TZUTC: -0800
MSGID: 268.fido-internet@1:153/757.2 24a3b293
REPLY: 266.fido-internet@1:153/757.2 24a3a365
PID: Synchronet 3.18c-Linux master/82b995587 Feb 28 2021 GCC 10.2.0
TID: SBBSecho 3.13-Linux master/82b995587 Feb 28 2021 GCC 10.2.0
BBSID: TRMB
CHRS: ASCII 1
> A new one. I've never seen a .PLS used as bait.
> https://photos.kolico.ca/tmp/dhl.jpg
> https://photos.kolico.ca/tmp/dhl-1.jpg
Another interesting thing about that one. Although the .pls file registers as
59B in the mail header, the actual file is 0B.
Looking at the raw message:
X-EN-OrigIP: 192.163.245.86
Received: from crystalnet by host.anmoul.net.in with local (Exim 4.93)
(envelope-from )
id 1lH1yz-00038T-AP
for books@ashlies.ca; Tue, 02 Mar 2021 10:10:25 +0000
To: books@ashlies.ca
Subject: =?UTF-8?B?UmVtaW5kZXIsIERITCBpbmZvcm1zIHlvdSB0aGF0IHlvdXIgc2hpcG1lbnQg
TsKwIDk0MzAyNDU5Njg1IGlzIHN0aWxsIHBlbmRpbmcgIQ==?=
X-PHP-Script: crystal.net.in/mat/metoo.php for 20.52.179.36
^^^^^^^^^
From: =?UTF-8?B?REhMIEVYUFJFU1M=?=
Message-Id:
Looks like this is sneaky attempt to launch a remote .php file.
I also did not realize that the header contents could be obfuscated with UTF-8
prefixes:
Subject: =?UTF-8?B?UmVtaW5kZXIsIERITCBpbmZ...
Buggers.
--- SBBSecho 3.13-Linux
* Origin: The Rusty MailBox - Penticton, BC Canada (1:153/757.2)
SEEN-BY: 1/123 90/1 103/705 105/81 106/127 120/340 123/131 124/5016
SEEN-BY: 129/305 153/105 135 757 802 6809 154/10 203/0 221/1 6 360
SEEN-BY: 226/30 227/114 702 229/101 424 426 452 550 664 1016 1017
SEEN-BY: 240/5138 5411 5824 5832 5853 249/206 317 400 280/464 5003
SEEN-BY: 282/1038 288/100 292/854 8125 310/31 317/3 320/219 322/757
SEEN-BY: 335/364 342/200 396/45 423/81 120 712/848 770/1 2432/390
SEEN-BY: 2452/250 2454/119 3634/12 4500/1
PATH: 153/757 221/6 1 280/464 240/5832 229/426
|
