CDS Group Email Spam/Malicious Attachments

Over recent days, my mail relay has been receiving repeated email spam/malicious attachments to various accounts where the ‘from’ address claims to be ‘accounts@cdsgroup.co.uk’. CDS Group is a courier business operating in the UK. The emails contain zip files, and in turn, the zip file contains a malicious xls.scr file which can cause nastiness on your PC. More information on this CDS Group email can be seen on the excellent Dynamoo Blog.
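The attachment in this campaign is a double-extension trick: a file named like a spreadsheet (.xls) that actually ends in .scr, a Windows screensaver, which is a plain executable. The following is an added example (not code from the blog or from amavisd) showing how a mail gateway can flag such names inside a zip before it reaches a mailbox. The sample zip and its member names are constructed here to resemble the one in the log; the payload bytes are placeholder text, not an executable.

```python
"""Flag risky attachment names inside a zip attachment.

Added example; mirrors the idea behind the 'Banned name' check seen in the
quarantine notice: an executable extension, optionally hidden behind a
document-like extension such as .xls.
"""
import io
import zipfile

# Extensions Windows will run directly when double-clicked. .scr is a PE
# executable despite the "screensaver" name.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jar", "msi", "hta",
}

# Extensions a user would expect on a harmless business document.
DOCUMENT_EXTENSIONS = {"xls", "xlsx", "doc", "docx", "pdf", "txt", "jpg", "png"}


def risky_names(zip_bytes):
    """Return [(member_name, reason)] for zip members with an executable extension.

    The reason distinguishes a bare executable (setup.exe) from one disguised
    with a document extension in front of it (invoice.xls.scr).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Look only at the base name, lower-cased, split on dots.
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            if len(parts) < 2:
                continue  # no extension at all
            ext = parts[-1]
            if ext not in EXECUTABLE_EXTENSIONS:
                continue
            reason = "executable extension ." + ext
            if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
                reason = "executable disguised as ." + parts[-2] + " (double extension)"
            findings.append((info.filename, reason))
    return findings


def zip_with_names(names):
    """Build an in-memory zip holding the given member names with placeholder content.

    Constructed test data only; nothing here is a real program.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder bytes, not a real file")
    return buf.getvalue()


def build_sample_zip():
    """Constructed sample shaped like the attachment named in the log."""
    return zip_with_names(["invoice_cdsgroup_799543.xls.scr", "readme.txt"])


if __name__ == "__main__":
    for name, reason in risky_names(build_sample_zip()):
        print(f"BANNED: {name} ({reason})")
```

Scanning the member names is only the cheap first layer; a gateway should also look at the member's magic bytes, since an attacker can rename a file freely. It does, however, catch exactly the pattern in this campaign without needing to execute or unpack anything beyond the zip directory.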

Here, from my mail logs, is one such attempt.

Banned name: .exe,invoice_cdsgroup_799543.xls/invoice_cdsgroup_799543.xls.scr
Content type: Banned
Internal reference code for the message is 22915-03/KkviimjUhz4l
First upstream SMTP client IP address: [202.43.74.182]
According to a 'Received:' trace, the message apparently originated at:
 [202.43.74.182], [202.43.74.182] unknown [202.43.74.182]
Return-Path: <accounts@cdsgroup.co.uk>
From: "Kris Haley CDS Group" <accounts@cdsgroup.co.uk>
Message-ID: <20140807180922.A9A8119A8F8E354F@cdsgroup.co.uk>
Subject: CDS Invoice: 412-96221
The message has been quarantined as: banned@unimatrixzero.co.uk

CDS Group, as far as I can tell, don’t operate in Indonesia, which is where the originating IP is from:

inetnum:        202.43.72.0 - 202.43.75.255
netname:        INTERLINK-TECH-ID
descr:          PT. INTERLINK TECHNOLOGY
descr:          Internet Service Provider
descr:          Cyber Data Centre 5th Floor
descr:          Cyber Building.
descr:          Jl. Kuningan Barat no. 8
descr:          Jakarta Selatan, 12710
country:        ID

So, CDS Group are completely innocent in this case, and I feel sorry for them. It’s a trivial matter to fake the ‘from’ address on an email; anyone can do it. Fortunately, they’ve now deleted the ‘accounts’ email alias on their domain, so anything claiming to be from that address is invalid.

It’s also a trivial matter to block emails claiming to be from ‘accounts@cdsgroup.co.uk’. I use Postfix as my mail relay software, and have added the following line to a ‘sender_access’ DB file, which blocks email matching certain conditions.

accounts@cdsgroup.co.uk     REJECT May your shit come to life and kiss you

As the SMTP 550 response says ‘May your shit come to life and kiss you’ (quoting the awesomeness of Frank Zappa).
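To see exactly what that one access-table line catches, here is an added example (not the blog's or Postfix's own code) that emulates the lookup order Postfix applies to a sender_access table: the full address, then the domain and its parent domains, then the ‘localpart@’ form. The second table, blocking the whole cdsgroup.co.uk domain, is constructed here purely for contrast and is not something the post recommends. Note that check_sender_access tests the envelope sender (the MAIL FROM / Return-Path), which in the logged message is the same spoofed address; a sender that spoofs only the header From: would sail past this rule.

```python
"""Emulate Postfix check_sender_access lookups against a sender_access table.

Added example following the access(5) lookup order for e-mail addresses:
  1. user@domain      (full address)
  2. domain, then each parent domain (default parent_domain_matches_subdomains
                      behaviour for smtpd_access_maps)
  3. user@            (any domain with that local part)
Keys are folded to lower case, as postmap does by default.
"""
import re

# The line from the post, verbatim.
POST_TABLE_TEXT = "accounts@cdsgroup.co.uk     REJECT May your shit come to life and kiss you"

# Constructed for contrast only: a domain-wide entry (would also block the
# courier's legitimate mail, so it is not what the post does).
DOMAIN_TABLE_TEXT = "cdsgroup.co.uk     REJECT domain-wide block (example only)"


def parse_access_map(text):
    """Parse access(5) source text into {lowercased_key: action_string}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\s+", line, maxsplit=1)
        if len(fields) < 2:
            continue  # key without an action is malformed; postmap would complain
        key, action = fields
        table[key.lower()] = action
    return table


def lookup_sender(table, sender):
    """Return (matched_key, action) for an envelope sender, or None if no entry matches."""
    sender = sender.lower()
    if "@" not in sender:
        return None
    localpart, domain = sender.rsplit("@", 1)
    labels = domain.split(".")
    candidates = [sender, domain]
    # Parent domains: for a.b.co.uk try b.co.uk, co.uk, uk.
    candidates += [".".join(labels[i:]) for i in range(1, len(labels))]
    candidates.append(localpart + "@")
    for key in candidates:
        if key in table:
            return key, table[key]
    return None


def decide(table, sender):
    """Action keyword Postfix would apply (REJECT, OK, ...) or DUNNO when nothing matches."""
    hit = lookup_sender(table, sender)
    return hit[1].split()[0] if hit else "DUNNO"


POST_TABLE = parse_access_map(POST_TABLE_TEXT)
DOMAIN_TABLE = parse_access_map(DOMAIN_TABLE_TEXT)

if __name__ == "__main__":
    for sender in ("accounts@cdsgroup.co.uk", "Accounts@CDSGroup.co.uk",
                   "kris@cdsgroup.co.uk", "x@mail.cdsgroup.co.uk", "accounts@example.org"):
        print(f"{sender:30} exact-entry table: {decide(POST_TABLE, sender):6} "
              f"domain-wide table: {decide(DOMAIN_TABLE, sender)}")
```

The exact-address entry is deliberately narrow: it rejects the spoofed ‘accounts@’ sender in any letter case but leaves the rest of cdsgroup.co.uk alone, which is the right shape for an innocent third party whose one alias is being abused.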
