This is a big one, coming from hitherto unlisted botnet addresses – and it’s coming right now. I’m cross referencing the blacklisted addresses now to see if I can see who’s had an expansion lately. Spamassassin isn’t that great at picking it up, with about 10% getting straight through and about 90% failing to reach five points.
It’s a Microsoft Word document, apparently containing the controversial malware Peals.F!plock. Little is known about this, other than that Security Essentials flags it while others say it’s a false positive. Well, someone’s gone to a lot of trouble to send it a “false positive”.
The messages all claim to come from “Stephanie Greaves”, sgreaves at btros.co.uk, with a fixed subject of COS007202, which is unusual. You’d have thought that if you’re using a clean botnet you’d randomise things a bit. This is a genuine domain name (with no SPF – come on guys!) and for all I know, Stephanie Greaves is the name of a genuine victim. Their MX is a virtual server and they’re probably wondering why it’s been heavily loaded since 9am.
Whoever’s doing this has a pretty comprehensive spamming list, containing nearly all of my honeypots.
This same malware is now being sent out claiming to be from email@example.com with the subject “Your receipt for today’s Ocado delivery”, and an HTML message looking like an Ocado receipt (as far as I can tell – I shop for my own groceries!). Again, Ocado doesn’t seem to have SPF set up.
The message text is:
HERE’S YOUR RECEIPT
Your receipt for today’s delivery is attached to this email. I’ll be delivering your 12:00-14:00 order and, so you’ll know it’s me, I’ll be driving the Lemon van.
Your order doesn’t have any substitutions, everything’s there.
See you later,
The fake Bombardier one reads:
Good morning,
Please see attached purchase order.
Kind regards,
Stephanie Greaves
cid:image002.jpg@01D01077.BAC48BA0
Administration Apprentice
Bombardier Transportation (Rolling Stock) UK Ltd
Electronics, Cabling, & Interior Division
Litchurch Lane, Derby, DE24 8AD
Update: 20-Oct-15 11:22
The malware spam now looks like this:
From: Shaun Buzzard <firstname.lastname@example.org>
To: <to_addr}}> <-- Note error
Subject: Order
Please find attached order.
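Since SpamAssassin was letting most of this through, here is a small triage script, added as an example and not part of the original post, that checks incoming mail against the indicators described above: the fixed sender and subject of the Bombardier variant, the Ocado receipt subject, the bare “Order” subject from the update, a Word attachment, and whether the sending domain publishes an SPF record. The messages and the SPF record table are constructed inline for the example (the post only says btros.co.uk and Ocado had no SPF, so they are simply absent from the table); the function and constant names are my own.

```python
"""Triage mail against the indicators observed in the post (added example)."""
import email
from email import policy
from email.utils import parseaddr

# Indicators taken from the post. email@example.com is the placeholder the
# post itself uses for the Ocado sender.
KNOWN_SENDERS = {"sgreaves@btros.co.uk"}
KNOWN_SUBJECTS = {
    "COS007202",
    "Your receipt for today's Ocado delivery",
    "Order",
}
WORD_TYPES = {
    "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
}
WORD_EXTENSIONS = (".doc", ".docx", ".docm")


def has_spf(txt_records):
    """True if any DNS TXT record for the domain is an SPF policy (v=spf1)."""
    return any(r.strip().lower().startswith("v=spf1") for r in txt_records)


def has_word_attachment(msg):
    """True if any MIME part is a Word document by content type or file name."""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() in WORD_TYPES or name.endswith(WORD_EXTENSIONS):
            return True
    return False


def triage(raw_message, spf_records_by_domain):
    """Return the list of indicators a raw RFC 5322 message matches.

    spf_records_by_domain maps a domain to the TXT records it publishes
    (looked up offline here; a real deployment would query DNS).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # Normalise the curly apostrophe seen in the Ocado subject.
    subject = (msg.get("Subject") or "").replace("\u2019", "'").strip()

    reasons = []
    if addr in KNOWN_SENDERS:
        reasons.append("known-sender")
    if subject in KNOWN_SUBJECTS:
        reasons.append("known-subject")
    if has_word_attachment(msg):
        reasons.append("word-attachment")
    if domain and not has_spf(spf_records_by_domain.get(domain, [])):
        reasons.append("no-spf")
    return reasons


# Constructed sample data for the example (not real captures).
SPF_RECORDS = {"example.com": ["v=spf1 -all"]}  # btros.co.uk deliberately absent

BOMBARDIER_SAMPLE = """\
From: Stephanie Greaves <sgreaves@btros.co.uk>
To: honeypot@example.org
Subject: COS007202
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Good morning, Please see attached purchase order.
--b1
Content-Type: application/msword; name="COS007202.doc"
Content-Disposition: attachment; filename="COS007202.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

LEGIT_SAMPLE = """\
From: Alice <alice@example.com>
To: honeypot@example.org
Subject: Lunch
Content-Type: text/plain

Are we still on for 1pm?
"""

if __name__ == "__main__":
    print(triage(BOMBARDIER_SAMPLE, SPF_RECORDS))
    print(triage(LEGIT_SAMPLE, SPF_RECORDS))
```

Each reason could be mapped to a score and fed back into SpamAssassin as a local rule, but the useful part here is the combination: a fixed subject plus a Word attachment from a domain with no SPF is a much stronger signal than any one of those alone.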