TIP: Click on subject to list as thread! ANSI
echo: internet
to: All
from: August Abolins
date: 2021-03-02 09:53:00
subject: Re: .pls?

 > A new one. I've never seen a .PLS used as bait.

 > https://photos.kolico.ca/tmp/dhl.jpg
 > https://photos.kolico.ca/tmp/dhl-1.jpg


Another interesting thing about that one. Although the .pls file registers as
59B in the mail header, the actual file is 0B.

Looking at the raw message:

X-EN-OrigIP: 192.163.245.86
Received: from crystalnet by host.anmoul.net.in with local (Exim 4.93)
	(envelope-from )
	id 1lH1yz-00038T-AP
	for books@ashlies.ca; Tue, 02 Mar 2021 10:10:25 +0000
To: books@ashlies.ca
Subject: =?UTF-8?B?UmVtaW5kZXIsIERITCBpbmZvcm1zIHlvdSB0aGF0IHlvdXIgc2hpcG1lbnQg
TsKwIDk0MzAyNDU5Njg1IGlzIHN0aWxsIHBlbmRpbmcgIQ==?=
X-PHP-Script: crystal.net.in/mat/metoo.php for 20.52.179.36
                                 ^^^^^^^^^

From: =?UTF-8?B?REhMIEVYUFJFU1M=?= 
Message-Id: 

Looks like this is sneaky attempt to launch a remote .php file.

I also did not realize that the header contents could be obfuscated with UTF-8
prefixes:

Subject: =?UTF-8?B?UmVtaW5kZXIsIERITCBpbmZ...

Buggers.
--- SBBSecho 3.13-Linux
                                                                                                
* Origin: The Rusty MailBox - Penticton, BC Canada (1:153/757.2)

SOURCE: echomail via QWK@pharcyde.org

Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.