CDS Group Email/Malicious Attachments
Over recent days, my mail relay has been receiving repeated email spam/malicious attachments to various accounts where the ‘from’ address claims to be ‘email@example.com’. CDS Group is a Courier Business operating in the UK. The emails contain zip files, and in-turn, the zip file contains a malicious xls.scr file which can cause nastiness on your PC. More information on CDS Group Email can be seen on the excellent Dynamoo Blog.
Here, from my mail logs is one such attempt.
Banned name: .exe,invoice_cdsgroup_799543.xls/invoice_cdsgroup_799543.xls.scr Content type: Banned Internal reference code for the message is 22915-03/KkviimjUhz4l First upstream SMTP client IP address: [22.214.171.124] According to a 'Received:' trace, the message apparently originated at: [126.96.36.199], [188.8.131.52] unknown [184.108.40.206] Return-Path: <firstname.lastname@example.org> From: "Kris Haley CDS Group" <email@example.com> Message-ID: <20140807180922.A9A8119A8F8E354F@cdsgroup.co.uk> Subject: CDS Invoice: 412-96221 The message has been quarantined as: firstname.lastname@example.org
CDS Group as far as I can tell don’t operate in Indonesia which is where the originating IP is from –
inetnum: 220.127.116.11 - 18.104.22.168 netname: INTERLINK-TECH-ID descr: PT. INTERLINK TECHNOLOGY descr: Internet Service Provider descr: Cyber Data Centre 5th Floor descr: Cyber Building. descr: Jl. Kuningan Barat no. 8 descr: Jakarta Selatan, 12710 country: ID
So, CDS Group are completely innocent in this case, and I feel sorry for them. It’s a trivial matter to fake the ‘from’ address on an email, anyone can do it. Fortunately, they’ve now deleted the ‘accounts’ email alias on their domain, so anything claiming to be from that address is invalid.
It’s also a trivial matter to block emails claiming to be from ‘email@example.com’. I use Postfix as my mail relay software, and have added the following line to a ‘sender_access’ DB file which blocks email matching certain conditions.
firstname.lastname@example.org REJECT May your shit come to life and kiss you
As the SMTP 550 response says ‘May your shit come to life and kiss you’ (quoting the awesomeness of Frank Zappa).