[Tracker-discuss] [issue505] Abuse Message

Izak Burger metatracker at psf.upfronthosting.co.za
Wed Jan 23 11:28:48 CET 2013


New submission from Izak Burger:

Hi all,

I received this abuse report from Hetzner. Basically someone used a
file attached on an issue to bounce people to a spam site for
buying... medication.

I've cleared out the contents of the file so that this will no longer
happen. The original file is in the roundup user's home directory,
file 291, in case anyone wants to see what was done, but it appears to
be a JavaScript attack. It seems that by adding "doc7.html" to the URL
it has somehow tricked the tracker into serving the content with a
content type of html, which causes the browser to execute the
JavaScript, instead of displaying plain text as it should.

----- attachment -----

Return-path: <spamlinks at spamlinks.blocklist.de>
Envelope-to: abuse at hetzner.de
Delivery-date: Fri, 18 Jan 2013 18:11:51 +0100
Received: from [46.252.24.141] (helo=j15757.servers.jiffybox.net)
        by lms.your-server.de with esmtp (Exim 4.74)
        (envelope-from <spamlinks at spamlinks.blocklist.de>)
        id 1TwFTr-0005pn-0y
        for abuse at hetzner.de; Fri, 18 Jan 2013 18:11:51 +0100
Received: by j15757.servers.jiffybox.net (Postfix, from userid 0)
        id B43322375; Fri, 18 Jan 2013 18:24:01 +0100 (CET)
To: abuse at hetzner.de
Subject: [NOREPLY][Blocklist-9095] Spam-Link at your service
X-PHP-Originating-Script: 0:reporting.php
From: Abuse-Team Blocklist.de <spamlinks at spamlinks.blocklist.de>
Reply-To: spamlinks at spamlinks.blocklist.de
X-Mailer: antiabusemailer
X-Arf: yes
X-Report-ID: 9095
MIME-Version: 1.0
Content-type: multipart/mixed;
boundary="81fd830c85363675edb98d2879916d8c"; charset=iso-8859-1
Message-Id: <20130118172401.B43322375 at j15757.servers.jiffybox.net>
Date: Fri, 18 Jan 2013 18:24:01 +0100 (CET)
X-Virus-Scanned: Clear (ClamAV 0.97.5/16520/Fri Jan 18 16:15:26 2013)
X-Spam-Score: 1.3 (+)
Delivered-To: he1-abuse at hetzner.de

--81fd830c85363675edb98d2879916d8c
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=utf-8

Hello Abuse-Team,

your server with the IP: 46.4.197.70 is currently hosting a possible scam-site.
This site has reached an Blocklist-Spamscore of 3600. The concerning
site is following site:
http://psf.upfronthosting.co.za/roundup/meta/file291/doc7.html

Please check this site and do a cleanup if necessary. To resolve this
case, please visit
http://spamlinks.blocklist.de/resolve.php?case=190640713c8ae5259fc9ef68229059b026eda118bd5a083b0d27d1a4

You also can parse this mail with X-ARF tools that can be found at
http://www.x-arf.org/specification.html .

We found your address in the abusix abuse contact database at
http://abusix.com/global-reporting/abuse-contact-db . If this contact
is wrong, please inform info at abusix.com about this.

Please do NOT reply at this email, use the contact form instead.

Regards,
Abuse-Team blocklist.de
http://www.blocklist.de/en/

--81fd830c85363675edb98d2879916d8c
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=utf-8; name="report.txt";

---
Reported-From: spamlinks at spamlinks.blocklist.de
Category: fraud
Report-Type: scam
Service: http
Version: 0.1
User-Agent: V.A.L.O.R. 1.0
Date: Fri, 18 Jan 2013 18:24:01 +0100
Source-Type: uri
Source: http://psf.upfronthosting.co.za/roundup/meta/file291/doc7.html
Domain: psf.upfronthosting.co.za
Port: 80
Report-ID: 9095 at spamlinks.blocklist.de
Schema-URL: http://www.x-arf.org/schema/fraud_0.1.3.json
Attachment: none

--81fd830c85363675edb98d2879916d8c

----------
messages: 2699
nosy: izak
status: unread
title: Abuse Message

_______________________________________________________
PSF Meta Tracker <metatracker at psf.upfronthosting.co.za>
<http://psf.upfronthosting.co.za/roundup/meta/issue505>
_______________________________________________________
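
The behaviour described in the message above, as an added example that is not part of the original post and is not Roundup's code: a response type guessed from the requester-chosen URL suffix, beside a handler that uses only metadata recorded at upload and never renders active content. The function names, the type sets and the stored type/name values are assumptions made for illustration.

```python
import mimetypes
import re

# Types a browser would parse or execute as active content in the tracker's origin.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "application/xml", "application/javascript"}
INLINE_IMAGES = {"image/png", "image/jpeg", "image/gif"}


def headers_from_url_name(url_path):
    """Weak pattern: guess the type from the last URL segment, which the
    requester chooses freely."""
    guessed, _ = mimetypes.guess_type(url_path.rsplit("/", 1)[-1])
    return {"Content-Type": guessed or "application/octet-stream"}


def headers_from_stored_type(stored_type, stored_name):
    """Hardened pattern: use only metadata recorded at upload, and downgrade
    anything active so it is shown as source or downloaded, never rendered."""
    ctype = (stored_type or "").split(";", 1)[0].strip().lower()
    headers = {
        "X-Content-Type-Options": "nosniff",  # no sniffing text/plain into HTML
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if ctype in INLINE_IMAGES:
        headers["Content-Type"] = ctype
    elif ctype in ACTIVE_TYPES or ctype.startswith("text/"):
        headers["Content-Type"] = "text/plain; charset=utf-8"
    else:
        # Hypothetical sanitiser: keep the download name free of quotes/CRLF.
        safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", stored_name or "file")
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = 'attachment; filename="%s"' % safe_name
    return headers


if __name__ == "__main__":
    # Constructed inputs: the URL path is the one in the report; the stored
    # type and name are assumed values for illustration.
    print(headers_from_url_name("/roundup/meta/file291/doc7.html"))
    print(headers_from_stored_type("text/plain", "unnamed"))
    print(headers_from_stored_type("text/html", "doc7.html"))
```

Serving attachments from a separate origin that holds no session cookies limits the impact further if a type check is ever bypassed.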

