Welcome to Orange Frog Productions Scams, Shams & Flim-Flams Section

Malware Email Example #007 (Postcard from Family Member)

Please be sure to read my Malware Home Page

NOTE: This page is under construction/conversion.
It has not been completely converted to OFPv2 standards.
When that is done, this paragraph will go away.
Meanwhile, all external links on this page open a new window.

Things I Did, Below

I, personally, receive email in HTML format. The following is shown the way it looked when I received it.

  • I removed my email addresses. These came to various accounts and some no longer exist. There are places on this site you can get hold of me if you wish or need to. They are protected from spambots using JavaScript, but all you have to do is click on them.
  • All scammer and related email addresses, and any actual website links, have been changed, at least by putting spaces into them. They appear as underlined blue links, though they aren't.
  • Any notes I added in the actual letter are in square brackets ("[" "]"), are bold, red in color, and highlighted. If what I found "behind the links" (email or website) differs from what was displayed, I will include it in this type of note.
  • All spelling, spacing, line-wrapping, and punctuation errors are the ones that appeared in the original received email. (I may or may not analyze some or all of these.)

Malware Email Example 007a
Received 03/08/2007

Subject: You've received a greeting from a family member!

You can pick up your postcard at the following web address:

http://www2. postcards.org/?d21-sea-sunset

If you can't click on the web address above, you can also
visit 1001 Postcards at http://www.postcards.org/postcards/
and enter your pickup code, which is: d21-sea-sunset [<== doesn't work]

(Your postcard will be available for 60 days.)

Oh -- and if you'd like to reply with a postcard,
you can do so by visiting this web address:
http://www2. postcards.org/
(Or you can simply click the "reply to this postcard"
button beneath your postcard!)

We hope you enjoy your postcard, and if you do,
please take a moment to send a few yourself!

Regards,
1001 Postcards
http://www.postcards.org/postcards/ 


[I left names, email addresses, and phone numbers (except my sister's) in here for the search engines to find. DO NOT TRY TO CONTACT THEM! They sent a virus! -LE]

Example Email 007a Headers
03/08/2007

X-Message-Status: s1:0
X-SID-PRA: postcards1001 <postcards @ postcards1001.com>
X-Message-Info: txF49lGdW42OD/V907VhNpcudEf73X1cWuAp20ClX2g=
Received: from mail.sivcovich.com ([68.143.60.154]) by bay0-mc7-f22.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
Thu, 8 Mar 2007 08:44:08 -0800
Received: from User ([81.181.16.151]) by mail.sivcovich.com with Microsoft SMTPSVC(5.0.2195.6713);
Thu, 8 Mar 2007 10:43:37 -0600
Reply-To: <abc_00_br @ yahoo.com>
From: "postcards1001"<postcards @ postcards1001.com>
Subject: You've received a greeting from a family member!
Date: Thu, 8 Mar 2007 18:43:37 +0200
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: postcards @ postcards1001.com
Message-ID: <FS17bieLYCT4aJ6pkNz00000307 @ mail.sivcovich .com>
X-OriginalArrivalTime: 08 Mar 2007 16:43:37.0989 (UTC) FILETIME=[EBAB6B50:01C761A0]

Malware Email Example 007b
Received 03/13/2007

Subject: postcards

You have just received a virtual postcard from a family member!

[Everything else was the same as in Example 007a]


[I left names, email addresses, and phone numbers (except my sister's) in here for the search engines to find. DO NOT TRY TO CONTACT THEM! They sent a virus! -LE]

Example Email 007b Headers
03/13/2007

X-Message-Status: n:0
X-SID-PRA: postcards1001 <postcards @ postcards1001.com>
X-Message-Info: txF49lGdW40oaLtnnwuFH8isfpMMSlBE8w62K2Yn1LWeSXlZM5kymgaWpQiFWBHk
Received: from mx1.fidelityaccess.net ([66.94.70.211]) by bay0-mc5-f6.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
Tue, 13 Mar 2007 05:37:48 -0700
Received: from localhost (localhost [127.0.0.1])
by mx1.fidelityaccess.net (Postfix) with ESMTP id BDAAB1AA3AF;
Tue, 13 Mar 2007 07:35:41 -0500 (EST)
Received: from mx1.fidelityaccess.net ([66.94.70.211])
by localhost (mx1.fidelityaccess.net [127.0.0.1]) (amavisd-new, port 10025)
with ESMTP id 20930-05; Tue, 13 Mar 2007 07:35:41 -0500 (EST)
Received: from mail.peasecpa.com (mail.peasecpa.com [66.94.92.163])
by mx1.fidelityaccess.net (Postfix) with ESMTP id 431E41A8B85;
Tue, 13 Mar 2007 07:35:41 -0500 (EST)
Received: from User ([81.181.16.151]) by mail.peasecpa.com with Microsoft SMTPSVC(6.0.3790.1830);
Tue, 13 Mar 2007 08:38:13 -0400
Reply-To: <abc_00_br @ yahoo.com>
From: "postcards1001" <postcards @ postcards1001.com>
Subject: postcards
Date: Tue, 13 Mar 2007 14:35:35 +0200
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <MAIL-SVRTivbmaxhQYA0000168d @ mail.peasecpa.com>
X-OriginalArrivalTime: 13 Mar 2007 12:38:14.0031 (UTC) FILETIME=[779279F0:01C7656C]
To: undisclosed-recipients: ;
Return-Path: postcards @ postcards1001.com

Malware Email Example 007c
Received 03/15/2007

Subject: You have just received a virtual postcard from a family member!

You have just received a virtual postcard from a family member!

[Everything else was the same as in Example 007a]


[I left names, email addresses, and phone numbers (except my sister's) in here for the search engines to find. DO NOT TRY TO CONTACT THEM! They sent a virus! -LE]

Example Email 007c Headers
03/15/2007

X-Message-Status: n:0
X-SID-PRA: postcards1001 <postcards @ postcards1001.com>
X-Message-Info: txF49lGdW42uAtqv4eOPmFEbSCC7jQFe0nuKpFJxynLkdloBhoR7pjyS2t96t6FI
Received: from businessaircraftgroup.com ([66.94.84.228]) by bay0-mc6-f19.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
Thu, 15 Mar 2007 14:31:08 -0700
Received: from User ([81.181.16.151]) by businessaircraftgroup.com with Microsoft SMTPSVC(6.0.3790.1830);
Thu, 15 Mar 2007 17:32:47 -0400
Reply-To: <abc_00_br @ yahoo.com>
From: "postcards1001"<postcards @ postcards1001.com>
Subject: You have just received a virtual postcard from a family member!
Date: Thu, 15 Mar 2007 23:31:09 +0200
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: postcards @ postcards1001.com
Message-ID: <BAG1drTgwymWZRdmhfU00000cb4 @ businessaircraftgroup.com>
X-OriginalArrivalTime: 15 Mar 2007 21:32:48.0093 (UTC) FILETIME=[7A0770D0:01C76749]

Notes

I clicked the link in the first one I received, though I was suspicious of the email. Why was I suspicious?

  1. No "family member" name or email address is given anywhere. Any e-card company I have seen/used asks from whom the card is being sent, their email address, to whom it's to go, and their email address at the bare minimum. If it's sending through a mailto: link, the sender's email address is in the FROM:, not the company's.
  2. The "TO:" address is blank (leading me to believe it was a mass-mailing to a BCC'd (Blind Carbon-Copy) list).
  3. The links in the email didn't match.

Even so, I thought it possible that a friend had found another free-ecard company. When I clicked the first link, it attempted to download a .EXE file.

  1. For a "postcard company" not to bring someone to their site so they can see what's offered seems very wrong. Most sites out there live and die by "hits" - the number of people who visit the site, and "page visits/views" - the number of pages each new visitor views.
  2. A .EXE file is an executable program or a self-extracting zip-file. The problem is, you don't know until you click it.
    1. If it's a program, what does it do? It can do all kinds of nasty things to your computer, from simply deleting files (you DO have backups, don't you?), to appearing to do nothing while in reality loading a virus/Trojan Horse/spyware/adware/etc., to running an innocuous program that simply shows a card.
    2. If it's a self-extracting zip, why would a POSTcard need one? JPEGs and most other single images are already about as compressed as they can be. It did NOT say it was a PowerPoint presentation (slideshow, etc.) or any other such "show".

    As is stated on this site and many others: "If you don't know the person from whom you've received an email, DO NOT OPEN ANY ATTACHMENTS." And be VERY careful even if you DO know from whom it came. (THEY could have a virus sending itself around.)
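The point above is that a file name alone tells you nothing about what will run. A defender does not have to click to find out: the first bytes of a download identify it. The following is an added example, not code from this page or from any of the sites named on it; the sample "downloads" are constructed minimal byte strings (a bare MZ/PE header, the same with a zip archive appended, and the start of a JPEG), and the file names are hypothetical.

```python
"""Tell what a downloaded "postcard" really is from its content, not its
file name, before anything opens it. Added example, not from this page; the
sample files below are constructed minimal byte strings, not real downloads."""
import os
import struct

E_LFANEW = 0x3C  # MZ header field holding the offset of the "PE\0\0" signature


def classify(data: bytes) -> str:
    """Label the content by its magic bytes (file signature)."""
    if data[:2] == b"MZ":
        # Windows executable: the DOS stub points at the PE header
        if len(data) >= E_LFANEW + 4:
            (pe_off,) = struct.unpack_from("<I", data, E_LFANEW)
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                return "pe-executable"
        return "dos-executable"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "unknown"


def is_self_extracting(data: bytes) -> bool:
    """A self-extracting zip is an executable with a zip archive appended
    after the PE image; look for a zip local-file header past the MZ header."""
    return classify(data) == "pe-executable" and b"PK\x03\x04" in data[E_LFANEW + 4:]


EXT_TO_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}


def verdict(filename: str, data: bytes) -> str:
    """A postcard should be a plain image; refuse executables and any
    name/content mismatch, which is how a disguised program is caught."""
    kind = classify(data)
    ext = os.path.splitext(filename.lower())[1]
    if kind in ("pe-executable", "dos-executable"):
        what = "self-extracting archive" if is_self_extracting(data) else "executable"
        return f"refuse: {filename} is a Windows {what}, not a picture"
    if ext in EXT_TO_KIND and EXT_TO_KIND[ext] != kind:
        return f"refuse: {filename} is named as {EXT_TO_KIND[ext]} but contains {kind}"
    if kind in EXT_TO_KIND.values():
        return f"ok: {filename} is a {kind} image"
    return f"refuse: {filename} is not an image ({kind})"


# Constructed samples: a minimal MZ/PE header (no code), the same with a zip
# archive appended, and the first bytes of a JPEG.
SAMPLE_PE = (b"MZ" + b"\0" * (E_LFANEW - 2) + struct.pack("<I", 0x40)
             + b"PE\0\0" + struct.pack("<H", 0x14C) + b"\0" * 18)
SAMPLE_SFX = SAMPLE_PE + b"PK\x03\x04" + b"\0" * 26
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, blob in [("postcard.exe", SAMPLE_PE), ("postcard.exe", SAMPLE_SFX),
                       ("postcard.jpg", SAMPLE_PE), ("postcard.jpg", SAMPLE_JPEG)]:
        print(verdict(name, blob))
```

Only the signature bytes are inspected, so the check works on a file that has been saved but never opened; a mail gateway or download scanner would apply the same name-versus-content test to every attachment.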

Rather than risk it (new viruses appear every day, you know... My AntiVirus might have caught it, but...), I cancelled, rather than open or save it, and did a quick Google search on "postcards1001". The first link found was You've Received A Greeting Card From A Family Member Hoax.

Some of the others found:

So, I created this page to warn others.

BTW: From the 007a email headers:

  • Note the difference between the link to where you are supposed to "pick up" your postcard and the link for 1001 Postcards (www2 vs www). I don't even want to visit the www2.postcards site, and neither should you.
  • postcards.org is located in Sherman Oaks, CA, and, I believe this email is a spoof of one of their emails. (Postcards.org appears to be a legitimate site.)
  • postcards1001.com is controlled by BelgiumDomains - ICANN Accredited Registrar, and again, I believe this was spoofed.
  • sivcovich.com is owned by a CPA in Fenton, MO. This may be where a virus exists, sending these emails out, though I know of no one named sivcovich, especially at the email address to which this one came. [Update 03/16/2007 - Now that I've received versions b & c, I doubt that this is where the virus is. (See paragraph at the end.)]
  • 81.181.16.151 is from Galati, Romania, and, according to RIPE WhoIs, is owned by Genius Network System SRL. This, I believe, is where the email came from.

Notice that b & c came from what appears to be the same user (81.181.16.151) as the first (a) version, but through different servers or web locations (mail.peasecpa.com, an accounting (CPA) group in Cleveland, OH, and businessaircraftgroup.com, a charter aviation group in Cleveland, OH). Now that I've received these, I believe these email addresses were harvested and spoofed to send the email, as was sivcovich.com's, though it's possible they are being sent through them.
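The indicators worked through in the notes above (Reply-To on a different domain from From, no named recipient, links in the body pointing at different hosts, and the earliest Received hop naming the originating address) can be checked mechanically from the raw message. The following is an added example, not code from this page; the message it parses is constructed from the 007a headers and body shown above, with the page's " @ " defanging of addresses left in place, and the HTML body is a hypothetical rendering of the text shown (the page notes that what was behind the links matched what was displayed). The two-label "registered domain" helper is a deliberate simplification.

```python
"""Triage of a "postcard" e-mail against the indicators listed in the notes
above. Added example, not code from the page; RAW_007A is constructed from
the 007a headers and body shown on this page."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional

RAW_007A = """\
Received: from mail.sivcovich.com ([68.143.60.154]) by bay0-mc7-f22.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
 Thu, 8 Mar 2007 08:44:08 -0800
Received: from User ([81.181.16.151]) by mail.sivcovich.com with Microsoft SMTPSVC(5.0.2195.6713);
 Thu, 8 Mar 2007 10:43:37 -0600
Reply-To: <abc_00_br @ yahoo.com>
From: "postcards1001"<postcards @ postcards1001.com>
Subject: You've received a greeting from a family member!
Date: Thu, 8 Mar 2007 18:43:37 +0200
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Bcc:
Return-Path: postcards @ postcards1001.com

<html><body>
<p>You can pick up your postcard at the following web address:</p>
<p><a href="http://www2.postcards.org/?d21-sea-sunset">http://www2.postcards.org/?d21-sea-sunset</a></p>
<p>If you can't click on the web address above, you can also visit
1001 Postcards at <a href="http://www.postcards.org/postcards/">http://www.postcards.org/postcards/</a>
and enter your pickup code, which is: d21-sea-sunset</p>
</body></html>
"""


def refang(text: str) -> str:
    """Undo the ' @ ' defanging used on this page so addresses parse."""
    return re.sub(r"\s+@\s+", "@", text)


def domain_of(addr: Optional[str]) -> str:
    """Domain part of a header address, lower-cased ('' if absent)."""
    _, email_addr = parseaddr(refang(addr or ""))
    return email_addr.rpartition("@")[2].lower()


def originating_ip(msg: Message) -> Optional[str]:
    """IP in the last Received header, i.e. the earliest hop (the one the
    sending machine presented to the first relay)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1])
    return m.group(1) if m else None


def link_hosts(body: str) -> set:
    """Every host named in an http(s) URL in the body."""
    return {h.lower() for h in re.findall(r"https?://([^/\s\"'<>]+)", body)}


def registered_domain(host: str) -> str:
    """Simplification: last two labels (adequate for .com/.org hosts)."""
    return ".".join(host.lower().split(".")[-2:])


def triage(raw: str) -> dict:
    """Return the extracted facts plus a list of indicator codes that fired."""
    msg = message_from_string(raw)
    charset = msg.get_content_charset() or "ascii"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    to_hdr = (msg.get("To") or "").strip()
    hosts = link_hosts(body)
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append("reply_to_mismatch")       # replies go somewhere else
    if not to_hdr or to_hdr.lower().startswith("undisclosed-recipients"):
        findings.append("no_named_recipient")      # bulk/BCC delivery
    if len(hosts) > 1:
        findings.append("multiple_link_hosts")     # www vs www2 in the notes
    if from_dom and from_dom not in {registered_domain(h) for h in hosts}:
        findings.append("sender_not_link_domain")  # postcards1001.com vs postcards.org
    return {
        "origin_ip": originating_ip(msg),
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "link_hosts": sorted(hosts),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(RAW_007A).items():
        print(f"{key}: {value}")
```

The Received chain is read from the bottom up, which is why the originating address comes from the last header rather than the first; the top Received line is only the hop your own provider recorded. Running the same function over the 007b and 007c headers would give the same origin IP with different relays, which is exactly the pattern the note above describes.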



Copyright © 2003, 2004, 2005, 2006, 2007 by Bill Sanders / Full site last modified: October 21, 2006
Any reproduction, printing, or selling of this content is prohibited without express written consent from William D. Sanders.