Return-Path: <somnath.bharti@gmail.com>
Received: from unknown (HELO blade5.cesmail.net) (192.168.1.215)
by c60.cesmail.net with SMTP; 14 Nov 2004 13:43:23 -0500
Received: (qmail 5069 invoked by uid 1010); 14 Nov 2004 18:43:22 -0000
Delivered-To: spamcop-net-dynamoo@spamcop.net
Received: (qmail 5045 invoked from network); 14 Nov 2004 18:43:21 -0000
Received: from unknown (192.168.1.101)
by blade5.cesmail.net with QMQP; 14 Nov 2004 18:43:21 -0000
Received: from rproxy.gmail.com (64.233.170.197)
by mailgate.cesmail.net with SMTP; 14 Nov 2004 18:43:21 -0000
Received: by rproxy.gmail.com with SMTP id r35so540853rna
for <dynamoo@spamcop.net>; Sun, 14 Nov 2004 10:43:20 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=beta; d=gmail.com;
h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
b=AItQWQnfUOPREzb2USZ1AAdfuMy54ME4VonsHz7VdB93Wd8apOkFSOrdqjkbLLFqI6nUaFy2cKrbLXTrFSLC0p5Kj2ZdwK0Qb6CFZjbS24HecjymNLUahhMUBp3AbEb0M/t/EXhC4N0HZeCD06YP/TK7XF0dZaqNweevm4cXL4E=
Received: by 10.38.102.45 with SMTP id z45mr1019046rnb;
Sun, 14 Nov 2004 10:43:20 -0800 (PST)
Received: by 10.38.151.16 with HTTP; Sun, 14 Nov 2004 10:43:20 -0800 (PST)
Message-ID: <4e0e2d5304111410431d08a7bb@mail.gmail.com>
Date: Sun, 14 Nov 2004 10:43:20 -0800
From: Somnath <somnath.bharti@gmail.com>
Reply-To: Somnath <somnath.bharti@gmail.com>
To: dynamoo@spamcop.net
Subject: surprising and serious
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade5
X-Spam-Level:
X-Spam-Status: hits=0.0 tests=RCVD_BY_IP version=3.0.0
X-SpamCop-Checked: 192.168.1.101 64.233.170.197 10.38.102.45 10.38.151.16
Hi Conrad,
I was taken by surprise to find you listing my name, one of my
properties address and my picture in an article on a company named
"TopSites LLC" on your site. I don't know on what basis you have been
talking so emphatic without cross verifying with the person you are
talking about. To my utter surprise, you have been having this article
on your site accusing me of being related to a company I have heard
only through your article. Please have the same removed ASAP and
explain to me what made you write all this about a person, not even
remotely attached to any such company.
Please acknowledge of this email and have any and everything related
my name, my pic and c-28 address removed. I am available at
+91-9891819893, if you have anything to talk about. Also, post on the
same page an apology for this grievous mistake on your part.
--
Regards,
Somnath Bharti
| advrzc.myftp.org |
| amyoau.myftp.biz |
| aokljwwsap.serveftp.com |
| bgocodwsiu.myftp.org |
| bpknbvmc.serveftp.com |
| cjhkxfpdw.serveftp.com |
| cvxeitw.serveftp.com |
| cxrhtcau.myftp.biz |
| czwaiys.myftp.org |
| dhdwjwve.myftp.org |
| djqlcce.myftp.org |
| drituglgjh.serveftp.com |
| drpmsmt.serveftp.com |
| ehetlmna.myftp.biz |
| euimho.serveftp.com |
| fvyzhy.serveftp.com |
| hljozqutc.myftp.org |
| hlwswbaap.serveftp.com |
| hwtlzdxic.serveftp.com |
| idoplhj.serveftp.com |
| iyrseedlt.myftp.biz |
| lkuvivr.myftp.biz |
| lxeoic.myftp.org |
| orrlnypdvz.myftp.biz |
| osuqlc.myftp.org |
| plwxycxij.myftp.org |
| pmkawqgvob.myftp.org |
| puifnjav.myftp.biz |
| sbrckuod.serveftp.com |
| thtnuj.myftp.biz |
| ucuqgd.myftp.org |
| uqqyscgq.myftp.org |
| uuzkpb.myftp.biz |
| welfcsuybw.serveftp.com |
| ykypxoub.myftp.org |
| yrziqui.serveftp.com |
| yxoiyjbjt.myftp.biz |
Date: Fri, 7 Feb 2014 17:08:16 +0700 [05:08:16 EST]The email appears to originate from within the victim's own domain but doesn't. Attached is an archive file Form_STD261.zip which in turn contains a malicious executable Form_STD261.scr which has a VirusTotal detection rate of just 3/51.
From: Callie Figueroa [Callie@victimdomain]
Subject: Annual Form - Authorization to Use Privately Owned Vehicle on State Business
All employees need to have on file this form STD 261 (attached). The original is
retained by supervisor and copy goes to Accounting. Accounting need this form to approve
mileage reimbursement.
The form can be used for multiple years, however it needs to re-signed annually by
employee and supervisor.
Please confirm all employees that may travel using their private car on state business
(including training) has a current STD 261 on file. Not having a current copy of this
form on file in Accounting may delay a travel reimbursement claim.
Date: Fri, 7 Feb 2014 15:44:19 +0530 [05:14:19 EST]Attached is a file AccountReport.zip which in turn contains a malicious executable AccountReport.scr which has a VirusTotal detection rate of 4/50.
From: Doris Clay [Doris@rbs.co.uk]
Subject: Important Docs
Account report.
Tel: 01322 589422
Fax: 01322 296116
email: Doris@rbs.co.uk
This information is classified as Confidential unless otherwise stated.
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
Date: Thu, 6 Feb 2014 20:32:34 +0100 [14:32:34 EST]I love the "certified virus-free" bit, because of course this thing comes with a malicious payload. Attached to the message is an archive Reference.zip which in turn contains a malicious executable Reference.scr (a plain old executable, not a screensaver). This has a VirusTotal detection rate of 2/50.
From: "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject: Successful Receipt of Online Submission for Reference 3608005
Thank you for sending your VAT Return online. The submission for reference 3608005 was
successfully received on Thu, 6 Feb 2014 20:32:34 +0100 and is being processed. Make VAT
Returns is just one of the many online services we offer that can save you time and
paperwork.
For the latest information on your VAT Return please open attached report.
The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Cable&Wireless Worldwide in partnership with
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for
legal purposes.
The submission for reference 485/GB1392709 was successfully received and was not
processed.
Check attached copy for more information.
This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.
Date: Thu, 6 Feb 2014 11:48:18 +0100 [05:48:18 EST]Attached is a file Label_798950432737.zip which contains a malicious executable Label02062014.scr (an executable despite the .scr extension) with a VirusTotal detection rate of 0/41.
From: TNT COURIER SERVICE [tracking@tnt.co.uk]
Subject: TNT UK Limited - Package tracking 798950432737
Your package have been picked up and is ready for dispatch.
Connote # : 798950432737
Service Type : Export Non Documents - Intl
Shipped on : 05 Feb 14 00:00
Order No : 2819122
Status : Driver's Return Description : Wrong Address
Service Options: You are required to select a service option below.
TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.
DETAILS OF PACKAGE
Reg order no: 798950432737
The options, together with their associated conditions
From: Alison George allison.george@transferduc.nlAttached is a file Wire.Transfer.rar which you will need to unpack with a suitable application. In turn this creates a file Wire-Report which is actually an executable, but missing the .exe extension.. so you have to add that to get infected. Hmmm.. the phrase "some assembly required" springs to mind.
Date: 5 February 2014 22:41
Subject: Payment Fund
ALERT! A bank Wire transaction, Has just been rejected from checking 656778*** account.
to your bank confirmed by the FedWire.
Transaction ID: 99076900
Date: 2/3/2014
Transfer Origination: Fedline
Please review the attached copy of transaction report,
Federal Reserve Financial Services
Creating Nationwide Solutions for Your Payment Needs
20th Street and Constitution Avenue N.W.
Washington, D.C. 20551
| What's been found | Severity Level |
| Creates a startup registry entry. |
| Memory Modifications |
| Process Name | Process Filename | Main Module Size |
| server.exe | %Temp%\server.exe | 57,344 bytes |
| Registry Modifications |
| Other details |
Date: Wed, 5 Feb 2014 20:38:29 +0100 [14:38:29 EST]
From: GRP Lloydslink Tech [GRPLloydslinkTech@LLOYDSBANKING.COM]
Subject: LloydsLink reference: 8255820 follow up email and actions to be taken
Lloyds TSB
Help
(New users may need to verify their email address)
If you do not see or cannot click / tap the Download attachment button:
Desktop Users:
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
Mobile Users:
Install the mobile application.
Protected by the Voltage SecureMail Cloud
SecureMail has a NEW LOOK to better support mobile devices!
Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.
Email Security Powered by Voltage IBE™
Copyright 2002-2014 Voltage Security, Inc. All rights reserved.
Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500
Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41
Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 2299428. Telephone: 0845 603 1637
Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.
Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.
Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.
HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC218813.
Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555
This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments.
Telephone calls may be monitored or recorded.
Date: Wed, 5 Feb 2014 03:02:52 -0500 [03:02:52 EST]Attached is a file Payment receipt Barclays PA77392733.zip which is turn contains a malicious executable Payment receipt Barclays PA77392733.exe with a surprisingly poor VirusTotal detection rate of just 1/51 (only Sophos detects it). Automated analysis tools are pretty inconclusive about the payload [1] [2] [3] with only the Malwr report having any real detail.
From: Barclays Bank [support@barclays.net]
Subject: Barclays transaction notification #002601
Transaction is completed. £9685 has been successfully transfered.
If the transaction was made by mistake please contact our customer service.
Receipt of payment is attached.
Barclays is a trading name of Barclays Bank PLC and its subsidiaries. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No. 122702). Registered in England. Registered Number is 1026167 with registered office at 1 Churchill Place, London E14 5HP.
From: World Food Programme newsletter@newsletter.loyaltyciti.comThe email originates from 208.95.135.84 [mail3345.emailciti.mkt3942.com] (Silverpop Systems, US) and spamvertises an intermediate site at links.emailciti.mkt3941.com on 74.112.69.20 (Silverpop again) and then forwards to www.wfp.org/hunger-hot-spots if you click through.
Reply-To: newsletter@newsletter.loyaltyciti.com
Date: 4 February 2014 09:58
Subject: 60% of people here don't have food
Signed by: newsletter.loyaltyciti.com
If you are unable to see the message below, click here to view.
Share: Delicious Digg Facebook LinkedIn Twitter
world food programme
There’s a common link between a mother in Central African Republic, a father in South Sudan, and a child in Syria. Hunger. Fortunately, there’s also a common solution – The World Food Programme (WFP)..
WFP provides food assistance so families can break the cycle of poverty and hunger. Our goal? Zero hunger. We rely on the support of our online community to make this a reality.
Will you join us? Sign up at wfp.org/join to receive monthly updates and info about how you can help achieve a zero hunger world.
When conflict erupts, hunger soon follows. In CAR, South Sudan, and Syria, WFP is fighting for families who are being pushed to the brink. Find out how we’re responding to ensure families have the security that comes with a daily meal.
central african republic
level 3 emergency
See where we’re sounding the alarm.
remembering what matters delivering despite
WFP’s Rasmus Egendal reflects on what really matters in Syria: The People. Thanks to our supporters like you, WFP has been able to deliver food in South Sudan rom the start.
starting stars from car reporting from damascus
Get the facts & figures you should know: 60% of families in Central African Republic have no food. Watch an update from WFP’s Executive Director who met Syrian families relying on WFP assistance.
follow wfp facebook twitter
You have received this email message from EmailCiti, the leading Email Behavior and Lead Generation Company in the GCC & Middle East. Your email address has been recorded because you have subscribed to one of our email &newsletters services or are registered with one of our Partner and affiliate sites. For more information, visit www.emailciti.com
If you don't wish to receive these emails anymore please click here.
