Dangerous malware found in a spam file

This is a malware attack that is triggered when you open the attached zip file and run what is inside it. Never open an attachment unless you are sure of the source.

A note on the sender address: government agencies are normally ".gov", but the Postal Service uses usps.com, so "info@usps.com" is a plausible sender address. Plausible is not the same as genuine. The From address is filled in by whoever sends the mail and can be set to anything, so on its own it proves nothing; the headers further down show how to tell where a message really came from.

If you go to http://www.usps.com/ you will be warned (at the time of writing) that there is a malware email in circulation; see the red banner at the top of the page. Click the "more" at the end of the warning and you are sent to https://postalinspectors.uspis.gov/radDocs/consumer/SpamAlert.pdf, which yields the following message:

    BEWARE OF SPAM! BOGUS DELIVERY MESSAGES E-MAILED TO POSTAL CUSTOMERS

    Some postal customers are receiving bogus e-mails about a package delivery. The e-mails contain a link that, when opened, installs a malicious virus that can steal personal information from your PC.

    The e-mails claim to be from the U.S. Postal Service and contain fraudulent information about an attempted or intercepted package delivery. You are instructed to click on a link to find out when you can expect your delivery.

    But Postal Inspectors warn: Do not click on the link! Like most viruses sent by e-mail, clicking on the link will activate a virus that can steal information, such as your user name, password, and financial account information.

    What to do? Simply delete the message without taking any further action.

    The Postal Inspection

Since I did not send any email and the post office does not have my email address, I can be fairly sure it is dangerous. It was also flagged in my email account as SPAM.
Original email (as displayed in the Yahoo web client):

USPS Delivery Failure Notification
Sunday, November 20, 2011 7:30 AM
"United States Postal Service" <info@usps.com>
To: donnabaltz@yahoo.com, dr_krolak@yahoo.com, dollybelle1961@yahoo.com, dorasuarez123@yahoo.com, drnaveensharma_sharma@yahoo.com, dody_dody30@yahoo.com, douglas_annakay@yahoo.com, dolphyn_72@yahoo.com, dooley.eric@yahoo.com, drdilekbasaran@yahoo.com, dunbrooke2000@yahoo.com, dreamsareal2000@yahoo.com, doodlebutt129@yahoo.com, dtbays@yahoo.com, eightersplay7@yahoo.com, dot52b@yahoo.com, dork1993@yahoo.com, dominic.woodfork@yahoo.com, dorijean3@yahoo.com, droopmillenium@yahoo.com, dominque.dixon@yahoo.com ...
Message contains attachments: 1 File (27KB)

(The image was linked to a zip file. It has been deleted here because it holds the malware that will be triggered if you open it.)

    Hello!
    Unfortunately we failed to deliver the postal package you have sent on the 12th of November in time because the recipient's address is erroneous.
    Please print out the shipment label attached and collect the package at our office.
    United States Postal Service

Two things stand out before looking at a single header. The To: line holds twenty-one unrelated Yahoo addresses that almost all begin with "d": the message went to a harvested, alphabetically sorted mailing list, not to a customer. And the story is generic: a package "you have sent" with no tracking number, and a "shipment label" that arrives as a zip file rather than as a PDF or a link to the USPS site.

Email with expanded headers, i.e. where it was sent from:

USPS Delivery Failure Notification
Sunday, November 20, 2011 7:30 AM
From: United States Postal Service   Sun Nov 20 04:30:10 2011
X-Apparently-To: dr_krolak@yahoo.com via 98.139.214.223; Sun, 20 Nov 2011 05:36:36 -0800
Return-Path: info@usps.com

The Return-Path shows usps.com and looks legitimate, but, like the From address, it is written by the sender and proves nothing. In any case the address is not the problem: the attachment holds the malware. The remaining headers show where the message actually came from.
X-YahooFilteredBulk: 77.82.106.156
Received-SPF: softfail (transitioning domain of usps.com does not designate 77.82.106.156 as permitted sender)
X-YMailISG: [long opaque Yahoo token omitted]
X-Originating-IP: [77.82.106.156]
Authentication-Results: mta166.mail.ac4.yahoo.com from=usps.com; domainkeys=neutral (no sig); from=usps.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (HELO usps.com) (77.82.106.156) by mta166.mail.ac4.yahoo.com with SMTP; Sun, 20 Nov 2011 05:36:35 -0800
Received: from group21.345mail.com ([182.131.237.24]) by public.micromail.com.au with SMTP; Sun, 20 Nov 2011 10:19:58 -0300
Received: from asx121.turbo-inline.com ([Sun, 20 Nov 2011 10:06:10 -0300]) by qnx.mdrost.com with ESMTP; Sun, 20 Nov 2011 10:06:10 -0300
Received: from smtp.endend.nl [164.56.248.197] by group21.345mail.com with NNFMP; Sun, 20 Nov 2011 09:56:03 -0300
Message-ID: <AE172D79.82078E7F@usps.com>
Date: Sun, 20 Nov 2011 09:30:10 -0300
From: "United States Postal Service" <info@usps.com>
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit/85.7 (KHTML, like Gecko) Safari/85.5
MIME-Version: 1.0
To: <donnabaltz@yahoo.com>, <dr_krolak@yahoo.com>, <dollybelle1961@yahoo.com>, <dorasuarez123@yahoo.com>, <drnaveensharma_sharma@yahoo.com>, <dody_dody30@yahoo.com>, <douglas_annakay@yahoo.com>, <dolphyn_72@yahoo.com>, <dooley.eric@yahoo.com>, <drdilekbasaran@yahoo.com>, <dunbrooke2000@yahoo.com>, <dreamsareal2000@yahoo.com>, <doodlebutt129@yahoo.com>, <dtbays@yahoo.com>, <eightersplay7@yahoo.com>, <dot52b@yahoo.com>, <dork1993@yahoo.com>, <dominic.woodfork@yahoo.com>, <dorijean3@yahoo.com>, <droopmillenium@yahoo.com>, <dominque.dixon@yahoo.com>
Subject: USPS Delivery Failure Notification
Content-Type: multipart/mixed; boundary="------------115531321675532401284600"
Content-Length: 37386

Message contains attachments: 1 File (27KB)
(Image link deleted, as it holds the malware that will be triggered if you open it. The message body is the same "Hello! Unfortunately we failed to deliver the postal package ..." text shown above.)

How to read this. Received: headers are stacked newest-first: every mail server that handles a message adds its own line above the ones already there. Only the topmost line, the one written by Yahoo's own server (mta166.mail.ac4.yahoo.com), can be trusted, because Yahoo wrote it after looking at the connection itself. Every line below it arrived inside the message and was written by whoever sent it. That trusted line says the connection came from 77.82.106.156, a machine that announced itself (the HELO) as "usps.com". The three lines beneath it, naming 345mail.com, micromail.com.au, mdrost.com and endend.nl, are fabricated padding meant to make the path look longer and more respectable; one of them even has a timestamp where an IP address should be.

Note the Received-SPF line: softfail (transitioning domain of usps.com does not designate 77.82.106.156 as permitted sender). The Postal Service publishes in DNS (its SPF record) the list of servers allowed to send mail for usps.com. Yahoo checked that list, and 77.82.106.156 is not on it. In other words, the email server was not a server owned by the USPS but someone else's. "softfail" rather than "fail" means usps.com's record ends in a soft "probably not ours" rule, which is why Yahoo scored the message as spam instead of rejecting it outright. The Authentication-Results line adds that there is no DKIM or DomainKeys signature at all, so nothing cryptographically ties the message to usps.com either. And the User-Agent claims a PowerPC Mac running a 2003-era Safari build, which is a spam-kit template, not anything a postal mail system would send.
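The reasoning above can be mechanised, and doing so makes the trust boundary explicit. The Python below is an added example, not code from the original write-up and not Yahoo's or the Postal Service's tooling. It feeds the header dump above (retyped, with the two mangled header names repaired and the opaque X-YMailISG token left out) through the same steps: trust only the Received: line written by your own mail server, take the connecting IP from that line, and compare what the sender claims (From, Return-Path, HELO) with what SPF and DKIM actually verified. The `trusted_mx_suffix` parameter is an assumption of the example: it names the domain of your own inbound servers, "yahoo.com" here.

```python
"""Header triage for a suspected spoofed message (added example, not the page's code).

HEADERS is the write-up's own header dump, retyped and lightly normalised:
two header names that were mangled in the capture are repaired and the long,
meaningless X-YMailISG token is omitted. It is sample input, not a new capture.
"""
import email
import email.utils
import re

HEADERS = """\
X-YahooFilteredBulk: 77.82.106.156
Received-SPF: softfail (transitioning domain of usps.com does not designate 77.82.106.156 as permitted sender)
X-Originating-IP: [77.82.106.156]
Authentication-Results: mta166.mail.ac4.yahoo.com from=usps.com; domainkeys=neutral (no sig); from=usps.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (HELO usps.com) (77.82.106.156) by mta166.mail.ac4.yahoo.com with SMTP; Sun, 20 Nov 2011 05:36:35 -0800
Received: from group21.345mail.com ([182.131.237.24]) by public.micromail.com.au with SMTP; Sun, 20 Nov 2011 10:19:58 -0300
Received: from asx121.turbo-inline.com ([Sun, 20 Nov 2011 10:06:10 -0300]) by qnx.mdrost.com with ESMTP; Sun, 20 Nov 2011 10:06:10 -0300
Received: from smtp.endend.nl [164.56.248.197] by group21.345mail.com with NNFMP; Sun, 20 Nov 2011 09:56:03 -0300
Return-Path: <info@usps.com>
From: "United States Postal Service" <info@usps.com>
Subject: USPS Delivery Failure Notification
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_received(value):
    """Split one Received: header into the host the sender claimed ('from'), the
    HELO name if recorded, the connecting IP (the last IPv4 literal before 'by',
    which is where MTAs put the address they actually saw) and the server that
    wrote the line ('by'). A hop with no IP at all is malformed."""
    value = " ".join(value.split())  # unfold and collapse whitespace
    m = re.match(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", value)
    if not m:
        return {"from": None, "helo": None, "ip": None, "by": None}
    claimed, middle, by = m.groups()
    helo = re.search(r"\(HELO\s+([^)\s]+)\)", middle, re.I)
    ips = IPV4.findall(claimed + middle)
    return {"from": claimed, "helo": helo.group(1) if helo else claimed,
            "ip": ips[-1] if ips else None, "by": by.rstrip(";")}


def triage(raw_headers, trusted_mx_suffix):
    """trusted_mx_suffix (assumed parameter) is the domain of *your* inbound mail
    servers. The first Received: line written by one of them is the boundary:
    it is trusted, everything below it came in with the message and may be forged."""
    msg = email.message_from_string(raw_headers)
    hops = [parse_received(h) for h in msg.get_all("Received", [])]
    idx = next((i for i, h in enumerate(hops)
                if h["by"] and h["by"].endswith(trusted_mx_suffix)), None)
    reasons = []
    if idx is None:
        reasons.append("no Received: line written by a trusted server; path unverifiable")
        origin, below = None, hops
    else:
        origin, below = hops[idx], hops[idx + 1:]

    domain = lambda hdr: email.utils.parseaddr(msg.get(hdr, ""))[1].rpartition("@")[2].lower()
    from_domain, return_path = domain("From"), domain("Return-Path")
    spf = (msg.get("Received-SPF", "none").split() or ["none"])[0].lower()
    dkim_signed = "dkim=pass" in msg.get("Authentication-Results", "")
    origin_ip = origin["ip"] if origin else None
    helo = origin["helo"] if origin else None

    if spf in ("fail", "softfail"):
        reasons.append(f"SPF {spf}: {from_domain} does not authorise {origin_ip} to send its mail")
    elif spf != "pass":
        reasons.append(f"SPF {spf}: sender domain could not be verified")
    if not dkim_signed:
        reasons.append(f"no valid DKIM signature: nothing cryptographically ties the message to {from_domain}")
    if helo and helo.lower() == from_domain and spf != "pass":
        reasons.append(f"HELO claims to be {helo}, but that name is sender-supplied and SPF does not back it up")
    if return_path and return_path != from_domain:
        reasons.append(f"Return-Path domain {return_path} differs from From domain {from_domain}")
    malformed = sum(1 for h in below if h["ip"] is None)
    if malformed:
        reasons.append(f"{malformed} Received: line(s) below the boundary carry no IP address (forged padding)")

    return {"from_domain": from_domain, "origin_ip": origin_ip, "helo": helo, "spf": spf,
            "dkim_signed": dkim_signed, "unverifiable_hops": len(below), "reasons": reasons,
            "verdict": "suspicious" if reasons else "no header anomalies"}


if __name__ == "__main__":
    result = triage(HEADERS, "yahoo.com")
    print(f"{result['verdict']}: origin {result['origin_ip']}, HELO {result['helo']}, SPF {result['spf']}")
    for reason in result["reasons"]:
        print(" -", reason)
```

The one decision that matters here is which Received: line to believe. Reading the bottom line (smtp.endend.nl, 164.56.248.197) would send you chasing a Dutch host that never touched this message; reading the boundary line gives 77.82.106.156, the address that the whois and blacklist checks below are about.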
The IP address of the suspicious server is 77.82.106.156.

Tracking down the bad guys: in the PowerPoint "Dark Side of the Internet", slide 258 has a link to http://networktools.nl/; read the slides that follow for an explanation of how to use the tool and interpret the results. Select whois and enter the IP address 77.82.106.156 (see above). We get some strange results for the United States Post Office:

    inetnum:        77.82.104.0 - 77.82.111.255
    netname:        RU-KAMCHATKA
    descr:          Far East Telecommunications Company (Dalsvyaz)
    descr:          Kamchatka branch
    descr:          Petropavlovsk-Kamchatsky
    descr:          PPPoE dynamic addresses pool
    country:        RU
    org:            ORG-FETC4-RIPE
    admin-c:        KNOC2-RIPE
    tech-c:         KNOC2-RIPE
    status:         ASSIGNED PA
    mnt-by:         KAMCHATKA-NOC-MNT
    source:         RIPE
    remarks:        INFRA-AW

    organisation:   ORG-FETC4-RIPE
    org-name:       Far East Telecommunications Company
    org-type:       LIR
    address:        OJSC Far East Telecommunications Company (Dalsvyaz), 57 Svetlanskaya Street, 690950 Vladivostok, Russian Federation
    phone:          +7 4152 412285
    fax-no:         +7 4152 412711
    admin-c:        ANK2555-RIPE
    admin-c:        MEY-RIPE
    admin-c:        ER2104-RIPE
    admin-c:        MVF19-RIPE
    admin-c:        SSP8-RIPE
    mnt-ref:        RIPE-NCC-HM-MNT
    mnt-ref:        KAMCHATKA-NOC-MNT
    mnt-by:         RIPE-NCC-HM-MNT
    source:         RIPE

    role:           KAMCHATKA.RU Network Operational Centre
    address:        Open Joint Stock Company ...

The IP provider is located in Kamchatka, Russia (you can see Alaska from there... NOT ;-O).

Two cautions about what whois does and does not tell you. First, the record identifies the ISP that owns the address block, not the person using the address; the contacts listed are the ISP's abuse and network staff, and they are the right people to report to, not the culprits. Second, the line "PPPoE dynamic addresses pool" is the most informative one: this is a block of addresses handed out to the ISP's broadband customers, not a mail server. A home PC in Kamchatka sending mail directly to Yahoo while calling itself usps.com is almost certainly a machine that has itself been infected and is being used as part of a botnet, so its owner is probably another victim rather than the attacker.

For most people, we would immediately delete the email and forget about it! For those who need more evidence ...
We go to http://whatismyipaddress.com/blacklist-check and get several dozen opinions on the IP address. The blacklists the site queries are (the per-list status icons did not survive the capture of this page):

access.redhawk.org, b.barracudacentral.org, bl.csma.biz, bl.emailbasura.org, bl.spamcannibal.org, bl.spamcop.net, bl.technovision.dk, blackholes.five-ten-sg.com, blackholes.wirehub.net, blacklist.sci.kun.nl, block.dnsbl.sorbs.net, blocked.hilli.dk, cart00ney.surriel.com, cbl.abuseat.org, dev.null.dk, dialup.blacklist.jippg.org, dialups.mail-abuse.org, dialups.visi.com, dnsbl.ahbl.org, dnsbl.antispam.or.id, dnsbl.cyberlogic.net, dnsbl.kempt.net, dnsbl.njabl.org, dnsbl.sorbs.net, dnsbl-1.uceprotect.net, dnsbl-2.uceprotect.net, dnsbl-3.uceprotect.net, duinv.aupads.org, dul.dnsbl.sorbs.net, dul.ru, escalations.dnsbl.sorbs.net, fl.chickenboner.biz, hil.habeas.com, http.dnsbl.sorbs.net, intruders.docs.uu.se, korea.services.net, mail-abuse.blacklist.jippg.org, misc.dnsbl.sorbs.net, msgid.bl.gweep.ca, new.dnsbl.sorbs.net, no-more-funn.moensted.dk, old.dnsbl.sorbs.net, pbl.spamhaus.org, proxy.bl.gweep.ca, psbl.surriel.com, pss.spambusters.org.ar, rbl.schulte.org, rbl.snark.net, recent.dnsbl.sorbs.net, relays.bl.gweep.ca, relays.bl.kundenserver.de, relays.mail-abuse.org, relays.nether.net, rsbl.aupads.org, sbl.spamhaus.org, smtp.dnsbl.sorbs.net, socks.dnsbl.sorbs.net, spam.dnsbl.sorbs.net, spam.olsentech.net, spamguard.leadmon.net, spamsources.fabel.dk, tor.ahbl.org, web.dnsbl.sorbs.net, whois.rfc-ignorant.org, xbl.spamhaus.org, zen.spamhaus.org, zombie.dnsbl.sorbs.net, bl.tiopan.com

The site's own note: "WhatIsMyIPAddress.com does not run, manage, or have any direct relationship with any blacklist. We provide a single location to check the status of an IP address on 3rd party blacklists. WhatIsMyIPAddress.com does not recommend the usage of any specific blacklist and does not condone blacklists that require payment for removal. Our inclusion of such blacklists are for the purposes of completeness and should not be consider to be in support of that blacklist's usage."

Legend (icons lost in capture): Not Listed / Listed / Timeout Error / Offline.

The important ones are the red "!" flags, which mean that the blacklist is flagging the IP address as dangerous. The flags from the lists run by http://www.spamhaus.org/ (pbl, sbl, xbl and zen.spamhaus.org in the list above) are of particular interest because of Spamhaus's reputation. They also mean different things: the SBL lists verified spam sources, the XBL lists machines known to be compromised by malware or open proxies, and the PBL lists address ranges (such as an ISP's dynamic customer pool) that should never be sending mail directly to other people's servers; ZEN combines all three. Given the "PPPoE dynamic addresses pool" in the whois record, a PBL listing is expected for this address whether or not it has ever spammed, and if a dynamic-pool address also shows up on the XBL that is the classic signature of an infected home PC. Treat the rest of the table with some care: many of the smaller lists come and go, and a "Timeout" or "Offline" entry is a list that could not be consulted, not a clean bill of health.
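What the blacklist-check page does for each of those dozens of lists is a single DNS query, and knowing what that query looks like lets you run it yourself and, more importantly, read the answer correctly. The Python below is an added example, not the page's own code nor WhatIsMyIPAddress.com's. It builds the reversed-octet query name for an address, decodes the return codes that Spamhaus ZEN uses (the SBL, XBL and PBL lists mentioned above), and handles two cases the web page hides behind an icon: a list that answers with an error code instead of a verdict, and a dead or hijacked list that answers for every address. The `SAMPLE_ANSWERS` table and the documentation-range addresses in it are constructed to exercise those cases; they are not the results the author got for 77.82.106.156. `live_resolver` performs a real lookup.

```python
"""How a DNSBL check works, using Spamhaus ZEN as the example
(added example; not code from the page or from WhatIsMyIPAddress.com)."""
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")        # all genuine DNSBL listings live here
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus error codes, e.g. .254 = public resolver, .255 = over query limit
XBL_NET = ipaddress.ip_network("127.0.0.4/30")        # 127.0.0.4 - 127.0.0.7 are all XBL/CBL codes

# Meaning of the A records zen.spamhaus.org returns for a listed address.
ZEN_CODES = {
    "127.0.0.2": "SBL: verified spam source",
    "127.0.0.3": "SBL CSS: snowshoe / low-reputation sender",
    "127.0.0.9": "SBL DROP: hijacked or criminal-leased netblock",
    "127.0.0.10": "PBL: ISP dynamic / end-user range, should not send mail directly",
    "127.0.0.11": "PBL: Spamhaus-maintained end-user range",
}


def dnsbl_query_name(ip, zone):
    """A DNSBL is queried by reversing the octets and appending the zone:
    77.82.106.156 checked against zen.spamhaus.org -> 156.106.82.77.zen.spamhaus.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def describe_code(addr):
    """Turn one listing code into the name of the list that produced it."""
    if addr in XBL_NET:
        return "XBL (CBL): exploited or malware-infected host"
    return ZEN_CODES.get(str(addr), f"listed (unknown code {addr})")


def check_ip(ip, zone, resolver):
    """resolver(name) -> list of A-record strings; [] (NXDOMAIN) means not listed.
    Returns listed=True/False, or listed=None with an explanation when the answer
    cannot be trusted."""
    name = dnsbl_query_name(ip, zone)
    addrs = [ipaddress.IPv4Address(a) for a in resolver(name)]
    result = {"ip": ip, "zone": zone, "query": name, "listed": False, "listings": [], "error": None}
    if any(a not in LOOPBACK for a in addrs):
        # A real, routable address in the answer means the zone is defunct, parked or
        # hijacked and is "listing" the whole Internet; its opinion is worthless.
        result.update(listed=None, error=f"{zone} answered with a non-127.x address; zone is defunct or hijacked, ignore it")
        return result
    errors = [a for a in addrs if a in ERROR_NET]
    if errors:
        result.update(listed=None, error=f"{zone} returned error code {errors[0]}; result inconclusive (query via your own resolver, not a public one)")
        return result
    result["listings"] = [describe_code(a) for a in addrs]
    result["listed"] = bool(addrs)
    return result


# Constructed sample answers (documentation-range addresses; NOT real lookup results).
SAMPLE_ANSWERS = {
    # a dynamic-pool host that is also an infected bot: PBL and XBL codes together
    dnsbl_query_name("198.51.100.7", "zen.spamhaus.org"): ["127.0.0.4", "127.0.0.10"],
    # a query that went through a public resolver gets an error code, not a verdict
    dnsbl_query_name("203.0.113.9", "zen.spamhaus.org"): ["127.255.255.254"],
    # a dead list that answers every query with a routable address
    dnsbl_query_name("203.0.113.9", "dead.example.invalid"): ["192.0.2.1"],
}


def sample_resolver(name):
    """Offline stand-in for DNS, backed by the constructed table above."""
    return SAMPLE_ANSWERS.get(name, [])


def live_resolver(name):
    """Real lookup through the system resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for ip, zone in [("198.51.100.7", "zen.spamhaus.org"), ("203.0.113.9", "zen.spamhaus.org"),
                     ("203.0.113.9", "dead.example.invalid")]:
        r = check_ip(ip, zone, sample_resolver)
        print(r["query"], "->", r["error"] or (r["listings"] or "not listed"))
```

To query for real, swap `sample_resolver` for `live_resolver`; note that Spamhaus refuses queries that arrive through large public resolvers such as 8.8.8.8 and signals this with the 127.255.255.254 code, which is exactly the "inconclusive, not clean" case the code separates from a true "not listed".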