Here is another, very recent, sample of Nigerian spam.
Sample Body:
With great pleasure I Mr. Ibram Lewis, working with a bank
here in Nigeria as aManager. I am writing you in respect of a foreign customer (an Oil consultant/contractor with our National Oil & Liquidified Gas Sector) whom made a US$25M depository for an investment program that has remained dormant for years now. Hence, I have decided to contact you due to the urgency of this transaction.
Here is the partial header of the mail:
Received: (qmail 12206 invoked by uid 89); 21 Oct 2006 17:02:12 -0000
Received: by simscan 1.2.0 ppid: 12201, pid: 12203, t: 0.3065s scanners: attach: 1.2.0 clamav: 0.88.5/m:40/d:2061
Received: from unknown (HELO mail.varsitytransport.com) (206.126.20.217) by 0 with (DHE-RSA-AES256-SHA encrypted) SMTP; 21 Oct 2006 17:02:11 -0000
Received-SPF: none (0: domain at varsitytransport.com does not designate permitted sender hosts)
Received: from localhost ([192.168.0.198]) by mail.varsitytransport.com (Merak 8.5.0-6) with SMTP id ZAC50844; Sat, 21 Oct 2006 09:59:44 -0700
Date: Sat, 21 Oct 2006 09:59:27 -0700
From: "Mr. Ibram Lewis"
Reply-To: iblewis01@yahoo.com.hk
Subject: LETTER
Message-ID: <079ba2b4e77811418a0eea3b89eeb4ed@varsitytransport.com>
X-Mailer: IceWarp Web Mail 5.6.6
X-Originating-IP: 196.3.63.252
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
The mail was received here from a mail server at IP address 206.126.20.217, which relayed it from the private IP address 192.168.0.198. Our server logs show the reporting IP as 206.126.20.217.
Important to note: the header indicates the use of a Merak ver. 8.5.0-6 mail server using the IceWarp 5.6.6 webmail interface.
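The header reading above can be scripted. This is an added example, not part of the original post: it parses an excerpt of the header shown above and lists the relay addresses origin-first, together with the webmail fields. It assumes the topmost Received line that carries a peer address was written by the receiving server, so only that address counts as verified; the names HEADER, PEER and trace are made up for the example.

```python
import email
import ipaddress
import re

# Excerpt of the header quoted in the post, one field per line.
HEADER = """\
Received: (qmail 12206 invoked by uid 89); 21 Oct 2006 17:02:12 -0000
Received: by simscan 1.2.0 ppid: 12201, pid: 12203, t: 0.3065s scanners: attach: 1.2.0 clamav: 0.88.5/m:40/d:2061
Received: from unknown (HELO mail.varsitytransport.com) (206.126.20.217) by 0 with (DHE-RSA-AES256-SHA encrypted) SMTP; 21 Oct 2006 17:02:11 -0000
Received-SPF: none (0: domain at varsitytransport.com does not designate permitted sender hosts)
Received: from localhost ([192.168.0.198]) by mail.varsitytransport.com (Merak 8.5.0-6) with SMTP id ZAC50844; Sat, 21 Oct 2006 09:59:44 -0700
Reply-To: iblewis01@yahoo.com.hk
X-Mailer: IceWarp Web Mail 5.6.6
X-Originating-IP: 196.3.63.252
"""

# A peer address appears in brackets or parentheses: [192.168.0.198] or (206.126.20.217).
PEER = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def trace(raw):
    """Return relay hops (origin first) plus the webmail-supplied fields."""
    msg = email.message_from_string(raw)
    peers = []
    # Each relay prepends its own Received field, so the top one is the most recent.
    for value in msg.get_all("Received", []):
        match = PEER.search(value)
        if match:  # local handoffs (qmail, simscan) carry no peer address
            peers.append(ipaddress.ip_address(match.group(1)))
    hops = [
        # Assumption: only the topmost peer address was recorded by our own server;
        # every field below it was supplied by the sending side.
        {"ip": str(ip), "private": ip.is_private, "verified": i == 0}
        for i, ip in enumerate(peers)
    ]
    hops.reverse()  # origin first
    return {
        "hops": hops,
        "client": msg.get("X-Originating-IP"),  # set by the webmail software, unverified
        "mailer": msg.get("X-Mailer"),
    }


if __name__ == "__main__":
    result = trace(HEADER)
    for hop in result["hops"]:
        print(hop)
    print("webmail client:", result["client"], "| mailer:", result["mailer"])
```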
Merak email server software runs on Windows 2K3/2K/XP/NT/9x and supports SMTP/POP3/IMAP4/HTTP/LDAP/Jabber Internet protocols.
There is a security advisory for the Merak mailer covering an issue that could lead to its use as a spam originator, among other things, including relinquishing full control to the attacker.
With that said, I believe this server has been compromised (Windows – go figure).
The mail server is on a network in Walla Walla, Washington. The registrants of the network are listed as being in Orlando, Florida.
SQL Code: Delete from world where emailadmins ‘Do not know how to set up email servers’
Best Regards
