United Parcel Service notification
Header:
X-Account-Key: account8
X-UIDL: x
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
X-Mozilla-Keys:
X-Apparently-To: x via 217.146.182.121; Sun, 08 May 2011 06:29:45 +0000
X-YahooFilteredBulk: 200.88.20.80
Received-SPF: none (mta1035.mail.ird.yahoo.com: domain of adminyhqau@ups.com does not designate permitted sender hosts)
X-YMailISG: x
X-Originating-IP: [200.88.20.80]
Authentication-Results: mta1035.mail.ird.yahoo.com from=ups.com; domainkeys=neutral (no sig); from=ups.com;
dkim=neutral (no sig)
Received: from 127.0.0.1 (HELO ups.com) (200.88.20.80)
by mta1035.mail.ird.yahoo.com with SMTP; Sun, 08 May 2011 06:29:45 +0000
Received: from group21.345mail.com [160.43.215.1] by smtp4.cyberemailings.com with LOCAL; Sun, 08 May 2011 07:26:50
+0100
Received: from [175.50.124.10] by mxs.perenter.com with LOCAL; Sun, 08 May 2011 07:10:45 +0100
Received: from mts.locks.grgtween.net [164.174.181.33] by mmx09.tilkbans.com with QMQP; Sun, 08 May 2011 06:56:57 +0100
Received: from relay.2yahoo.com [67.111.202.228] by snmp.otwaloow.com with LOCAL; Sun, 08 May 2011 06:45:18 +0100
Message-ID: <x@ups.com>
Date: Sun, 08 May 2011 06:45:18 +0100
Reply-To: "UPS" <adminyhqau@ups.com>
From: "UPS" <adminyhqau@ups.com>
User-Agent: Mozilla 4.78 [en] (Win98; U)
X-Accept-Language: en-us
MIME-Version: 1.0
To: x
Cc: <x>,
<x>,
<x>,
<x>,
<x>,
<x>,
<x>,
<x>,
<x>,
<x>,
<x>,
<x>,
<x>,
<x>,
<x>,
<x>,
<x>,
<x>,
<x>
Subject: United Parcel Service notification
Content-Type: multipart/mixed;
boundary="------------003007484642740687828615"
Body:
May 2011
tracking number # 7428528
Good morning
| Parcel notification The parcel was sent your home adress. And it will arrive within 5 buisness d M
UPS Express Delivery system (c)
| Copyright © 1994-2011 United Parcel Service of America, Inc. All rights reserved! |
Comments:
Related Cyber Criminal Profiles:
No related profiles found.
Similar Spam Examples:
Parcel Delivery Malware Spam - DHL delivery failure report
Parcel Delivery Malware Spam - FedEx Delivery Problem No 7189
University Degree Scam - Bay your Professional and Doctoral diploma today
Parcel Delivery Malware Spam - UPS Shipping service report Q76WQCOQBV
Malware Spam - UPS Delivery Notification Tracking Number:APHQUV26F29IG4UFOZ
Related Malware Samples:
UPS document.exe - Trojan.horse.Dropper.Generic7.ASR
document.exe - Trojan.horse.Cryptic.CUR
document.exe - Trojan.horse.Cryptic.CRY
IRS document.exe - Trojan.horse.Generic23.QUD
United Parcel Service document.exe - Trojan.horse.Generic3_c.BKKC
FedEx Document.exe - Win32.DH.FF8200FE.O1BPFVEcUzQKICVXTg
FedEx document.exe - Win32.DH.FF83001A.MztQTxVRHFM0CiAlV04
DHL Document.exe - Luhe.Fiha.A
The e-mail refers to an attachment named 'document.zip'. This zip file contains an executable file (document.exe) infected with a Trojan Downloader, classified as Trojan-Downloader.Win32.Deliver.m. So opening this file will NOT give you the promised tracking number, but instead a Trojan Downloader that steals confidential user information.
Take note of the formatting applied to some of the letters (bold, italics, strikethrough and even varying text colours). We believe this is likely done to bypass the spam filters, by breaking up common spam trigger words, using normal HTML markup.
These e-mails are quite common these days, and each one we've analysed so far has the same M.O., namely a notification that a parcel was sent to your home address. To obtain the tracking number you need to open an attachment that's infected with some form of malicious software. We believe that the success rate of these malware spam e-mails is quite high, otherwise the malware spammers would have changed their tactics by now.
To prevent infection from e-mails like these, stick to this simple rule of thumb: never open executable files (files with an '.exe' extension) sent to you via e-mail (unless, of course, you explicitly requested a specific executable file from a trustworthy source). Remember, with an e-mail like this, there is no need to embed or hide the tracking number in an attachment. The courier can include the tracking number in the body of the e-mail.
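The rule of thumb above can also be applied automatically when triaging mail. The following Python example, added here and not part of the original page, lists attachments that are executables or zip archives containing one, as with 'document.zip' above; the extension list, function names and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed block list for illustration; extend it to match local policy.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def risky_attachments(raw: bytes) -> list[str]:
    """Return names of executable attachments, plus 'archive!member' for
    executables found inside zip attachments."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(EXECUTABLE_EXTS):
            findings.append(name)
        # Sniff the content instead of trusting the file name or MIME type.
        if zipfile.is_zipfile(io.BytesIO(data)):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    # Member names stay readable in ordinary password-protected zips.
                    members = zf.namelist()
            except zipfile.BadZipFile:
                findings.append(f"{name}!(unreadable archive)")
                continue
            findings += [f"{name}!{m}" for m in members
                         if m.lower().endswith(EXECUTABLE_EXTS)]
    return findings


def build_sample() -> bytes:
    """Constructed message shaped like the one above; the payload is plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"constructed placeholder, not an executable")
    msg = EmailMessage()
    msg["From"] = '"UPS" <sender@example.com>'
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "United Parcel Service notification"
    msg.set_content("Parcel notification")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(risky_attachments(build_sample()))
```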