This is the trend these days, isn't it: ransomware riding along in an "invoice" email...
In a sense that's not even wrong, since the invoice only shows up after the ransomware has run... lol
☆Subject
FW: Payment 16-03-#65191807
☆Body
Dear rurineko,
We have received this documents from your bank, please review attached documents.
Yours sincerely,
Tabatha Watkins
Account Manager
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
☆Headers
Return-Path: <WatkinsTabatha62645@telepac.pt>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mx.hogehoge.com
X-Spam-Level:
X-Spam-Status: No, score=-6.1 required=13.0 tests=BAYES_00, CONTENT_TYPE_PRESENT,NO_RECEIVED,NO_RELAYS autolearn=ham version=3.3.1
X-Original-To: rurineko@hogehoge.com
Delivered-To: rurineko@hogehoge.com
X-Virus-Scanned: amavisd-new at hogehoge.com
X-DomainKeys: Sendmail DomainKeys Filter v1.0.1 mx.hogehoge.com B9B0C61A3E0
From: Tabatha Watkins <WatkinsTabatha62645@telepac.pt>
X-DomainKeys: Sendmail DomainKeys Filter v1.0.1 mx.hogehoge.com EE64961A3DF
To: rurineko <rurineko@hogehoge.com>
Subject: FW: Payment 16-03-#659807
MIME-Version: 1.0
Message-Id: <14915d0022927732.07F1BD06DE@hogehoge.com>
Date: Fri, 11 Mar 2016 11:31:26 +0100
Content-Type: multipart/mixed; boundary="----==--bound.320d98.d6551ca5.hogehoge.com"
☆Server log (actual data; I logged into the server and pulled this out)
---- Search results ----
Mar 11 20:31:30 mx postfix/cleanup[13557]: EE6ss4961A3DF: message-id=<1491500229277ss32.07F1BD06DE@higehige.com>
Mar 11 20:31:30 mx postfix/cleanup[13557]: B9B0C61A3E0: message-id=<149150022927732.0ss7F1BD06DE@higehige.com>
Mar 11 20:31:31 mx amavis[12376]: (12376-16) Passed CLEAN {RelayedInbound}, [82.154.1.54] <WatkinsTabatha62645@telepac.pt> -> <rurineko@higehige.com>, Message-ID: <1491500229277ss32.07F1BD06DE@higehige.com>, mail_id: SmmIguTc12II, Hits: -, size: 6925, queued_as: B9B0C61dsadsaA3E0, 544 ms
Mar 11 20:31:31 mx spamd[450]: spamd: processing message <149150022927s732.s07F1BDs06DE@higehige.com> for rurineko:102
Mar 11 20:31:31 mx spamd[450]: spamd: result: . -6 - BAYES_00,CONTENT_TYPE_PRESENT,NO_RECEIVED,NO_RELAYS scantime=0.5,size=7113,user=rurineko,uid=102,required_score=13.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=38241,mid=<149150022927732.07F1aaBD06DE@higehige.com>,bayes=0.000001,autolearn=ham
---- End of search results ----
The ransomware doesn't seem to get caught by the antivirus software running on the server;
it comes out as CLEAN. On top of that, it sails through the spam filter too.
They've built it well, haven't they.
☆Sending host information
82.154.1.54
Sending country: Portugal. It's come a long way...
☆Provider information
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '82.154.0.0 - 82.154.243.255'
% Abuse contact for '82.154.0.0 - 82.154.243.255' is 'abuse@mail.telepac.pt'
inetnum: 82.154.0.0 - 82.154.243.255
netname: MEO-BROADBAND
descr: PT Comunicacoes S.A.
descr: Dynamic Address Range
country: PT
remarks: NCC #2004061957
admin-c: TP3302-RIPE
tech-c: TP3302-RIPE
status: ASSIGNED PA
mnt-by: TELEPAC-MNT
mnt-routes: TELEPAC-MNT
created: 2004-06-17T15:23:31Z
last-modified: 2016-02-05T17:37:06Z
source: RIPE # Filtered
role: MEO-RESIDENCIAL
org: ORG-TCIS1-RIPE
address: Local Internet Registry Management
address: MEO - SERVICOS DE COMUNICACOES E MULTIMEDIA S.A.
address: Av. Fontes Pereira de Melo, 40 - 3 Bl A
address: Forum Picoas – 1069-300 Lisboa
address: Portugal
phone: +351-215000000
admin-c: LL1052-RIPE
admin-c: MCN5-RIPE
admin-c: HCR20-RIPE
admin-c: NPM17-RIPE
admin-c: DPM37-RIPE
admin-c: LAS102-RIPE
admin-c: TPM7-RIPE
tech-c: RTM15-RIPE
tech-c: FSG53-RIPE
tech-c: JCO39-RIPE
tech-c: PPB29-RIPE
tech-c: HAC24-RIPE
tech-c: HCO6-RIPE
tech-c: AA2895-RIPE
tech-c: PG259-RIPE
nic-hdl: TP3302-RIPE
abuse-mailbox: abuse@mail.telepac.pt
mnt-by: TELEPAC-MNT
created: 2002-08-12T09:57:20Z
last-modified: 2015-06-05T10:59:42Z
source: RIPE # Filtered
% Information related to '82.154.0.0/15AS3243'
route: 82.154.0.0/15
descr: PT Comunicacoes S.A.
origin: AS3243
mnt-by: TELEPAC-MNT
created: 2003-11-20T15:22:56Z
last-modified: 2014-01-31T16:21:38Z
source: RIPE
% This query was served by the RIPE Database Query Service version 1.85.1 (DB-2)
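The server log above had to be correlated by hand: the postfix cleanup lines, the amavis verdict and the spamd result all refer to the same mail through its Message-Id, and the whois lookup is what tells you the relay sits in a residential dynamic range. As an added example that is not part of this post (and not the author's own tooling), here is a small Python script that does that correlation and then lists the reasons a defender should still treat the mail as suspicious even though amavis said CLEAN and the spam score was far below the threshold. The sample log lines are constructed from the headers pasted above (queue ids EE64961A3DF and B9B0C61A3E0, the Message-Id, the relay 82.154.1.54); the 82.154.0.0/15 range is the route object from the whois output; the regular expressions assume the log formats shown in this post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: postfix/amavis/spamd lines modelled on the post's excerpt,
# using the queue ids and Message-Id visible in the pasted headers rather than
# the author's redacted log lines.
SAMPLE_LOG = """\
Mar 11 20:31:30 mx postfix/cleanup[13557]: EE64961A3DF: message-id=<14915d0022927732.07F1BD06DE@hogehoge.com>
Mar 11 20:31:30 mx postfix/cleanup[13557]: B9B0C61A3E0: message-id=<14915d0022927732.07F1BD06DE@hogehoge.com>
Mar 11 20:31:31 mx amavis[12376]: (12376-16) Passed CLEAN {RelayedInbound}, [82.154.1.54] <WatkinsTabatha62645@telepac.pt> -> <rurineko@hogehoge.com>, Message-ID: <14915d0022927732.07F1BD06DE@hogehoge.com>, mail_id: SmmIguTc12II, Hits: -, size: 6925, queued_as: B9B0C61A3E0, 544 ms
Mar 11 20:31:31 mx spamd[450]: spamd: result: . -6 - BAYES_00,CONTENT_TYPE_PRESENT,NO_RECEIVED,NO_RELAYS scantime=0.5,size=7113,user=rurineko,uid=102,required_score=13.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=38241,mid=<14915d0022927732.07F1BD06DE@hogehoge.com>,bayes=0.000001,autolearn=ham
"""

# Dynamic/residential ranges. This one is the route object from the whois
# output in the post; in production it would come from a whois lookup or feed.
DYNAMIC_RANGES = [ipaddress.ip_network("82.154.0.0/15")]

# Log formats as they appear in this post's excerpt (assumed; other amavis
# versions also log a port after the relay address).
CLEANUP_RE = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-F]+): message-id=<(?P<mid>[^>]+)>"
)
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<verdict>(?:Passed|Blocked) [A-Z-]+) \{[^}]*\}, "
    r"\[(?P<ip>[^\]]+)\] <(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>, "
    r"Message-ID: <(?P<mid>[^>]+)>.*?queued_as: (?P<qid>[0-9A-F]+)"
)
SPAMD_RE = re.compile(
    r"spamd: result: [.Y] (?P<score>-?\d+) - (?P<tests>\S+) "
    r".*?required_score=(?P<required>[\d.]+).*?mid=<(?P<mid>[^>]+)>"
)


def new_record():
    return {"queue_ids": [], "relay_ip": None, "sender": None, "rcpt": None,
            "verdict": None, "score": None, "required": None, "tests": []}


def parse_log(text):
    """Fold postfix, amavis and spamd lines into one record per Message-ID."""
    records = defaultdict(new_record)
    for line in text.splitlines():
        if m := CLEANUP_RE.search(line):
            rec = records[m["mid"]]
            if m["qid"] not in rec["queue_ids"]:
                rec["queue_ids"].append(m["qid"])
        elif m := AMAVIS_RE.search(line):
            rec = records[m["mid"]]
            rec.update(relay_ip=m["ip"], sender=m["sender"],
                       rcpt=m["rcpt"], verdict=m["verdict"])
            if m["qid"] not in rec["queue_ids"]:  # post-filter re-injection id
                rec["queue_ids"].append(m["qid"])
        elif m := SPAMD_RE.search(line):
            rec = records[m["mid"]]
            rec.update(score=int(m["score"]), required=float(m["required"]))
            rec["tests"] = [] if m["tests"] == "none" else m["tests"].split(",")
    return dict(records)


def triage(rec):
    """Defender-side findings: why 'CLEAN' plus a low spam score is not a safety verdict."""
    findings = []
    ip = ipaddress.ip_address(rec["relay_ip"]) if rec["relay_ip"] else None
    for net in DYNAMIC_RANGES:
        if ip is not None and ip in net:
            findings.append(f"relay {ip} sits in dynamic/residential range {net}, "
                            "which is unexpected for a bank's 'documents' mail")
    if (rec["verdict"] and rec["verdict"].startswith("Passed")
            and rec["score"] is not None and rec["score"] < rec["required"]):
        findings.append(f"content filters let it through: amavis '{rec['verdict']}', "
                        f"spam score {rec['score']} against a threshold of {rec['required']}; "
                        "AV signatures and Bayes scores are not evidence the attachment is safe")
    if {"NO_RECEIVED", "NO_RELAYS"} & set(rec["tests"]):
        # These SpamAssassin rules are informational: spamd saw no Received
        # chain, so relay-based rules (DNSBL lookups) had no host to score.
        findings.append("spamd saw no Received chain (NO_RECEIVED/NO_RELAYS), so "
                        "relay-based rules could not score the sending host")
    return findings


if __name__ == "__main__":
    for mid, rec in parse_log(SAMPLE_LOG).items():
        print(f"{mid}: queue ids {rec['queue_ids']}, from {rec['sender']} via {rec['relay_ip']}")
        for finding in triage(rec):
            print("  -", finding)
```

Run on the sample it prints one record with both queue ids (the original EE64961A3DF and the post-amavis re-injection B9B0C61A3E0) and three findings. The useful habit here is treating the AV and spam verdicts as inputs to triage rather than as the answer: a mail from a residential dynamic range that claims to carry bank documents deserves attachment sandboxing or a policy hold regardless of what the scanners said.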
So anyway, two of these ransomware emails came in.
Please be very careful not to open this kind of email when it arrives.
☆An interesting article came out! "It's a Mac, so I'm safe, right?" Not so safe, it seems.
http://www.itmedia.co.jp/enterprise/articles/1603/07/news068.html