I often get Transport for London information messages. I suspect a few million people in London do. But until just now, I’ve not seen it used as a malware distribution trick. Here’s what they look like:
Received: from [188.8.131.52] ([184.108.40.206]) by
(8.14.4/8.14.4) with ESMTP id t5QAj0ns002218 for ; Fri, 26 Jun 2015 11:45:01 +0100 (BST) (envelope-from firstname.lastname@example.org) Date: Fri, 26 Jun 2015 12:45:04 +0200 From: Subject: Email from Transport for London To: Message-ID: MIME-Version: 1.0 Importance: Normal X-Priority: 3 (Normal) X-Mailer: SAP Web Application Server 7.00 Content-Type: multipart/mixed; boundary="=_5557BCCC15D34570E10080000A82A3EC" Envelope-To: --=_5557BCCC15D34570E10080000A82A3EC Content-Disposition: inline Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Content-Description: Email from Transport for London Dear Customer, Please open the attached file to view correspondence from Transport for London. If the attachment is in DOC format you may need Adobe Acrobat Reader to read or download this attachment. Thank you for contacting Transport for London. Business Operations Customer Service Representative ______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com This email and any attachment are intended solely for the addressee, are s= trictly confidential and may be legally privileged. If you are not the int= ended recipient any reading, dissemination, copying or any other use or re= liance is prohibited. If you have received this email in error please noti= fy the sender immediately by email and then permanently delete the email. ______________________________________________________________________ --=_5557BCCC15D34570E10080000A82A3EC Content-Disposition: attachment; filename="AP0210932630.doc" Content-Type: application/doc; name="AP0210932630.doc" Content-Transfer-Encoding: base64 Content-Description: AP0210932630.doc 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAJwAAAAAA
The file attachment is a dodgy Microsoft Word document, unknown to malware scanners, and in spite of the faulty English it’s unlikely that Bayesian analysis will think it odd, although the SPF records don’t match and the IP address is currently flagged as slightly dodgy with no reverse lookup. It belongs to Telekom Austria, and I suspect it’s NOT a botnet at this time.
If anyone else has received one, I’d be interested to know! I let TFL know, and, refreshingly, got through to the right people and they took the matter seriously. This is hardly ever the case, so my feelings for TFL have gone up several notches!