Don't know how widespread this is, but saw it filter in through some interesting equipment we have here...At the very least, it is a good example of how to spot fake email:
The last line should be reason prima one that you know this email is fake.
Code:
HELO <filtered>
220 ***02**************************************************************
MAIL FROM:<[email protected]>
250 <filtered> G'day [24.102.166.188]! Why do you call yourself <filtered>?
Note the server response of 'Why do you call yourself' (it could also happen if it fails to do a reverse).
Also note that the email purports to be from [email protected], and that 24.102.166.188 isn't anywhere near the McAfee domain...
Actually it is:
CustName: Rogers Cable Inc. MTMC
Address: 1 Mount Pleasant Road
City: Toronto
StateProv: ON
The last thing to be worried about is the nice little .com attachment...
Code:
RCPT TO:<filteredl>
250 sender <[email protected]> OK
DATA
250 recipient <filtered> OK
From: McAfee Inc.<[email protected]>
To: Filtered
Subject: Patch for Elkern.gen
Date: Tue,17 Jun 2003 13:25:08 PM
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
MIME-Version: 1.0
Content-Type:multipart/mixed; boundary=#r0xx#

--#r0xx#
Content-Type: text/html charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<FONT></FONT>
Klez.H is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
We developed this free immunity tool to defeat the malicious virus.
You only need to run this tool once,and then Klez will never come into your PC</BODY></HTML>
--#r0xx#
Content-Type: application/octet-stream; name=FixElkern.com
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="FixElkern.com"
Pretty poor job at a little social engineering, but I am sure that person will find plenty of stupid people to run it for them...
/nebulus
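As an added example (not part of /nebulus' post), here is a small Python checker that flags the tells walked through above on a constructed copy of the transcript: the HELO/reverse-DNS mismatch reply, the claimed sender domain versus the owner of the connecting IP, the malformed Date header, and the executable attachment. The hostnames, the sender local part and the IP-owner table are stand-ins for the filtered values and the whois lookup.

```python
import re
from email import message_from_string

EXECUTABLE_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".vbs"}

# Constructed stand-in for the whois lookup quoted in the post (no live query).
IP_OWNER = {"24.102.166.188": "Rogers Cable Inc. MTMC"}


def analyze_session(server_replies, mail_from, message_text):
    """Return {indicator: detail} for each red flag found in the session."""
    findings = {}
    for reply in server_replies:
        # 1. The MTA could not reconcile the HELO name with the client's reverse DNS.
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]!\s+Why do you call yourself", reply)
        if not m:
            continue
        ip = m.group(1)
        findings["helo_mismatch"] = f"server questioned HELO identity of {ip}"
        # 2. Claimed sender domain versus who actually owns the connecting address.
        domain = mail_from.strip("<>").rsplit("@", 1)[-1].lower()
        owner = IP_OWNER.get(ip, "unknown")
        if domain.split(".")[0] not in owner.lower():
            findings["sender_ip_mismatch"] = f"{domain} claimed, but {ip} belongs to {owner}"
    msg = message_from_string(message_text)
    # 3. A 24-hour clock with an AM/PM suffix is not something a real mailer emits.
    date = msg.get("Date", "")
    if re.search(r"\b(1[3-9]|2[0-3]):\d{2}(?::\d{2})?\s*[AP]M\b", date):
        findings["bad_date"] = f"malformed Date header: {date}"
    # 4. An executable attachment posing as a fix tool.
    for part in msg.walk():
        name = part.get_filename()
        if name and any(name.lower().endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            findings["executable_attachment"] = f"attachment {name}"
    return findings


# Constructed sample mirroring the post's transcript; filtered names are placeholders.
SAMPLE_REPLIES = [
    "220 mx.example.invalid",
    "250 mx.example.invalid G'day [24.102.166.188]! Why do you call yourself mail.example.invalid?",
]
SAMPLE_MAIL_FROM = "<[email protected]>"  # local part was redacted in the post
SAMPLE_MESSAGE = (
    "From: McAfee Inc.<[email protected]>\nTo: victim@example.invalid\n"
    "Subject: Patch for Elkern.gen\nDate: Tue,17 Jun 2003 13:25:08 PM\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="sample-boundary"\n\n--sample-boundary\n'
    'Content-Type: text/html; charset="iso-8859-1"\n\n<HTML><BODY>Run this tool once.</BODY></HTML>\n'
    "--sample-boundary\nContent-Type: application/octet-stream; name=FixElkern.com\n"
    'Content-Transfer-Encoding: base64\nContent-Disposition: attachment; filename="FixElkern.com"\n\n'
    "QUJD\n--sample-boundary--\n"  # base64 of "ABC", a constructed placeholder body
)


def run_sample():
    return analyze_session(SAMPLE_REPLIES, SAMPLE_MAIL_FROM, SAMPLE_MESSAGE)


if __name__ == "__main__":
    for code, detail in run_sample().items():
        print(f"{code}: {detail}")
```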