[Snort-users] Fwd:

waldo kitty wkitty42 at ...14940...
Tue Jan 29 16:10:34 EST 2013


On 1/29/2013 15:02, Jeff Jarmoc wrote:
> Obfuscated redirect to hxxp://www.news.com.december.bestdrops.2012.fxsprime<dot>com

yeah, i don't know what they are doing, either, but i've seen quite a few of 
these types of postings... they are easily recognized by their subject line 
containing only "Fwd:" and nothing else...

i'm suspecting that they might be looking for specific connections to facilitate 
infectious processes... "they" are getting smarter and narrowing their targets 
which also assists them in preventing researchers from determining what they are 
doing and how they are doing it :?

> That site in turn gives a 302 to pinterest.  Weird that it doesn't seem to do
> anything; maybe it's fingerprinting browsers?
>
> HTTP/1.1 302 Moved Temporarily
> Server: nginx/1.2.6
> Date: Tue, 29 Jan 2013 20:00:11 GMT
> Content-Type: text/html
> Content-Length: 160
> Connection: keep-alive
> Location: hxxp://www.pinterest.com/
> P3P: CP="CAO COR CURa ADMa DEVa OUR IND ONL COM DEM PRE"
>
>
> On Tue, Jan 29, 2013 at 1:51 PM, Brad Turnbough <brad.turnbough at ...11827...> wrote:
>
>     hxxp://www.ceccarinisrl.com/h7x1u4.php
>





