Postini Spam with Malware – Reset your “domain.com” password

We have started to see a wave of spam emails coming in to some of our Postini customers. This email has a customized subject with a claim that you need to reset your password. The link appears to be to your own domain, but in fact it goes to a site that attempts to install malware on your computer. We are working with Postini to update their filters to block this. You can build a content filter that you can apply to your settings to block any future emails that fit this specific signature.

Postini Content Filter

  1. Login to your Postini Administrative Console
  2. Access the User Org
  3. Access Content Manager
  4. Create new custom rule with these parameters
    Match: Any Rule
    Subject Line – Contains Text: Please confirm your email to
    Entire Message – Contains Text: http://equitativo.com.ar
    Entire Message – Contains Text: CONFIRM REQUEST AND RESET PASSWORD
    Routing: Delete (Blackhole)
    Copy to Quarantine: Add Quarantine Address: Recipient

  5. Hit Save and this filter will be applied. We chose to send it to the Quarantine in case this filter catches any false positives.

MxToolbox has partnered with WebRoot to offer Web Filtering to protect your network from attacks through the web browser. For more details on the protection that this program can offer, go here.


Example of the SPAM email 1:

From: ‘domain.com‘ [mailto:supportdomain.com]
Sent: Tuesday, June 29, 2010 11:30 AM
To: Jim Gonzo

Subject: Reset your ‘domain.com‘ password


Hello, jgonzo@domain.com.

We received your request to reset your growth-capital.com password. To confirm your request and reset your password, follow the instructions below. Confirming your request helps prevent unauthorized access to your account.

If you didn’t request that your password be reset, please follow the instructions below to cancel your request.

CONFIRM REQUEST AND RESET PASSWORD
Click on the following web address:
https://domain.com/EmailPage.srf?emailid=mail/?shva=1#inbox...

CANCEL PASSWORD RESET
Click on the following web address:
https://domain.com/EmailPage.srf?emailid=mail/?shva=1#inbox...

Thank you,
domain.com

NOTE: Please do not reply to this message, which was sent from an unmonitored e-mail address. Mail sent to this address cannot be answered.

Example of the SPAM email 2:

From: ‘domain.com‘ [mailto:supportdomain.com]
Sent: Tuesday, June 29, 2010 11:30 AM
To: Jim Gonzo

Subject: Please confirm your email to

New secret questions were added to your domain.com account.

To ensure that your account information remains accurate and secure we
notify you whenever this information changes.

This change request was made on Mon, 28 Jun 2010 16:53:43 -0600

If the changes described above are accurate, no further action is
needed. If anything doesn’t look right, follow the link below to make changes:

http://standhostesi.org/index2.html“>https://edit.domain.com/ forgot?stage=fe100&src=&intl=us&done=&partner

Regards,
domain.com Account Services

Please do not reply to this message. Mail sent to this address cannot be answered.

Example of the SPAM email 3:

From: ‘domain.com‘ [mailto:supportdomain.com]
Sent: Tuesday, June 29, 2010 11:30 AM
To: Jim Gonzo

Subject: UPS INVOICE NR4929910.


2 thoughts on “Postini Spam with Malware – Reset your “domain.com” password

  1. Pingback: Tweets that mention Postini Spam with Malware – Reset your “domain.com” password « MxToolBox Blog -- Topsy.com

  2. Tom Harney

    All of my client’s using Postini recieved this message yesterday between 11:15am and 12:15pm EST.

    Very helpful post, thank you.

    Reply

Leave a Reply