
SANS ISC: What's the goal? - SANS Internet Storm Center SANS ISC InfoSec Forums


What's the goal?
Several of our users got two strange spams (differing only in starting link, one below). The first part is the link. The extra . in front of the domain makes it an invalid name that won't resolve. A mistake???

If you remove the period, and I use my real user-agent string, I get a 404. But if I change it to IE on Win8, I get what looks like fake pharmacy news. But if that's all it is, a pill pushing site, why the user-agent filtering? urlquery and virustotal give the site a clean bill of health.

Anyone know what the goal is?

== Spam sample ==
Subject: Re:


hxxp://.price.poojarosebeauty.com

<fake name>

== Links ==

hxxp://price.poojarosebeauty.com redirects to

hxxp://somelimitlessmind.asia/e9eac2df86c7e854/c53a/62c0/lmf?key=aER5clJOVnFSWGVFYjY4bW5DMkEyVmZtY1lWdzB3NDZUUklXR3BUVm9ta3A5N1ZUeG10Vko3S3hBNkg3RUgyQzFJQmtvRGNkNUZ1ZS9nNUk0dS80QUFPa0dNY2JUT3NXajFoY1JqUjlQR1Fpc3JyMG5ON1VCM0w2TWM0RWRtUVZPNlBkYUFtdEN5SXN4YkcvaU5hZnJnPT0=


URL Query report using IE and Windows user-agent:

http://urlquery.net/report/71e18405-a3ba-448d-87b1-be56497da379
R

33 Posts
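
The user-agent filtering described in the post can be confirmed by requesting the same URL under several user-agent strings and comparing the status code and landing URL of each response. This is an added example, not part of the original post; the user-agent strings, the `fake_fetch` stand-in server and the `.example` hosts are constructed for illustration.

```python
import hashlib
import urllib.error
import urllib.request

# Constructed sample user-agent strings (not taken from the post).
USER_AGENTS = {
    "ie10_win8": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
    "firefox_linux": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
    "curl": "curl/7.30.0",
}

def http_fetch(url, user_agent, timeout=10):
    """One GET; returns (status, final_url, body). HTTP errors are results, not exceptions."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl(), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.geturl(), err.read()

def probe(url, fetch=http_fetch, agents=USER_AGENTS):
    """Fetch url once per user agent and summarise each response."""
    results = {}
    for name, ua in agents.items():
        status, final_url, body = fetch(url, ua)
        results[name] = {
            "status": status,
            "final_url": final_url,
            "sha256": hashlib.sha256(body).hexdigest(),
        }
    return results

def is_cloaked(results):
    """True when the status code or landing URL depends on the user agent.
    Body hashes are reported but not compared, since dynamic pages differ per request."""
    return len({(r["status"], r["final_url"]) for r in results.values()}) > 1

def fake_fetch(url, user_agent):
    """Constructed stand-in for the behaviour in the post: content for IE on Windows 8, 404 otherwise."""
    if "MSIE" in user_agent and "Windows NT 6.2" in user_agent:
        return 200, "http://landing.example/news", b"<html>pharmacy news</html>"
    return 404, url, b"Not Found"

if __name__ == "__main__":
    report = probe("http://redirector.example/", fetch=fake_fetch)
    for name, r in report.items():
        print(name, r["status"], r["final_url"], r["sha256"][:12])
    print("cloaked:", is_cloaked(report))
```

Passing the default `http_fetch` instead of `fake_fetch` runs the same comparison against a live URL.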
