Re: [Evolution] Mail Delivery (failure evolution ximian com)



On Sun, 2004-05-16 at 22:06 +0100, James Ascroft-Leigh wrote:
On Sun, 2004-05-16 at 08:47 -0500, Ron Johnson wrote:
On Sun, 2004-05-16 at 13:30 +0100, James Ascroft-Leigh wrote:
On Sat, 2004-05-15 at 20:15 -0500, Ron Johnson wrote:
On Sun, 2004-05-16 at 00:25 +0100, James Ascroft-Leigh wrote:
All,

On Fri, 2004-05-14 at 09:57 +0900, fejj ximian com wrote:
If the message will not displayed automatically,
follow the link to read the delivered message.

Received message is available at:
www.ximian.com/inbox/evolution/read.php?sessionid-8463 
 

I am using the 1.5.7 build from Debian unstable + experimental.  The
[snip]

Did you get this email privately, or via the ML?  This reminds me of
the social engineering I've seen on some recent viruses.

It appeared to come from the evolution mailing list but, of course, that
may be forged.  Another likely explanation is that some virus scanner
quarantined it.

That's what the social engineer wants you to think.  Do a "Show
Email Source" on the original mail, and I bet that the ximian.com
"link" is really a phony, that runs a virus, or sends you to a
different website.

I have looked at the source and I know the link points to a mime part
with the mime type audio/x-wav but the name indicates a Microsoft
Windows screen-saver (message.scr).

What worries me is that this message is:

      * Not displayed as having an attachment (no paper-clip icon) in
        Evolution.
      * Causes Evolution to crash.

If other people have not seen it I can obfuscate the
message to get it around the scanners and repost.

You obviously have not seen the message I am referring to so I have
attached it.

I must have been ambiguous when I said "This reminds me of the 
social engineering I've seen on some recent viruses."

The reason I've seen them is because I've received them.  That's
how I know it's good (but not good enough!) social engineering....

And it didn't crash my Evo because I was suspicious, and first 
looked at the email source.  Then deleted it...

The file is obfuscated by combining the original email
source as one stream and an infinite stream of "guessmeguessme" with a
bit-by-bit exclusive or operation.  I am not to blame if somebody
manages to infect themselves.  Microsoft Windows users beware - THE
ATTACHMENT CONTAINS A VIRUS.
-- 
Ron Johnson <ron l johnson cox net>
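
Added example, not part of the original thread: a check for the mismatch James describes above, a MIME part declared as audio/x-wav but named message.scr. The sample message, the extension list and the function name are constructed for illustration.

```python
import email
from email import policy
from pathlib import PurePosixPath

# Extensions Windows will execute when opened (illustrative subset, an assumption).
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
# Media types a client may treat as inline content (assumption for this example).
INLINE_MAINTYPES = {"audio", "image", "video", "text"}

# Constructed sample, modelled only on the description in the thread.
SAMPLE = b"""\
From: sender@example.invalid
To: list@example.invalid
Subject: Mail Delivery (failure)
MIME-Version: 1.0
Content-Type: multipart/related; boundary="XX"

--XX
Content-Type: text/html; charset="us-ascii"

<html><body>Received message is available at: <a href="cid:part1">link</a></body></html>
--XX
Content-Type: audio/x-wav; name="message.scr"
Content-Transfer-Encoding: base64
Content-ID: <part1>

TVpQTEFDRUhPTERFUg==
--XX--
"""

def find_type_name_mismatches(raw: bytes):
    """Return (declared_type, filename) for parts whose name is executable
    but whose declared Content-Type claims to be harmless media."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() checks Content-Disposition filename, then Content-Type name.
        name = part.get_filename()
        if not name:
            continue
        ext = PurePosixPath(name.lower()).suffix
        if ext in EXECUTABLE_EXTS and part.get_content_maintype() in INLINE_MAINTYPES:
            hits.append((part.get_content_type(), name))
    return hits

if __name__ == "__main__":
    for ctype, name in find_type_name_mismatches(SAMPLE):
        print(f"suspicious part: declared {ctype}, named {name}")
```

A mail filter can quarantine on any hit, since the declared type is controlled by the sender and says nothing about what the file does when opened by name.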



