Another New Spam Being ‘Tested’ With HTML Attachment From Amazon

It’s just too weird, but I suspect we’re all being set up for something bigger and not as harmless.

NOTE: Since this posting originally went up I have been tipped to javascript contained within the seemingly innocent html attachment. I will be decoding it later tonight and will post my results.

I’m posting this more to attract other interested parties than anything. Last weekend I posted an entry about a mysteriously benign spam that was going out by the millions. This afternoon it’s something new though I suspect it’s coming from the same person/people.

The spam again is sent to seemingly random non-existent addresses on my domain (i.e. xfswgfsdfsf@geofffox.com). It’s coming from seemingly forged random return addresses. Again its subject is “hello.”

There are two big differences from the last spam attack.

First, this spam contains a payload in html with a randomly numbered filename. Html is the basic language of the worldwide web. All web pages at their simplest are made of html.

Second, the body text in each is different though typical of ‘socially engineered’ spams. One reads

The resume document is attached.

Another says

Here’s that file that you wanted.

Like the last time the payload is totally harmless. Like last time the payload has no link back to the sender. All the links on it are legitimate links at amazon.com.

At least now this spam is making it through Gmail’s filters.

I am truly puzzled. As was the case last time I’m glad to act as a focal point for anyone with theories or questions.


11 thoughts on “Another New Spam Being ‘Tested’ With HTML Attachment From Amazon”

  1. I’ve received some of this spam too. If you look at the source of the html file, you see some javascript in the middle of the file. That script has a frame detection routine and some urlencoded html that will send the viewer to another site. I haven’t looked at the site it goes to yet.

    1. I will look tonight. Obviously, Vince, a javascript payload separates today’s from this past weekend’s spam run. Though it’s impossible to tell for sure it seems likely they come from the same source.

  2. Geoff, Is this something that is only being received through Gmail? I use yahoo…and I do get a LOT of spam…but have yet to receive anything like this….I read your blog post about the previous spam email you received and I am intrigued and worried as well.
    As always I NEVER open files from the unknown…..and if I start receiving attachments from friends, I usually ask first before opening any file.

    1. I have wisely/stupidly decided to receive mail sent to any mailbox at geofffox.com… even ones that don’t exist. That’s how my Gmail spam folder has over 40,000 spams for the past month alone! It also lets me see a much more robust corpus of spam, like this. Trust me you might not have personally gotten any, but Yahoo has been getting them by the boatload!

      It’s always wise to not open any attachment you weren’t expecting regardless of the sender. In my case I opened this on a Linux machine which is immune to Windows targeted viruses.

  3. Geoff, I’ve received 10 of these messages this afternoon, all with different names and subject lines. The only common denominator is “hello – …”. Each message was banished to the spam box but Gmail doesn’t seem to be adjusting to this. I’ll be curious to read more about the intention of the spammer.

  4. Just got a new one with a different payload. This one is only javascript and 2 blocks of urlencoded code. The main difference is that the second block looks to be machine code. Probably something nasty.
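
A way to inspect the kind of attachment described in the comments above (a script with a frame check and urlencoded blocks) without opening it in a browser. This is an added example, not code from the post or its commenters; the function names, the thresholds and the sample attachment are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

STRING_LITERAL = re.compile(r"""(["'])([^"'\n]*)\1""")
PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
# Heuristic for "am I inside a frame?" comparisons such as top != self.
FRAME_CHECK = re.compile(r"\b(?:top|parent)\s*[!=]==?\s*(?:self|window)|\bself\s*[!=]==?\s*top")
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

class ScriptCollector(HTMLParser):
    """Collect inline <script> bodies; nothing is ever executed."""
    def __init__(self):
        super().__init__()
        self.scripts, self.in_script = [], False
    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
    def handle_endtag(self, tag):
        self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)

def triage_attachment(html_text, min_escapes=8):
    """Report a frame check and every heavily percent-encoded string literal."""
    collector = ScriptCollector()
    collector.feed(html_text)
    collector.close()
    report = {"frame_check": False, "blobs": []}
    for script in collector.scripts:
        report["frame_check"] |= bool(FRAME_CHECK.search(script))
        for _, literal in STRING_LITERAL.findall(script):
            if len(PERCENT_ESCAPE.findall(literal)) < min_escapes:
                continue  # ordinary string, not an encoded block
            raw = unquote_to_bytes(literal)  # static decode only
            printable = sum(b in (9, 10, 13) or 32 <= b < 127 for b in raw) / len(raw)
            kind = "text" if printable >= 0.9 else "binary"  # binary: escalate, do not render
            urls = URL.findall(raw.decode("latin-1")) if kind == "text" else []
            report["blobs"].append({"kind": kind, "size": len(raw), "urls": urls})
    return report

# Constructed sample (not taken from the spam run): one frame check, two encoded literals.
def _enc(data):
    return "".join("%%%02X" % b for b in data)
REDIRECT = b'<meta http-equiv="refresh" content="0;url=http://redirect.example/landing">'
SAMPLE = ("<html><body><script>\nif (top != self) { top.location = self.location; }\n"
          'document.write(unescape("' + _enc(REDIRECT) + '"));\n'
          'var blob = unescape("' + _enc(bytes(range(128, 160))) + '");\n</script></body></html>')

if __name__ == "__main__":
    print(triage_attachment(SAMPLE))
```

A "text" blob with URLs points at the redirect destination to block or investigate; a "binary" blob is a signal to hand the file to a sandbox or malware analyst.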
