> A new one. I've never seen a .PLS used as bait.
> https://photos.kolico.ca/tmp/dhl.jpg
> https://photos.kolico.ca/tmp/dhl-1.jpg
Another interesting thing about that one. Although the .pls file registers as
59B in the mail header, the actual file is 0B.
Looking at the raw message:
X-EN-OrigIP: 192.163.245.86
Received: from crystalnet by host.anmoul.net.in with local (Exim 4.93)
(envelope-from )
id 1lH1yz-00038T-AP
for books@ashlies.ca; Tue, 02 Mar 2021 10:10:25 +0000
To: books@ashlies.ca
Subject: =?UTF-8?B?UmVtaW5kZXIsIERITCBpbmZvcm1zIHlvdSB0aGF0IHlvdXIgc2hpcG1lbnQg
TsKwIDk0MzAyNDU5Njg1IGlzIHN0aWxsIHBlbmRpbmcgIQ==?=
X-PHP-Script: crystal.net.in/mat/metoo.php for 20.52.179.36
^^^^^^^^^
From: =?UTF-8?B?REhMIEVYUFJFU1M=?=
Message-Id:
Looks like this is a sneaky attempt to launch a remote .php file.
I also did not realize that the header contents could be obfuscated with UTF-8
prefixes:
Subject: =?UTF-8?B?UmVtaW5kZXIsIERITCBpbmZ...
Buggers.
--- SBBSecho 3.13-Linux
* Origin: The Rusty MailBox - Penticton, BC Canada (1:153/757.2)
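Added example, not part of the post above: a small Python script that unfolds the raw headers, decodes the RFC 2047 encoded-words (the =?UTF-8?B?...?= Subject and From lines) so an analyst can read what the recipient saw, and reports the X-PHP-Script header the post points at. The header sample is a subset of the lines quoted in the post, with the Subject left folded across two lines exactly as it arrived; the function names and the triage report format are this example's own.

```python
# Added example (not the poster's code): decode RFC 2047 "encoded-word" headers
# and surface the X-PHP-Script header for triage.
import base64
import quopri
import re

# Constructed from the header lines quoted in the post (Received/Message-Id
# omitted). The Subject is folded mid-encoded-word, as in the raw message.
RAW_HEADERS = (
    "X-EN-OrigIP: 192.163.245.86\n"
    "X-PHP-Script: crystal.net.in/mat/metoo.php for 20.52.179.36\n"
    "To: books@ashlies.ca\n"
    "Subject: =?UTF-8?B?UmVtaW5kZXIsIERITCBpbmZvcm1zIHlvdSB0aGF0IHlvdXIgc2hpcG1lbnQg\n"
    " TsKwIDk0MzAyNDU5Njg1IGlzIHN0aWxsIHBlbmRpbmcgIQ==?=\n"
    "From: =?UTF-8?B?REhMIEVYUFJFU1M=?=\n"
)

# encoded-word = "=?" charset "?" ("B" | "Q") "?" payload "?="  (RFC 2047 s.2).
# The payload class deliberately admits whitespace: this message folds the
# Subject in the middle of one encoded word, which a strict parser rejects.
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")


def unfold_headers(raw: str) -> dict:
    """Unfold RFC 5322 headers: a line starting with whitespace continues
    the previous header. Returns {name: value}."""
    headers = {}
    name = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name is not None:
            headers[name] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
    return headers


def _decode_one(match: re.Match) -> str:
    charset, encoding, payload = match.groups()
    charset = charset.split("*")[0]          # drop an RFC 2231 "*lang" suffix
    if encoding in "bB":
        # strip the folding whitespace before base64-decoding
        data = base64.b64decode(re.sub(r"\s+", "", payload))
    else:
        # Q encoding is quoted-printable with "_" standing for a space
        data = quopri.decodestring(payload.encode(), header=True)
    return data.decode(charset, errors="replace")


def decode_encoded_words(value: str) -> str:
    """Replace every encoded-word in a header value with its decoded text."""
    return ENCODED_WORD.sub(_decode_one, value)


def triage(raw: str) -> dict:
    """Decode all headers and list the two things worth a second look here:
    encoded-word headers (and what they really say) and X-PHP-Script, which
    marks mail generated by a PHP script on a web host."""
    folded = unfold_headers(raw)
    decoded = {k: decode_encoded_words(v) for k, v in folded.items()}
    findings = []
    for name, value in folded.items():
        if ENCODED_WORD.search(value):
            findings.append(f"{name} is RFC 2047 encoded -> {decoded[name]!r}")
    if "X-PHP-Script" in folded:
        findings.append("X-PHP-Script present -> " + folded["X-PHP-Script"])
    return {"headers": decoded, "findings": findings}


if __name__ == "__main__":
    for line in triage(RAW_HEADERS)["findings"]:
        print(line)
```

Run it as-is and the Subject comes out as a plain "Reminder, DHL informs you that your shipment ... is still pending" text with the display name "DHL EXPRESS", which is what the recipient's client rendered; the base64 only hides it from a grep of the raw message, not from the reader. A mail filter that matches on decoded header text rather than the raw encoded form closes that gap.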