the mail headers are as below:


From - Tue Aug 06 19:26:55 2013
X-Account-Key: account1
X-UIDL: 1047
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Received: from smtp.demon.co.uk (192.168.70.14) by HVUT01.thus.corp
(192.168.70.41) with Microsoft SMTP Server (TLS) id 14.3.146.0; Mon, 5 Aug
2013 22:18:43 +0100
Received: from mdfmta001.tbr.inty.net (unknown [127.0.0.1])    by
mdfmta001.tbr.inty.net (Postfix) with ESMTP id A1F886A4073    for
; Mon, 5 Aug 2013 22:18:43 +0100 (BST)
Received: from mdfmta001.tbr.inty.net (unknown [127.0.0.1])    by
mdfmta001.tbr.inty.net (Postfix) with ESMTP id 875B36A4075    for
; Mon, 5 Aug 2013 22:18:43 +0100 (BST)
Received: from mdfmta001.tbr.inty.net (unknown [127.0.0.1])    by
mdfmta001.tbr.inty.net (Postfix) with ESMTP id 6B0FB6A4073    for
; Mon, 5 Aug 2013 22:18:43 +0100 (BST)
Received: from ps43185.dreamhostps.com (unknown [208.113.180.8])    by
mdfmta001.tbr.inty.net (Postfix) with ESMTP    for
; Mon, 5 Aug 2013 22:18:43 +0100 (BST)
Received: by ps43185.dreamhostps.com (Postfix, from userid 11955404)    id
873283295CDC50; Mon, 5 Aug 2013 14:18:40 -0700 (PDT)
To:
Subject: Re: "The style looks like a sort of cross between PowerPuff Girls amd MLP." posted to Tales of the Parodyverse
From: Heena
Reply-To: Heena
Content-Type: multipart/mixed; boundary="==2a41ab0153eac4994178f5a829739c45"
Content-Transfer-Encoding: 8bit
X-Mailer: On Topic Mail Exchange v2.6
X-Origin-Ip: [8.35.201.117]
X-Request-URI: /app/pm.php
Message-ID:
Date: Mon, 5 Aug 2013 14:18:40 -0700
X-MDF-HostID: 2
X-MDF-HostID: 2
Return-Path: null@mangacool.com
X-MS-Exchange-Organization-AuthSource: HVUT01.thus.corp
X-MS-Exchange-Organization-AuthAs: Anonymous
MIME-Version: 1.0

--==2a41ab0153eac4994178f5a829739c45
Content-Disposition: inline
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 8bit

(HTML bit with lots of Chinese characters redacted...)

--==2a41ab0153eac4994178f5a829739c45--

I got two of those also. It looks like someone's experimenting with creating a bot that Private Messages every username on the board. Fortunately the board's tech makes sure their attempts are highly filtered.





The "attachment" is because your mailer is not handling UTF-8 Chinese correctly. The Private Message form does not allow attachments (for good reason). They can try to cram an encoded attachment in, but it will arrive at the destination mangled to uselessness.





I'm looking at creative ways to block them without requiring an account for sending PM's.

I suspected it would be that rather than the software itself being hacked.




I'm not sure if that is a win for Thunderbird or not...





Tactical Nuke?