5iantlavalamp.com ?

Purdy on 2004-09-14T21:17:30

I have this rule in my postfix configuration to block out .com attachments:

/name=[^>]*\.(ade|adp|asd|bas|bat|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|hta|inf|ins|isp|js|jse|lnk|ocx|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pi|pif|prf|reg|scf|scr|sct|shb|shm|shs|swf|uue|vb|vbe|vbs|vbx|vxd|wab|wsc|wsf|wsh)/ REJECT Potentially dangerous file attachment. Please do not include any executable attachments in your email.
So what's interesting is that some people are complaining b/c they're sending us e-mail and the server is rejecting it:
Sep 14 14:13:00 mail postfix/cleanup[24893]: D6354198047: reject: body name=3D"place" downloadurl=3D"http://www.5iantlavalamp.com/"/>; from=<someemail@domain.com> to=<someemail@domain.com>: Potentially dangerous file attachment. Please do not include any executable attachments in your email.
It kinda stuck out at me b/c this was the 2nd time I saw that 5iantlavalamp.com domain, so it piqued my interest. A WHOIS reported it was owned by Microsoft! I go to the Web site and it redirects me to some Office site. So I'm guessing that some new version of Outlook has that stuff embedded in the e-mail message and other Outlooks know about it and will do something (spiffy ;)) w/ that. I'm sure there are no security vulnerabilities there. ;)

I could refine that rule a bit (not sure how at the moment), but I'll wait & see if it becomes a big problem.

Peace,

Jason
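Why the rule fires on that message, and one way to tighten it, as an added example that is not part of Jason's post. The sample lines below are constructed: the first is the body text from the log line above, the others are ordinary MIME part headers. The refined pattern is my suggestion, written for a pcre: body_checks table, not something the poster wrote:

```python
import re

# Extension list copied from the body_checks rule in the post above
# (with the duplicate "lnk" dropped).
DANGEROUS_EXTS = (
    "ade|adp|asd|bas|bat|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|hta|inf|ins|isp|"
    "js|jse|lnk|ocx|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pi|pif|prf|reg|"
    "scf|scr|sct|shb|shm|shs|swf|uue|vb|vbe|vbs|vbx|vxd|wab|wsc|wsf|wsh"
)

# The pattern as posted. [^>]* is the problem: it keeps eating until a ">",
# so a ".com" anywhere later on the same line (here inside the downloadurl)
# satisfies the rule even though the name= value is just "place".
ORIGINAL_RULE = re.compile(r"name=[^>]*\.(" + DANGEROUS_EXTS + r")", re.IGNORECASE)

# Refined pattern (my suggestion, not from the post; assumes a pcre: table).
# The filename may be quoted-printable encoded (name=3D"..."), may or may
# not be quoted, cannot contain quotes, whitespace, ";" or ">", and the
# dangerous extension must be the last one, terminated by a quote,
# whitespace, ";" or end of line.
REFINED_RULE = re.compile(
    r'name=(3D)?"?[^"\s;>]*\.(' + DANGEROUS_EXTS + r')("|\s|;|$)',
    re.IGNORECASE,
)

# Constructed sample lines. The first is the body text from the log line
# quoted above; the rest are typical MIME part headers.
SAMPLE_LINES = {
    "outlook smart tag": 'name=3D"place" downloadurl=3D"http://www.5iantlavalamp.com/"/>',
    "exe attachment": 'Content-Type: application/octet-stream; name="invoice.exe"',
    "exe attachment (quoted-printable)": 'Content-Disposition: attachment; filename=3D"setup.exe"',
    "pdf attachment": 'Content-Type: application/pdf; name="report.pdf"',
    "double extension": 'Content-Type: image/jpeg; name="photo.jpg.exe"',
}


def check(line, rule):
    """True if body_checks with this rule would REJECT the line."""
    return rule.search(line) is not None


def evaluate(lines=SAMPLE_LINES):
    """Map each sample label to (original_rejects, refined_rejects)."""
    return {label: (check(line, ORIGINAL_RULE), check(line, REFINED_RULE))
            for label, line in lines.items()}


if __name__ == "__main__":
    for label, (orig, refined) in evaluate().items():
        print(f"{label:36} original={orig!s:5} refined={refined!s:5}")
```

The smart-tag line is rejected by the posted rule and passed by the refined one, while the real executable attachments (including the quoted-printable and double-extension cases) are still rejected by both. In Postfix the refined line would read /name=(3D)?"?[^"\s;>]*\.(ade|...|wsh)("|\s|;|$)/ REJECT ... with the same extension list. Two caveats: body_checks looks at one line of body text at a time, so it is a blunt tool for attachment names, and the same pattern is usually better placed in mime_header_checks, which examines the actual Content-Type and Content-Disposition headers of each MIME part rather than arbitrary body text.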


check it out

phillup on 2004-09-14T23:03:51

You may find the google cache of the page interesting.

So I'm guessing that some new version of Outlook has that stuff embedded in the e-mail message and other Outlooks know about it and will do something (spiffy ;)) w/ that.
Q:  What measures did you do to research how it was being created?
A:  My company started blocking this particular domain because it looked like another Spam referenced domain name.  We had no idea that it was being embedded within our own outgoing emails until we started blocking the domain name.  All of a sudden, we were blocking hundreds of reply messages.  We quickly removed it from our Spam filter and started researching where the domain originated.  We couldn't find anything about it on the Internet and suspected that it may be some sort of virus.  We quickly ruled out any virus possibility and started looking further into what was actually causing it to appear.  After hours of research, we found it to be generated from users that have the option set in Outlook to use Microsoft Word as their email editor along with smart tag options turned on in Microsoft Word.  It's a combination of options within Office and not easily duplicated but I was successful in getting my computer to do it.