Yesterday, I received a few interesting emails in myhoneypot. I set up catch-all email addresses for domains that are well known by spammers. Im capturing emails and extracting MIME attachments for further analysis. Today, my honeypot received three ICS files. iCalendar[1]is a file format used to exchange meetinginformation between users, mainly via email or a file sharing system. Such files use the extension .ics"> Oct 18 11:27:07 marge postfix/cleanup[9842]: 444817C2519: warning: header From: OFICE FILE \ from=xxxx to=xxxx proto=ESMTP helo=xxxx

The ICS file attached to the mail had a valid formatbut with some interesting characteristics. First, it was a cancellation">METHOD:CANCEL

Then, many recipients (approximately 50) were added as requiredRSVP=TRUE:mailto:[email protected]=TRUE:mailto:[email protected]=TRUE:mailto:[email protected]=TRUE:mailto:[email protected]=TRUE:mailto:[email protected]" />

You can see that all the participants are listed. Depending on the way the user will cancel or reply to the mail, a notification could be sent to all the attendees, propagating the spam. Note that the mail was sent approximately 30 minutes (11:27 GMT+2) before the scheduled time in the meeting request (12:00 - 13:00 GMT+2).

The message in itself does not contain malicious content (an ICS file contains only text) but your mail server could be used to spread the message to other attendees and affect its reputation in anti-spam lists. The meeting details could also contain a link to a malicious website.

Did you also seesuch emails or do you have more information? Feel free to share!


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Oracle Fusion Middleware CVE-2016-5531 Remote Security Vulnerability
OpenSSL CVE-2016-7052 Denial of Service Vulnerability
Oracle MySQL Server CVE-2015-2568 Remote Security Vulnerability
OpenSSL CVE-2016-6305 Denial of Service Vulnerability
OpenSSL CVE-2016-6302 Denial of Service Vulnerability
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
[SECURITY] [DSA 3695-1] quagga security update
Mozilla Network Security Services CVE-2016-1950 Heap Buffer Overflow Vulnerability
Bouncy Castle CVE-2015-7940 Information Disclosure Vulnerability
Multiple Oracle Products CVE-2016-0635 Remote Security Vulnerability
Wind River VxWorks CVE-2015-3963 Predictable TCP Initial Sequence Security Bypass Vulnerability
B21Soft BASP21 BSMTP.DLL CRLF Injection Vulnerability
Multiple Vendor TCP Initial Sequence Number Statistical Vulnerability
Spring Framework CVE-2013-7315 Denial-Of-Service Vulnerability
[SECURITY] [DSA 3694-1] tor security update

(credit: Gage Skidmore)

Hillary Clinton isn't the only one who may have had an e-mail security problem. A security researcher has discovered that the Trump Organization's mail servers all run on a version of Microsoft Windows Server that has been out of support for years, with minimal user security. The e-mail servers for Trump's hotels, golf courses and other businesses run on an unpatched version of Windows Server 2003 with Internet Information Server 6—making them a vulnerable target for anyone who might want to gain access to the organization's e-mails.

Security researcher Kevin Beaumont posted the finding on Twitter at 6:00pm on Monday:

Beaumont also found the Trump Organization's Web-based e-mail access page. Until this morning, the Trump Organization allowed Outlook Web Access (OWA) logins from Beaumont said he did not attempt to log into the e-mail system.

Read 3 remaining paragraphs | Comments

Internet Storm Center Infocon Status