Information Security News
Yesterday, I received a few interesting emails in my honeypot. I set up catch-all email addresses for domains that are well known to spammers. I'm capturing emails and extracting MIME attachments for further analysis. Today, my honeypot received three ICS files. iCalendar is a file format used to exchange meeting information between users, mainly via email or a file sharing system. Such files use the extension .ics. Postfix logged one of the messages as:
Oct 18 11:27:07 marge postfix/cleanup: 444817C2519: warning: header From: OFICE FILE \ from=xxxx
The ICS file attached to the mail had a valid format but some interesting characteristics. First, it was a cancellation:
METHOD:CANCEL
Then, many recipients (approximately 50) were added as required participants, each ATTENDEE entry ending with RSVP=TRUE:
RSVP=TRUE:mailto:[email protected]
RSVP=TRUE:mailto:[email protected]
RSVP=TRUE:mailto:[email protected]
RSVP=TRUE:mailto:[email protected]
RSVP=TRUE:mailto:[email protected]
You can see that all the participants are listed. Depending on how the recipient's mail client handles the cancellation and how the user declines or replies to it, a notification could be sent to all the listed attendees, propagating the spam. Note that the mail arrived approximately 30 minutes (11:27 GMT+2) before the scheduled time in the meeting request (12:00 - 13:00 GMT+2).
The message itself does not contain malicious content (an ICS file is plain text), but your mail server could be used to relay the notifications to the other attendees, which can get it listed by anti-spam services and damage its reputation. The meeting details could also contain a link to a malicious website.
Did you also see such emails, or do you have more information? Feel free to share!
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
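The diary above describes a pattern a mail gateway can triage automatically: an ICS attachment with METHOD:CANCEL, dozens of ATTENDEE entries carrying RSVP=TRUE, and a start time only minutes after the message arrived. The following script is an added example, not code from the diary or from the ISC; it uses only the Python standard library. The .ics sample is constructed (fifty attendees at example.invalid, a start time matching the diary's 12:00 GMT+2), the received timestamp mirrors the diary's Postfix log (11:27 GMT+2), and the thresholds for attendee count and lead time are assumptions, not values from the diary. It also unfolds RFC 5545 continuation lines, which a naive grep for ATTENDEE would miss.

```python
"""Triage an iCalendar attachment for the cancel-spam pattern (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample: METHOD:CANCEL, 50 required attendees with RSVP=TRUE,
# each ATTENDEE property folded over two physical lines (RFC 5545 section 3.1).
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//constructed sample//EN\r\n"
    "METHOD:CANCEL\r\nBEGIN:VEVENT\r\nUID:constructed-sample-001\r\n"
    "DTSTART:20161018T100000Z\r\nDTEND:20161018T110000Z\r\nSUMMARY:Meeting\r\n"
    "ORGANIZER:mailto:organizer@example.invalid\r\n"
    + "".join(
        "ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION\r\n"
        " ;RSVP=TRUE:mailto:user%02d@example.invalid\r\n" % i
        for i in range(50)
    )
    + "END:VEVENT\r\nEND:VCALENDAR\r\n"
)
# 11:27:07 GMT+2 from the diary's Postfix log, expressed in UTC.
RECEIVED_AT = datetime(2016, 10, 18, 9, 27, 7, tzinfo=timezone.utc)


def unfold(ics_text):
    """Join folded content lines: a line starting with SPACE or TAB continues the previous one."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw == "":
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _split_outside_quotes(text, sep):
    """Split on sep, ignoring separators inside double-quoted parameter values."""
    out, buf, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == sep and not in_quotes:
            out.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    out.append("".join(buf))
    return out


def parse_property(line):
    """Split 'NAME;PARAM=value;...:value' into (NAME, {PARAM: value}, value)."""
    parts = _split_outside_quotes(line, ":")
    head, value = parts[0], ":".join(parts[1:])  # value may itself contain ':' (mailto:)
    head_parts = _split_outside_quotes(head, ";")
    params = {}
    for param in head_parts[1:]:
        key, _, val = param.partition("=")
        params[key.upper()] = val.strip('"')
    return head_parts[0].upper(), params, value


def parse_utc(value):
    """Parse a UTC DATE-TIME (YYYYMMDDTHHMMSSZ); return None for floating/TZID forms rather than guess."""
    if len(value) == 16 and value.endswith("Z"):
        return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return None


def triage_ics(ics_text, received_at, max_rsvp=10, lead_minutes=60):
    """Return counts and findings; thresholds are assumed values for illustration."""
    method, dtstart, attendees = None, None, []
    for line in unfold(ics_text):
        name, params, value = parse_property(line)
        if name == "METHOD":
            method = value.strip().upper()
        elif name == "ATTENDEE":
            attendees.append((params, value))
        elif name == "DTSTART" and dtstart is None:
            dtstart = parse_utc(value)
    rsvp = [a for a in attendees if a[0].get("RSVP", "").upper() == "TRUE"]
    findings = []
    if method == "CANCEL":
        findings.append("METHOD:CANCEL")
    if len(rsvp) >= max_rsvp:
        findings.append("%d attendees with RSVP=TRUE" % len(rsvp))
    if dtstart is not None and timedelta(0) <= dtstart - received_at <= timedelta(minutes=lead_minutes):
        findings.append("DTSTART only %d min after receipt" % ((dtstart - received_at).seconds // 60))
    return {"method": method, "attendee_count": len(attendees), "rsvp_count": len(rsvp),
            "dtstart": dtstart, "findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for finding in triage_ics(SAMPLE_ICS, RECEIVED_AT)["findings"]:
        print("-", finding)
```

Feeding an extracted attachment in place of SAMPLE_ICS and the message's Received time in place of RECEIVED_AT gives a quarantine signal without any network lookups; the quote-aware splitter matters because real ATTENDEE lines carry CN="Last, First" parameters that contain separators.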
by Sean Gallagher
Hillary Clinton isn't the only one who may have had an e-mail security problem. A security researcher has discovered that the Trump Organization's mail servers all run on a version of Microsoft Windows Server that has been out of support for years, with minimal user security. The e-mail servers for Trump's hotels, golf courses and other businesses run on an unpatched version of Windows Server 2003 with Internet Information Server 6—making them a vulnerable target for anyone who might want to gain access to the organization's e-mails.
Security researcher Kevin Beaumont posted the finding on Twitter at 6:00pm on Monday:
Quick update on Trump corp email servers - all internet accessible, single factor auth, no MDM, Win2003, no security patching. pic.twitter.com/nIMTa9UmdL
— Kevin Beaumont (@GossiTheDog) October 17, 2016
Beaumont also found the Trump Organization's Web-based e-mail access page. Until this morning, the Trump Organization allowed Outlook Web Access (OWA) logins from webmail.trumporg.com. Beaumont said he did not attempt to log into the e-mail system.