It’s usually pretty easy to spot spam but sometimes it’s not. Case in point was today when I got an email from sarah.russell@gmail.com that sounds like she could be a long lost friend. The red flag was that it included a link to a zip file. NEVER NEVER click on a zip file unless you’re specifically expecting it!! You risk getting hacked or getting a virus or other bad things. Here’s the full content of the email:
Update: Thanks to Jerry for investigating & finding that the target included a hidden exe file. Also, Stephen reports that the real domain owner replied to his email and said his site had been hacked recently. Hopefully, we won’t see any more of this spam.
Subject: hiiiiiiiiiiiiii
Sarah Russell [sarah.russell@gmail.com]
Sent: Friday, October 08, 2010 3:49 PM
To: Ross Jones
Hiiiiiiiiiiiiiiiii there, it’s Sarah here, it was such a long time we didn’t contact each other, how is it going with you there ? I heard that you got a new job, didn’t you? Is everything ok there ? Hey, can you believe it! I got married to Timothy ! Yes I did. I tried to call but you did not answer. You have changed your number, haven’t you? Just give me your current telephone number if you read this mail. It’s really a pity that we did not see you in our wedding. I wanted to invite you so much. Well, here I’m sending you a few pics taken in our wedding :
http://www.timothyhansen.com/pictures/wedding/weddingpix.zip
Let’s keep in touch then.
Love,
Sarah & Timothy
Sorry Sarah. I don’t remember Sarah Russell & I don’t know Timothy Hansen.
I didn’t click on the link for the zip file & I don’t think you should either. That website may have been hacked to have some virus attack your computer when you click the link. Spammers are getting more & more sophisticated these days. Be careful about what you click on & what you believe.
Below are the full details of the email I got:
Received: from barracuda.ctcnetworks.com (67.216.165.137) by
 edison.stylenet.com (192.168.1.3) with Microsoft SMTP Server id 8.1.436.0;
 Fri, 8 Oct 2010 15:50:38 -0500
X-ASG-Debug-ID: 1286571057-651498160001-ZlUuMX
Received: from mta162.anp.se (mta162.anp.se [88.131.62.162]) by
 barracuda.ctcnetworks.com with ESMTP id I5a6oVf3iBhhQzTU for
 <xxx@xx.com>; Fri, 08 Oct 2010 15:50:57 -0500 (CDT)
X-Barracuda-Envelope-From: 3e8.c.14430916.J5050-676353@mta162.anp.se
List-Unsubscribe: <http://www.anpdm.com/oa/676353/4345594775404A514B78434159>
X-Destination-ID: sarah.russell@gmail.com
X-MailingID: 14430916::0::0::676353::0::0
From: Sarah Russell <sarah.russell@gmail.com>
To: ross@xxx.com
Message-ID: <ACD7D1D46CA64A86B47E4DF414FB2250@gmail.com>
Date: Fri, 8 Oct 2010 22:49:59 +0200
X-ASG-Orig-Subj: hiiiiiiiiiiiiii
Subject: hiiiiiiiiiiiiii
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----8276E71F14CD4411B7215E60FC0883E2"
X-Barracuda-Connect: mta162.anp.se[88.131.62.162]
X-Barracuda-Start-Time: 1286571057
X-Barracuda-URL: http://barracuda.ctcnetworks.com:8000/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at ctcnetworks.com
X-Barracuda-Bayes: INNOCENT GLOBAL 0.0228 1.0000 -1.8727
X-Barracuda-Spam-Score: -1.87
X-Barracuda-Spam-Status: No, SCORE=-1.87 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=3.0 KILL_LEVEL=4.5 tests=HTML_MESSAGE
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.43117
 Rule breakdown below
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.00 HTML_MESSAGE           BODY: HTML included in message
Return-Path: 3e8.c.14430916.J5050-676353@mta162.anp.se
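The headers above show why this message was not what it claimed to be: the From line says gmail.com, but the envelope sender is at mta162.anp.se and the message carries bulk-mailing headers. The following is an added example, not part of the original post, that checks for those signs plus the zip link; the function names, finding labels and extension list are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subset of the headers shown above plus the link line from the body.
SAMPLE = """\
List-Unsubscribe: <http://www.anpdm.com/oa/676353/4345594775404A514B78434159>
X-MailingID: 14430916::0::0::676353::0::0
From: Sarah Russell <sarah.russell@gmail.com>
To: ross@xxx.com
Subject: hiiiiiiiiiiiiii
Return-Path: 3e8.c.14430916.J5050-676353@mta162.anp.se

Well, here I'm sending you a few pics taken in our wedding :
http://www.timothyhansen.com/pictures/wedding/weddingpix.zip
"""

RISKY_EXT = (".zip", ".exe")  # assumed list: the two file types this post mentions

def domain(addr):
    # Domain part of an address header value, lowercased ("" if absent).
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def same_org(a, b):
    # Crude match: equal domains, or one is a subdomain of the other.
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def triage(raw):
    msg = message_from_string(raw)
    findings = []
    from_dom = domain(msg["From"])
    # Envelope sender as recorded by the receiving gateway.
    env_dom = domain(msg["Return-Path"] or msg["X-Barracuda-Envelope-From"])
    if env_dom and not same_org(from_dom, env_dom):
        findings.append("envelope-mismatch")
    # A personal note from a friend should not carry mailing-list plumbing.
    if msg["List-Unsubscribe"] or msg["X-MailingID"]:
        findings.append("bulk-mailer-headers")
    # Links in the body that point straight at an archive or executable.
    urls = re.findall(r"https?://\S+", msg.get_payload())
    if any(u.lower().rstrip(".,)>").endswith(RISKY_EXT) for u in urls):
        findings.append("archive-or-exe-link")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Legitimate newsletters also trip the first two checks, so it is the combination with a personal-sounding message and a link to an archive that makes this one suspicious.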
I know this is off topic but I’m looking into starting my own weblog and was curious what all is needed to get set up? I’m assuming having a blog like yours would cost a pretty penny? I’m not very web savvy so I’m not 100% certain. Any suggestions or advice would be greatly appreciated. Kudos
This design is stellar! You certainly know how to keep a reader amused. Between your wit and your videos, I was almost moved to start my own blog (well, almost…HaHa!) Great job. I really loved what you had to say, and more than that, how you presented it. Too cool!