SANS ISC: Delivery Status Failure Notice That Packed A Wallop - SANS Internet Storm Center
Delivery Status Failure Notice That Packed A Wallop


This morning in my abuse@ inbox I had an email that appeared to come from one of my users. It appeared to be the typical Delivery Status Notification Failure. As the mail admin and abuse coordinator for a small ISP, it is not unusual for the customers to forward these notices to me with a request to determine why they can't email.

As I have done a few hundred times in the past, I right-clicked on the failure notice to look at the reason given by the NDR. Imagine my shock when my computer immediately began running JAVA. I immediately killed the process and booted my computer into safe mode so that I could try to determine just exactly what had happened. As soon as the laptop booted up, my AV and Windows Defender both reported that I had Trojan.bredo. I ran my cleanup and researched the characteristics of this Trojan and the files that are altered. About 2 hours later it appears that I was able to recover from this attempt to infect my computer.

I just wanted to give you a heads up. It looks like the scumbags are now using NDR and Failure reports to attempt to further their malicious activity.

Deb Hale Long Lines, LLC

Sounds to me like you have HTML emails with auto-fetch enabled. Reading mail in plain-text can solve that problem.
Anonymous
