Warning: "Aunt Edna" email from postcards.org
13th January 2005
Note: these email messages are not being sent
out by postcards.org.
A number of email messages are circulating, claiming
to be from postcards.org carrying a message from "Aunt
Edna". These appear to be sent to addresses that
commonly receive spam, indicating that perhaps the senders
are using spam lists.
The format of the message varies slightly, but it
appears to be similar to the following:
You have just received a virtual postcard from Aunt Edna!
You can pick up your postcard at the following web address:
If you can't click on the web address above, you can also
visit 1001 Postcards at http://www.postcards.org/postcards/
and enter your pickup code, which is: 35-dodge-treads-aunt
(Your postcard will be available for 60 days.)
We hope you enjoy your postcard, and if you do,
please take a moment to send a few yourself!
P.S. If you're happy with our service, let us know by
making a donation to help us pay our server hosting costs!
Please visit our donation page at Amazon.com!
Introducing the 1001 Postcards weekly newsletter!
Click here to subscribe for free to 'Greetings from Marty & Alice':
The mail uses a trick similar to many phishing emails,
in that the displayed link of http://www.postcards.org/?35-dodge-treads-aunt
is actually a disguised link to another server or PC,
possibly belonging to an innocent third party. However,
the page consists of several exploits that affect Internet
Explorer; during tests our anti-virus software stopped
this. Mozilla/Firefox will also load the exploit code,
although it is not known if those browsers are vulnerable. This
appears to download a variant of the CoolWebSearch
trojan, which is a particularly unpleasant application.
In this case the IP address of the server is 184.108.40.206,
port 8180 and the target directory is called /009/ (I
deliberately haven't made this a simple URL as it is
still valid at the time of publication). In this case
the email originated from 220.127.116.11 in Poland.
Note that the "dodge-treads-aunt"
text seems to be common across different variants
of the email, although the prefix number varies. In
any case, the displayed URL is completely bogus and
could read anything at all.
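
The mismatch between the displayed link and its real target can be checked mechanically in an HTML message body. The following is an added example, not part of the original advisory; the function names are illustrative, and the sample markup is constructed with a documentation placeholder address (192.0.2.10) in place of the real server.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_LIKE = re.compile(r"^(?:https?://|www\.)", re.I)  # link text that reads as a URL
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")       # host given as a dotted quad

class AnchorCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased host; bare 'www.' text is given a scheme before parsing."""
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()

def suspicious_links(html):
    """Return (shown, href, reasons) for links whose text misstates the target."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, shown in parser.links:
        reasons = []
        if URL_LIKE.match(shown) and host_of(shown) != host_of(href):
            reasons.append("displayed host differs from href host")
        if IPV4.match(host_of(href)):
            reasons.append("href points at a raw IPv4 address")
        if reasons:
            findings.append((shown, href, reasons))
    return findings

# Constructed sample; 192.0.2.10 is a documentation placeholder, not the real server.
SAMPLE = ('<a href="http://192.0.2.10:8180/009/">'
          'http://www.postcards.org/?35-dodge-treads-aunt</a> or visit '
          '<a href="http://www.postcards.org/postcards/">1001 Postcards</a>')

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE):
        print(finding)
```

Only the first link in the sample is reported; the second has ordinary text rather than a URL as its label and points at a named host, so it passes both checks.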
If you have clicked on this email we recommend that
you try Microsoft
Anti-Spyware or CWShredder
to disinfect your system, plus a run through with your
favorite anti-virus software. Note that Firefox
should be less vulnerable to this kind of exploit. We
were also using the full version of Eudora
6.2 which has built-in anti-phishing protection
to help protect against bogus emails of this type.
If we find more information we will post it here.