Friday 2 August 2013

Malekal.com "Joe Job" spam

Update: there is a new version of this Joe Job spam, now mentioning this post in the body text (more info).

Malekal's Site is a French-language site covering malware and spam. This particular spam run (a so-called "Joe Job") is not from Malekal, but is instead attempting to disrupt the site. Presumably the bad guys have found something they don't like.

Here are some examples:
Subject: Trojan Fake Police
Subject: Virus Gendarmerie
Subject: Virus Gendarmerie Nationale
Subject: Trojan Ransomware

Trojan Fake Police / Virus Gendarmerie Nationale : violation de la loi
francaise http://www.malekal.com/

If you are getting these, it is because you have been flagged up via a "reverse listwashing" process as somebody who is likely to complain about spam. Reporting the originating IP of the spam email would probably be helpful, reporting malekal.com on the other hand will only help the bad guys to remove a useful resource.
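To make that distinction concrete, here is an added example (not part of the original post) that walks the Received chain of a constructed message modelled on this run: the body and From line point at malekal.com, but the originating IP is whatever handed the message to the first server we trust. The hostnames in OUR_HOSTS and the addresses in the sample are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the Joe Job run described in the post.
# The body and From header advertise malekal.com, but the message reached
# our relay from an unrelated (documentation-range) address.
SAMPLE_EMAIL = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Fri, 2 Aug 2013 10:00:00 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mx.example.net with SMTP; Fri, 2 Aug 2013 09:59:58 +0000
From: "Malekal" <contact@malekal.com>
Subject: Virus Gendarmerie Nationale

Trojan Fake Police / Virus Gendarmerie Nationale : violation de la loi
francaise http://www.malekal.com/
"""

# Mail hosts we operate and therefore trust (assumption for this example).
OUR_HOSTS = {"mail.example.org", "mx.example.net"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)")

def originating_ip(raw):
    """IP that delivered the message to the last hop we trust.

    Received headers are prepended, so the first one is ours. Walk down
    while the 'by' host is one of ours; the 'from' IP of the last such hop
    is the true origin. Any header below that was written by the sender."""
    last_ip = None
    for hop in message_from_string(raw).get_all("Received", []):
        by = BY_RE.search(hop)
        if not by or by.group(1) not in OUR_HOSTS:
            break
        m = IP_RE.search(hop)
        if m:
            last_ip = m.group(1)
    return last_ip

def sender_domain(raw):
    """Domain in the From header: trivially forged, so not a report target."""
    return parseaddr(message_from_string(raw)["From"])[1].split("@")[-1]

def body_domains(raw):
    """Domains linked in the body: the Joe Job's victim, not its source."""
    body = message_from_string(raw).get_payload()
    return set(re.findall(r"https?://([\w.-]+)", body))
```

Report the value from originating_ip (to the network that owns it); the domains from sender_domain and body_domains are the party being framed.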
Patrick said...

At the Malekal.com site, my iolo System Shield protection detected 5 intrusion attempts into my system, including js redirects, and an attempt to install a trojan.

So the comment above inferring that Malekal.com is one of the 'good guys', I don't believe it.

This is in reference to information I received and attempted to verify as genuine. It is my opinion that it is not:

These spam emails are sent from a botnet (check the mail headers); I'm not
responsible for these spam emails.
Someone is probably trying to get the site blacklisted or to give it a bad reputation
(this is called "a Joe Job" - see :
http://blog.dynamoo.com/2013/08/malekalcom-joe-job.html )

The person responsible is " Reveton Guy ", trying to get revenge after a mass shutdown of
their malvertising :

On August 11, they tried to get my website blacklisted using a hacked website :

Conrad Longmore said...

@Patrick: It's a fairly well known French-language malware research site, if you're in that narrow sort of field. I have no doubt that it is legitimate.

However, it does look like somebody has gotten to the site to load malware in the recent past (see Google, URLquery). And I notice that at the moment the site is offline... so perhaps somebody is trying a rather more direct approach at getting it offline.