Keystroke logger being installed from a link in an email (Subject: Police Investigation)

Julian Field mailscanner at
Fri Feb 20 08:25:48 GMT 2004

This is apparently quite an old one. There is a good report from AusCERT here:

Sophos, for example, has detected it since May 2003.

At 22:27 19/02/2004, you wrote:
>We have received copies of a malicious email, with the subject "Police
>It looks like an innocent spam email.  There are no attachments, just text
>and some obfuscated links to websites (discussed on this list before).  If
>you go to them (I don't recommend it) you will see a "SERVER ERROR 550"
>message, and you might think that the website is down.  What actually
>happens is the error message is from the website, and they use an exploit
>in Internet Explorer to install a keystroke logger on your PC.  This
>information is then mailed to an email address pentasatan at with the
>trojan using its own inbuilt SMTP engine to do so.  Hopefully your
>firewall blocks any internal host trying to use port 25 (smtp) except for
>your email server.
>Information about this exploit can be found here.
>What is the best way to block an exploit like this?
>Create a custom Spamassassin rule?
>Feed it to Bayes a bunch of times as SPAM?
>Use MCP?
>Tristan Rhodes

Julian Field
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
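
The quoted message relies on the firewall blocking port 25 from every internal host except the mail server. Logging those blocked attempts also shows which machines are running their own SMTP engine. The following is an added example, not part of the original thread: it scans netfilter-style LOG lines for internal hosts other than the mail server that try to reach external hosts on TCP/25. The internal range, mail server address, log prefix and log lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed values for illustration; replace with your own network layout.
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")
MAIL_SERVERS = {ipaddress.ip_address("192.168.10.5")}

# Constructed sample lines in the Linux netfilter LOG format.
SAMPLE_LOG = """\
Feb 20 08:01:12 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.10.5 DST=203.0.113.25 PROTO=TCP SPT=41022 DPT=25
Feb 20 08:03:40 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.10.77 DST=198.51.100.9 PROTO=TCP SPT=1188 DPT=25
Feb 20 08:03:41 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.10.77 DST=198.51.100.9 PROTO=TCP SPT=1189 DPT=25
Feb 20 08:07:02 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.10.91 DST=203.0.113.40 PROTO=TCP SPT=2044 DPT=25
Feb 20 08:09:15 gw kernel: WEB-OUT IN=eth1 OUT=eth0 SRC=192.168.10.80 DST=203.0.113.80 PROTO=TCP SPT=3120 DPT=80
Feb 20 08:10:30 gw kernel: SMTP-IN IN=eth1 OUT=eth1 SRC=192.168.10.77 DST=192.168.10.5 PROTO=TCP SPT=1190 DPT=25
Feb 20 08:11:00 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.10.300 DST=198.51.100.9 PROTO=TCP DPT=25
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def rogue_smtp_senders(log_text):
    """Count outbound TCP/25 attempts per internal host that is not a mail server."""
    hits = Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue  # not SMTP traffic
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # malformed or truncated log line
        if src not in INTERNAL_NET or src in MAIL_SERVERS:
            continue  # external source, or the sanctioned mail server
        if dst in INTERNAL_NET:
            continue  # internal delivery, not egress
        hits[str(src)] += 1
    return hits

if __name__ == "__main__":
    print(rogue_smtp_senders(SAMPLE_LOG).most_common())
```

Any host this reports is a candidate for inspection, since a normal workstation hands its mail to the internal mail server rather than to external hosts directly.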
