Weird emails with only numbers spoofed to self

am 06.06.2006 16:08:23 von egorism

Has anyone else been getting emails that only contain numbers (just 3
or 4) in the subject and body??
the weird thing is the from address is the same as the destination
address ie spoofed.
Several users at work got these messages today, and while i am sure the
users dont have a virus, its hard to convince them of that when i cant
explain the source or reason for the email.
My brother also got one today on his @froggy.com.au address.
maybe something to do with 6/6/06 but what??? mysterious

below is the message source (i have removed most of the email address
to prevent spam & inserted --)
he has AVg free antivirus which has made entries into the source

Return-Path:
Delivered-To: st--or@froggy.com.au
Received: (qmail 31103 invoked from network); 6 Jun 2006 04:14:14 -0000
Received: from unknown (HELO mail-ihug.icp-qv1-irony4.iinet.net.au)
([203.59.1.198])
(envelope-sender )
by mail.iinet.net.au (qmail-ldap-1.03) with SMTP
for ; 6 Jun 2006 04:14:14 -0000
Received: from unlabelled-131-9-58-81.versatel.net (HELO PC022.com)
([81.58.9.131])
by mail-ihug.icp-qv1-irony4.iinet.net.au with SMTP; 06 Jun 2006
12:14:02 +0800
X-BrightmailFiltered: true
X-Brightmail-Tracker: AAAAAA==
X-IronPort-AV: i="4.05,213,1146412800";
d="scan'208,217"; a="764150894:sNHT9552910714"
Date: Tue, 06 Jun 2006 06:15:57 +0100
To: "St--or"
From: "St--or"
Subject: 557
Message-ID:
X-Antivirus: AVG for E-mail 7.1.394 [268.8.2/356]
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary="=======AVGMAIL-44850468449C======="

--=======AVGMAIL-44850468449C=======
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

969

--=======AVGMAIL-44850468449C=======
Content-Type: text/plain; x-avg=cert; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Content-Description: "AVG certification"

No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.8.2/356 - Release Date:
5/06/2006

--=======AVGMAIL-44850468449C=======--

Re: Weird emails with only numbers spoofed to self

am 06.06.2006 18:44:16 von lastcall417

egorism@hotmail.com wrote:
> Has anyone else been getting emails that only contain numbers (just 3
> or 4) in the subject and body??
> the weird thing is the from address is the same as the destination
> address ie spoofed.
> Several users at work got these messages today, and while i am sure the
> users dont have a virus, its hard to convince them of that when i cant
> explain the source or reason for the email.
> My brother also got one today on his @froggy.com.au address.
> maybe something to do with 6/6/06 but what??? mysterious
>
>
>
> below is the message source (i have removed most of the email address
> to prevent spam & inserted --)
> he has AVg free antivirus which has made entries into the source
>
>
> Return-Path:
> Delivered-To: st--or@froggy.com.au
> Received: (qmail 31103 invoked from network); 6 Jun 2006 04:14:14 -0000
> Received: from unknown (HELO mail-ihug.icp-qv1-irony4.iinet.net.au)
> ([203.59.1.198])
> (envelope-sender )
> by mail.iinet.net.au (qmail-ldap-1.03) with SMTP
> for ; 6 Jun 2006 04:14:14 -0000
> Received: from unlabelled-131-9-58-81.versatel.net (HELO PC022.com)
> ([81.58.9.131])
> by mail-ihug.icp-qv1-irony4.iinet.net.au with SMTP; 06 Jun 2006
> 12:14:02 +0800
> X-BrightmailFiltered: true
> X-Brightmail-Tracker: AAAAAA==
> X-IronPort-AV: i="4.05,213,1146412800";
> d="scan'208,217"; a="764150894:sNHT9552910714"
> Date: Tue, 06 Jun 2006 06:15:57 +0100
> To: "St--or"
> From: "St--or"
> Subject: 557
> Message-ID:
> X-Antivirus: AVG for E-mail 7.1.394 [268.8.2/356]
> Mime-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="=======AVGMAIL-44850468449C======="
>
> --=======AVGMAIL-44850468449C=======
> Content-Type: text/html; charset=us-ascii
> Content-Transfer-Encoding: 7bit
>
>
> 969
>
>

>
>
> --=======AVGMAIL-44850468449C=======
> Content-Type: text/plain; x-avg=cert; charset=us-ascii
> Content-Transfer-Encoding: quoted-printable
> Content-Disposition: inline
> Content-Description: "AVG certification"
>
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.394 / Virus Database: 268.8.2/356 - Release Date:
> 5/06/2006
>
> --=======AVGMAIL-44850468449C=======--

Re: Weird emails with only numbers spoofed to self

am 06.06.2006 18:45:41 von lastcall417

Re: Weird emails with only numbers spoofed to self

am 06.06.2006 18:54:11 von lastcall417

lastcall...@hotmail.com wrote:
> egorism@hotmail.com wrote:
> > Has anyone else been getting emails that only contain numbers (just 3
> > or 4) in the subject and body??
> > the weird thing is the from address is the same as the destination
> > address ie spoofed.
> > Several users at work got these messages today, and while i am sure the
> > users dont have a virus, its hard to convince them of that when i cant
> > explain the source or reason for the email.
> > My brother also got one today on his @froggy.com.au address.
> > maybe something to do with 6/6/06 but what??? mysterious
> >
> >
> >
> > below is the message source (i have removed most of the email address
> > to prevent spam & inserted --)
> > he has AVg free antivirus which has made entries into the source
> >
> >
> > Return-Path:
> > Delivered-To: st--or@froggy.com.au
> > Received: (qmail 31103 invoked from network); 6 Jun 2006 04:14:14 -0000
> > Received: from unknown (HELO mail-ihug.icp-qv1-irony4.iinet.net.au)
> > ([203.59.1.198])
> > (envelope-sender )
> > by mail.iinet.net.au (qmail-ldap-1.03) with SMTP
> > for ; 6 Jun 2006 04:14:14 -0000
> > Received: from unlabelled-131-9-58-81.versatel.net (HELO PC022.com)
> > ([81.58.9.131])
> > by mail-ihug.icp-qv1-irony4.iinet.net.au with SMTP; 06 Jun 2006
> > 12:14:02 +0800
> > X-BrightmailFiltered: true
> > X-Brightmail-Tracker: AAAAAA==
> > X-IronPort-AV: i="4.05,213,1146412800";
> > d="scan'208,217"; a="764150894:sNHT9552910714"
> > Date: Tue, 06 Jun 2006 06:15:57 +0100
> > To: "St--or"
> > From: "St--or"
> > Subject: 557
> > Message-ID:
> > X-Antivirus: AVG for E-mail 7.1.394 [268.8.2/356]
> > Mime-Version: 1.0
> > Content-Type: multipart/mixed;
> > boundary="=======AVGMAIL-44850468449C======="
> >
> > --=======AVGMAIL-44850468449C=======
> > Content-Type: text/html; charset=us-ascii
> > Content-Transfer-Encoding: 7bit
> >
> >
> > 969
> >
> >

> >
> >
> > --=======AVGMAIL-44850468449C=======
> > Content-Type: text/plain; x-avg=cert; charset=us-ascii
> > Content-Transfer-Encoding: quoted-printable
> > Content-Disposition: inline
> > Content-Description: "AVG certification"
> >
> > No virus found in this incoming message.
> > Checked by AVG Free Edition.
> > Version: 7.1.394 / Virus Database: 268.8.2/356 - Release Date:
> > 5/06/2006
> >
> > --=======AVGMAIL-44850468449C=======--
> I have been seeing the same thing this morning, only from 2 users in my
> organization, but hopefully someone will have an answer.
Thyat is strange also the, the body of the email containds the same 3
numbers 969.

Re: Weird emails with only numbers spoofed to self

am 06.06.2006 21:08:35 von Alec McKenzie

Re: Weird emails with only numbers spoofed to self

am 06.06.2006 21:52:15 von see-my-signature

egorism@hotmail.com wrote:
> Has anyone else been getting emails that only contain numbers (just 3
> or 4) in the subject and body??
> the weird thing is the from address is the same as the destination
> address ie spoofed.

One today - my first ever.

Subject: 57657
Body:5556
To: my-real-address@mydomain.com
To: my-real-address@mydomain.com

Not that this will convince your friends much I guess, but I am running
a Sun workstation, with an UltraSPARC processor, which is immune to any
known virus.

--
Dave K MCSE.

MCSE = Minefield Consultant and Solitaire Expert.

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually.

http://witm.sourceforge.net/ (Web based Mathematica frontend)

Re: Weird emails with only numbers spoofed to self

am 07.06.2006 00:17:04 von ion

me, too. One at my gmail address, one at an alumni forwarding address.
Each from the address it was to.

X-Gmail-Received: 60898ae2bb8ffb3df37c056b837d6adf3d19e4cc
Delivered-To: ...
Received: by 10.37.18.79 with SMTP id v79cs52278nzi;
Tue, 6 Jun 2006 15:00:43 -0700 (PDT)
Received: by 10.54.132.11 with SMTP id f11mr16363wrd;
Tue, 06 Jun 2006 15:00:43 -0700 (PDT)
Return-Path: <...>
Received: from YINHSIAO.net (218-167-139-221.dynamic.hinet.net
[218.167.139.221])
by mx.gmail.com with SMTP id 44si984657wri.2006.06.06.15.00.42;
Tue, 06 Jun 2006 15:00:43 -0700 (PDT)
Received-SPF: neutral (gmail.com: 218.167.139.221 is neither permitted
nor denied by domain of ...)
Date: Wed, 07 Jun 2006 05:59:58 +0800
To: ...
From: ...
Subject: 57657
Message-ID:
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

5556

and

X-Apparently-To: ... via 68.142.207.70; Tue, 06 Jun 2006 14:54:17
-0700
X-Originating-IP: [18.7.25.81]
Return-Path: <...>
Authentication-Results: mta226.mail.re2.yahoo.com from=sloan.mit.edu;
domainkeys=neutral (no sig)
Received: from 18.7.25.81 (EHLO sloan-mail.mit.edu) (18.7.25.81) by
mta226.mail.re2.yahoo.com with SMTP; Tue, 06 Jun 2006 14:54:16 -0700
Received: from carlos-vsdwzb97.com
(89.Red-83-39-147.dynamicIP.rima-tde.net [83.39.147.89]) by
sloan-mail.mit.edu (Switch-3.1.8/Switch-3.1.0) with SMTP id
k56LrlL6000787 for <...>; Tue, 6 Jun 2006 17:53:48 -0400 (EDT)
Date: Tue, 06 Jun 2006 23:53:21 +0100
To: ...
From: ... Add to Address BookAdd to Address Book Add Mobile Alert
Subject: 57657
Message-ID:
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Sloan-MailScanner: Found to be clean
Content-Length: 41
5556

Dave (from the UK) wrote:
> egorism@hotmail.com wrote:
> > Has anyone else been getting emails that only contain numbers (just 3
> > or 4) in the subject and body??
> > the weird thing is the from address is the same as the destination
> > address ie spoofed.
>
>
> One today - my first ever.
>
> Subject: 57657
> Body:5556
> To: my-real-address@mydomain.com
> To: my-real-address@mydomain.com
>
>
> Not that this will convince your friends much I guess, but I am running
> a Sun workstation, with an UltraSPARC processor, which is immune to any
> known virus.
>
> --
> Dave K MCSE.
>
> MCSE = Minefield Consultant and Solitaire Expert.
>
> Please note my email address changes periodically to avoid spam.
> It is always of the form: month-year@domain. Hitting reply will work
> for a couple of months only. Later set it manually.
>
> http://witm.sourceforge.net/ (Web based Mathematica frontend)

Re: Weird emails with only numbers spoofed to self

am 07.06.2006 09:20:32 von egorism

another user received one today.
anyone else??

Re: Weird emails with only numbers spoofed to self

am 07.06.2006 10:56:01 von lassi.hippelainen

egorism@hotmail.com wrote:
> another user received one today.
> anyone else??

"Number spam" appears also in the blogosphere.
http://www.boingboing.net/2006/05/30/reader_feedback_on_b.ht ml

-- Lassi

Re: Weird emails with only numbers spoofed to self

am 07.06.2006 12:06:54 von Ludovic Joly

How strange...

Maybe that is 1337 speak?
5 = s
6 = G
7 = t
9 = g

Of course, it is necessary to keep in mind that 666 is - as everyone
knows - the number of the beast.

Also, 668 is the neighbour of the beast...

Re: Weird emails with only numbers spoofed to self

am 07.06.2006 14:28:16 von egorism

I am more intrigued than worried, while doing some reading I discovered
that blogs were getting similar but slightly different posts.

EG
I got this post from Betsy Markum on one of my web pages recently:

I can't believe it, my co-worker just bought a car for $70815.
Isn't that crazy

one person commented on
http://peterkaminski.com/2005/11/fivedigit_blog_spam.html

"I speculate that there is some kind of exploit in some kinds of blog
comment software that's vulnerable to some sort of hidden data in the
POST sent them. To mitigate suspicion from failed exploits (ie
successful comments) the worm generates reasonable text."

And it got me thinking, maybe a worm has been trying exploits on mail
servers and is posting reasonable text/mail as a means of disguising
its efforts, unsure of where it has got the email addresses from
though, although it could have got them from an infected computer
already.

What do you guys think of that theory???
G-man

Re: Weird emails with only numbers spoofed to self

am 07.06.2006 21:46:15 von ibuprofin

On 7 Jun 2006, in the Usenet newsgroup comp.security.misc, in article
<1149674814.234767.250320@f6g2000cwb.googlegroups.com>, Ludovic Joly wrote:

>Of course, it is necessary to keep in mind that 666 is - as everyone
>knows - the number of the beast.
>
>Also, 668 is the neighbour of the beast...

But did you know that:
$665.95 - Retail price of the Beast
$699.25 - Price of the Beast plus 5% sales tax
$769.95 - Price of the Beast with all accessories and
replacement soul
$656.66 - Walmart price of the Beast
6, uh... what
was that number
again? - Number of the Blonde Beast
00666 - Zip code of the Beast
1-900-666-0666 - Live Beasts! One-on-one pacts! Call Now!
Only $6.66/minute. Over 18 only please.
Route 666 - Highway of the Beast
666 F - Oven temperature for roast Beast
666k - Retirement plan of the Beast
6.66 % - 5 year CD interest rate at First Beast National
Bank, $666 minimum deposit.
i66686 - CPU of the Beast
666i - BMW of the Beast
626 - Mazda of the Beast
DSM-666 - Diagnostic and Statistical Manual of the Beast
658 - Belongs to the same Neighborhood Association as the Beast

Old guy

Re: Weird emails with only numbers spoofed to self

am 08.06.2006 05:07:49 von egorism

It may be very likely that 6/6/2006 was the timebomb date for this worm
to start exploit testing.
The worm writer believing 666 to have significance.
Comments please.
Greg

Re: Weird emails with only numbers spoofed to self

am 08.06.2006 20:28:52 von lastcall417

egorism@hotmail.com wrote:
> It may be very likely that 6/6/2006 was the timebomb date for this worm
> to start exploit testing.
> The worm writer believing 666 to have significance.
> Comments please.
> Greg

http://www.techweb.com/showArticle.jhtml?articleID=188702929

Re: Weird emails with only numbers spoofed to self

am 08.06.2006 20:31:32 von lastcall417

lastcall...@hotmail.com wrote:
> egorism@hotmail.com wrote:
> > It may be very likely that 6/6/2006 was the timebomb date for this worm
> > to start exploit testing.
> > The worm writer believing 666 to have significance.
> > Comments please.
> > Greg
>
>
>
> http://www.techweb.com/showArticle.jhtml?articleID=188702929

Re: Weird emails with only numbers spoofed to self

am 08.06.2006 20:32:34 von lastcall417

Re: Weird emails with only numbers spoofed to self

am 09.06.2006 15:35:50 von egorism

> Read This:
> http://www.techweb.com/showArticle.jhtml?articleID=188702929

Cheers to last call4 alcohol... ill have a double beam and cola. TGIF

i was able to email our staff with a fairly convincing reason for this
spam and i took the opportunity to warn them about the possible future
spam/malware/phishing attempts.

I also advised them to be careful and do not follow links from emails
to their online accounts... for anti phishing reasons..

Good for me to appear to be looking out for them.

big thumbs up bro.

Greg

Re: Weird emails with only numbers spoofed to self

am 09.06.2006 16:14:44 von lastcall417

egorism@hotmail.com wrote:
> > Read This:
> > http://www.techweb.com/showArticle.jhtml?articleID=188702929
>
> Cheers to last call4 alcohol... ill have a double beam and cola. TGIF
>
> i was able to email our staff with a fairly convincing reason for this
> spam and i took the opportunity to warn them about the possible future
> spam/malware/phishing attempts.
>
> I also advised them to be careful and do not follow links from emails
> to their online accounts... for anti phishing reasons..
>
> Good for me to appear to be looking out for them.
>
> big thumbs up bro.
>
> Greg

Good I hope it helped everyone. Have an awesome Friday