United Parcel Service notification

VERY IMPORTANT INFORMATION, READ THIS FIRST: The example and associated information published on this page are subject to the SHPAMEE Terms Of Use. Please familiarise yourself with these terms before viewing or using any information on this page.

Header:

From - Wed Jun 1 23:25:30 2011
X-Account-Key: account8
X-UIDL: x
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
X-Mozilla-Keys:
X-Apparently-To: x via 217.146.182.121; Sun, 08 May 2011 06:29:45 +0000
X-YahooFilteredBulk: 200.88.20.80
Received-SPF: none (mta1035.mail.ird.yahoo.com: domain of adminyhqau@ups.com does not designate permitted sender hosts)
X-YMailISG: x
X-Originating-IP: [200.88.20.80]
Authentication-Results: mta1035.mail.ird.yahoo.com from=ups.com; domainkeys=neutral (no sig); from=ups.com;
dkim=neutral (no sig)
Received: from 127.0.0.1 (HELO ups.com) (200.88.20.80)
by mta1035.mail.ird.yahoo.com with SMTP; Sun, 08 May 2011 06:29:45 +0000
Received: from group21.345mail.com [160.43.215.1] by smtp4.cyberemailings.com with LOCAL; Sun, 08 May 2011 07:26:50
+0100
Received: from [175.50.124.10] by mxs.perenter.com with LOCAL; Sun, 08 May 2011 07:10:45 +0100
Received: from mts.locks.grgtween.net [164.174.181.33] by mmx09.tilkbans.com with QMQP; Sun, 08 May 2011 06:56:57 +0100
Received: from relay.2yahoo.com [67.111.202.228] by snmp.otwaloow.com with LOCAL; Sun, 08 May 2011 06:45:18 +0100
Message-ID: <x@ups.com>
Date: Sun, 08 May 2011 06:45:18 +0100
Reply-To: "UPS" <adminyhqau@ups.com>
From: "UPS" <adminyhqau@ups.com>
User-Agent: Mozilla 4.78 [en] (Win98; U)
X-Accept-Language: en-us
MIME-Version: 1.0
To: x
Cc: <x>,
        <x>,
        <x>,
        <x>,
        <x>,
        <x>,
        <x>,
        <x>,
        <x>,
        <x>,
        <x>,
        <x>,
        <x>,
        <x>,
        <x>,
        <x>,
        <x>,
        <x>,
        <x>
Subject: United Parcel Service notification
Content-Type: multipart/mixed;
        boundary="------------003007484642740687828615"

Body:

May 2011

UPS Express Delivery
tracking number # 7428528

Good morning
Parcel notification

The parcel was sent your home adress.
And it will arrive within 5 buisness days.

More information and the parcel tracking number are attached in document below.

Thank you

Comments:

The IP address 200.88.20.80 does not resolve to ups.com, so it is clear that the header is heavily forged and the From e-mail address is obviously a spoofed e-mail address. After all, adminyhqau@ups.com does not appear to be a valid ups.com e-mail address anyway.

The e-mail refers to an attachment named 'document.zip'. This zip file contains an executable file (document.exe) infected with a Trojan Downloader, classified as Trojan-Downloader.Win32.Deliver.m. So opening this file will NOT give you the promised tracking number, but a Trojan Downloader, that steals confidential user information, instead.

Take note of the formatting applied to some of the letters (bold, italics, strikethrough and even varying text colours). We believe this is likely done to bypass the spam filters, by breaking up common spam trigger words, using normal HTML markup.

These e-mails are quite common these days and each one we've analysed so far has the same M.O. namely a notification that a parcel was sent to your home address. To obtain the tracking number you need to open an attachment that's infected with some form of malicious software. We believe that the success rate of these malware spam e-mails are quite high, otherwise the malware spammers would have changed their tactics by now.

To prevent infection from e-mails like these, stick to this simple rule of thumb, never open executable files (files with an '.exe' extension) sent to you via e-mail (unless you of course explicitly requested a specific executable file from a trustworthy source). Remember, with an e-mail like this, there is no need to embed or hide the tracking number in an attachment. The courier can include the tracking number in the body of the e-mail.

[Previous Example] [Back To The Main SHPAMEE Index] [Next Example]