Educause Security Discussion
mailing list archives
Re: "postcard" spams.
From: Theresa Semmens <theresa.semmens () NDSU EDU>
Date: Tue, 3 Jul 2007 13:03:06 -0500
I'm seeing you have received a "BlueMountain.com greeting from a colleague"
Theresa Semmens, CISA
NDSU IT Security Officer
PO Box 5164
North Dakota State University
Theresa.Semmens () ndsu edu
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." Thomas Edison
From: Matthew Gracie [mailto:graciem () CANISIUS EDU]
Sent: Tuesday, July 03, 2007 12:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] "postcard" spams.
We've been receiving a whole host of "You have received a postcard!"
spam, with malware website links embedded in it.
For details, see: http://isc.sans.org/diary.html?storyid=3063
I haven't had a whole lot of luck finding information on the method of
propagation on this, but it seems to do all of its initial setup from a
source UDP port of 26395. At least, that's my observation from a
deliberately infected machine and a packet sniffer.
Does this jibe with other people's observation of this? The ecard.exe I
downloaded from one of the emails has a different MD5 than listed in the
SANS article, so I fear there might be copycats and variants out there.
Matt Gracie (716) 888-2403
Information Security Administrator graciem () canisius edu
Canisius College ITS 425531N / 0785109W
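The observation above (initial traffic from a constant UDP source port of 26395, plus a sample whose MD5 does not match the published one) suggests two simple defender checks: flag internal hosts sending UDP from that source port to several distinct destinations, and compare a captured sample's MD5 against the hashes already known. The following is an added example written for this archive page, not code from either poster, SANS or Educause. The flow-log format and all addresses are constructed for the example, the `26395` port comes from the thread, and the known-hash set is an empty placeholder to be filled from a trusted source such as the SANS diary linked above. Because 26395 can also be picked as an ordinary ephemeral port, the function counts distinct destinations per host so a single coincidental flow does not trigger an alert.

```python
import hashlib
from dataclasses import dataclass

# Source port reported in the thread for the malware's initial setup traffic.
SUSPECT_UDP_SRC_PORT = 26395

# Constructed sample flow records (not from the thread or any real capture).
# Format: <timestamp> <proto> <src_ip:port> -> <dst_ip:port> len=<bytes>
SAMPLE_FLOWS = """\
2007-07-03T12:31:05 udp 10.1.4.22:26395 -> 198.51.100.7:7871 len=212
2007-07-03T12:31:06 udp 10.1.4.22:26395 -> 203.0.113.9:5410 len=198
2007-07-03T12:31:09 udp 10.1.4.22:53821 -> 10.1.0.2:53 len=61
2007-07-03T12:31:11 tcp 10.1.4.40:49211 -> 198.51.100.7:80 len=520
2007-07-03T12:31:12 udp 10.1.4.51:26395 -> 192.0.2.33:1290 len=205
"""

# Placeholder: MD5 hex digests of samples already documented elsewhere
# (fill from a trusted source; intentionally empty here).
KNOWN_SAMPLE_MD5S: set[str] = set()


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    length: int


def parse_flow(line: str) -> Flow:
    """Parse one record of the constructed flow-log format above."""
    ts, proto, src, _arrow, dst, lenfield = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(ts, proto.lower(), src_ip, int(src_port),
                dst_ip, int(dst_port), int(lenfield.split("=", 1)[1]))


def suspect_hosts(log_text: str, port: int = SUSPECT_UDP_SRC_PORT,
                  min_distinct_dst: int = 1) -> dict[str, list[str]]:
    """Map each source host that sent UDP from `port` to its sorted distinct
    destinations, keeping only hosts with at least `min_distinct_dst` of them.
    Raising the threshold filters out a single coincidental ephemeral-port hit."""
    dests_by_host: dict[str, set[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f.proto == "udp" and f.src_port == port:
            dests_by_host.setdefault(f.src_ip, set()).add(f.dst_ip)
    return {host: sorted(d) for host, d in dests_by_host.items()
            if len(d) >= min_distinct_dst}


def file_md5(data: bytes) -> str:
    """MD5 hex digest of a captured sample, for comparison with published hashes."""
    return hashlib.md5(data).hexdigest()


def classify_sample(data: bytes, known_md5s: set[str] = KNOWN_SAMPLE_MD5S) -> str:
    """'known' if the sample's MD5 is in the reference set, else 'unknown-variant'
    (the situation described in the thread: a differing hash suggests a variant)."""
    return "known" if file_md5(data) in known_md5s else "unknown-variant"


if __name__ == "__main__":
    for host, dests in suspect_hosts(SAMPLE_FLOWS, min_distinct_dst=2).items():
        print(f"ALERT {host}: UDP from port {SUSPECT_UDP_SRC_PORT} to {dests}")
    print(classify_sample(b"constructed sample bytes, not real malware"))
```

Run against a real flow export, the same two checks give a short host list to pull for inspection and a quick answer to Matt's question of whether a captured ecard.exe is the documented sample or a variant.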