The Latest in IT Security

“New message received” spam / and


This malicious spam run is part of this large cluster of malicious sites that I wrote about yesterday.

Date:      Sat, 22 Dec 2012 16:55:38 +0300
From:      “Secure.Message” [[email protected]]
Subject:      New message received

Click here to view the online version.

Hello [redacted],

You have 5 new messages.

Read now
© Copyright 2012 SecurePrivateMessage. All rights reserved.

If you would like to update your profile or unsubscribe, please click here.


If you require Technical Support, please check Support Center for information.

Unlike most recent campaigns where the first link in the email is a legitimate but hacked site, this one links directly to a malware server at [donotclick][emailaddress]&id=[redacted]  with a link that features the email address as part of the URL (presumably to confirm that the address is live). The next step is a redirector link at [donotclick] which loads a fake anti-virus page, and then it attempts to download a Java exploit from [donotclick] is hosted on, and on Seeing two malicious sites so closely together indicates that there is a problem with the netblock, so having a closer look at those IPs shows:
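As a defensive illustration of the live-address trick described above (an added example, not code from the original post): a small Python check that flags any link in a message whose URL embeds the recipient's own address, plain or percent-encoded. The sample message, hostnames and id value are constructed placeholders, not the real ones from this campaign.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import unquote

# Constructed sample modelled on the spam above; hostnames, path and id are
# hypothetical placeholders (.invalid / example.org), not the real campaign values.
SAMPLE_EML = """\
From: "Secure.Message" <noreply@example.invalid>
To: victim@example.org
Subject: New message received
Content-Type: text/html; charset="utf-8"

<p>You have 5 new messages.</p>
<a href="http://malware.example.invalid/index.php?email=victim%40example.org&id=00000">Read now</a>
<a href="http://www.example.org/support">Support Center</a>
"""

URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def recipient_addresses(raw_message: str) -> set[str]:
    """Lowercased addresses taken from the To and Cc headers."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def extract_urls(raw_message: str) -> list[str]:
    """Every http(s) URL found in every text part of the message."""
    msg = message_from_string(raw_message)
    urls: list[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        urls.extend(URL_RE.findall(body.decode(charset, "replace")))
    return urls


def find_address_bearing_links(raw_message: str) -> list[str]:
    """URLs that carry a recipient address, matched after percent-decoding."""
    targets = recipient_addresses(raw_message)
    hits: list[str] = []
    for url in extract_urls(raw_message):
        decoded = unquote(url).lower()
        if any(target in decoded for target in targets):
            hits.append(url)
    return hits
```

Such a hit is a strong signal on its own, since legitimate mailers rarely put the bare recipient address in a click URL; it pairs well with the netblock blocklisting suggested later in the post.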

inetnum: –
netname:        CUST339-170918-147
descr:          Customer ip range
remarks:        Please send email to “[email protected]” for complaints
remarks:        regarding portscans, DoS attacks and spam.
country:        NL
admin-c:        CUST339
tech-c:         CUST339
status:         ASSIGNED PA
mnt-by:         serverius-mnt
source:         RIPE # Filtered

person:         Customer No339
remarks:        This IP space is used by a Serverius datacenter customer.
phone:          +31 (0)88 73 78 374
nic-hdl:        CUST339
mnt-by:         SERVERIUS-mnt
source:         RIPE # Filtered

descr:          Serverius Route Object
origin:         AS50673
mnt-by:         SERVERIUS-MNT
source:         RIPE # Filtered

The block seems to have been suballocated to an unidentified customer of Serverius, a provider with a long history of badness in its IP ranges. Based on this, I would suggest adding the range to your blocklist to prevent other unidentified malicious servers in this block from being a problem.

There are lots of other suspect domains on these two IPs as well:

MONDAY, MAY 21, 2018
