[pchelpers] Re: non text virus


Hello Scott

Looked at one it had lines and lines of AAAAAAAA then all kinds of letters
then more lines of AAAAAAA, but they were little bitty AAAAAAAA 's. Thanks
you are a good teacher.

Pen

> Hi again, Pen!
>
> You're using Outlook Express 6.  Right-click on the line for the message
> and select Properties.  Click Details, then click Message Source.  Look
> for a line that looks like this:
>
>    Content-Type: multipart/mixed;  boundary="(whatever)"
>
> Note the (whatever) text.  Go down to the bottom and see if that text is
> at the end.  If it doesn't, the message is malformed; Outlook and
> Outlook Express don't like these, and messages that are malformed like
> this are virtually guaranteed to be spam.
>
> Now, go back up to the top, and search again, for a set of three lines
> that look like this:
>
>    (whatever)
>    Content-Type: text/plain; charset="iso-8859-1"
>    Content-Transfer-Encoding: base64
>
> If you see this, and you see "gibberish" following (nothing readable,
> just letters and numbers), then the message has been obfuscated by the
> spammer to keep content filters from flagging it.  This is a
> near-certain indication that the message is spam.
>
> Here's an example message:
>
> --------------------------------------------------
> [some headers snipped for privacy]
> Subject: Euro is running now is the time to bite.
> Date: Fri, 26 Jul 0102 15:13:01 -0900
> MiME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="----=_NextPart_000_00C8_68D88A0B.A5514B27"
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook, Build 10.0.2627
> Importance: Normal
> X-UIDL: 274660955
> Status: U
>
> ------=_NextPart_000_00C8_68D88A0B.A5514B27
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: base64
>
>
> T24gSmFudWFyeSAxc3QgMjAwMiwgdGhlIEV1cm9wZWFuIGNvdW50cmllcyBi
> ZWdhbg0KdXNpbmcgdGhlIG5ldyBFdXJvLiAgTmV2ZXIgYmVmb3JlIGhhdmUg
> c28NCm1hbnkgY291bnRyaWVzIHdpdGggc3VjaCBwb3dlcmZ1bCBlY29ub21p
> ZXMgdW5pdGVkDQp0byB1c2UgYSBzaW5nbGUgY3VycmVuY3kuICBXZSB3b3Vs
> ZCBsaWtlIHRvIHNlbmQgeW91IGEgDQpGUkVFIHJlcG9ydCBvbiB3b3JsZCBj
> dXJyZW5jeS4gIEp1c3QgdmlzaXQgb3VyIHNpdGUgdG8gDQpyZXF1ZXN0IHlv
> dXIgRXVybyByZXBvcnQ6DQoNCmh0dHA6Ly93d3cubmV3dG9waWNzLmNvbS9m
> cmVlZXVyb3JlcG9ydC8NCg0KSW4gYWRkaXRpb24gdG8gb3VyIGN1cnJlbmN5
> IHJlcG9ydCwgeW91IGNhbiByZWNlaXZlDQpvdXIgRlJFRSBJTlZFU1RNRU5U
> IFBBQ0tBR0U6DQoNCiogIExlYXJuIGhvdyAkMTAsMDAwIGluIG9wdGlvbnMg
> d2lsbCBsZXZlcmFnZSAkMSwwMDAsMDAwIGluDQpFdXJvIEN1cnJlbmN5LiBU
> aGlzIG1lYW5zIGV2ZW4gYSBzbWFsbCBtb3ZlbWVudCBpbiB0aGUgbWFya2V0
> DQpoYXMgaHVnZSBwcm9maXQgcG90ZW50aWFsLg0KDQpJZiB5b3UgYXJlIG92
> ZXIgYWdlIDIxIGFuZCBoYXZlIHNvbWUgcmlzayBjYXBpdGFsLCBpdCdzDQpp
> bXBvcnRhbnQgdGhhdCB5b3UgZmluZCBvdXQgaG93IHRoZSBFdXJvIHdpbGwN
> CmNoYW5nZSB0aGUgZWNvbm9taWMgd29ybGQgYW5kIGhvdyB5b3UgY2FuIHBy
> b2ZpdCENCg0KaHR0cDovL3d3dy5uZXd0b3BpY3MuY29tL2ZyZWVldXJvcmVw
> b3J0Lw0KDQokMTAsMDAwIG1pbmltdW0gaW52ZXN0bWVudA0KDQpJbnZlc3Rp
> bmcgaW4gRm9yZXggQ3VycmVuY3kgb3B0aW9ucyBpcyBzcGVjdWxhdGl2ZSBh
> bmQgaW5jbHVkZXMgYSANCmhpZ2ggZGVncmVlIG9mIHJpc2suIEludmVzdG9y
> cyBjYW4gYW5kIGRvIGxvc2UgbW9uZXkuDQoNCmh0dHA6Ly93d3cubmV3dG9w
> aWNzLmNvbS90YWtlbWVvZmYvIFRvIE9wdE91dC4NCg0KNDQxM0ZkdEU2LTA1
> NkdHT1Q4Njc3VGNCczctMjAyZXlVUzY5OTN0REhjMS01NTNsNDQ=
> --------------------------------------------------
>
> I know about this because I sent this to an anti-spam mailing list to
> see what they thought.
>
> --Scott.
>
>

Other related posts: