Email format allows URIBL check bypass and is being used in a new Spam campaign
Problem reported by Steve Norton - 12/18/2020 at 10:46 AM
Submitted
The following PowerShell script can be used to demonstrate the bypass. The domain 'percassing.eu' is currently on the URIBL blacklist.

#Start
$RemoteHost = "smtpserver.domain.com"
$Port = "25"
$ToAddress = "test.account@domain.com"

$Commands = "EHLO rzone.de",
"MAIL FROM: <>",
"RCPT TO: $ToAddress",
"DATA",
"Subject:  Prick Your Finger No More!",
"From: `"Sugar Balance`" <C52V362W86.C52V362W86@barraney.eu>",
<#"MIME-Version: 1.0",#>
"To: $ToAddress",
"Content-Transfer-Encoding: 7bit",
"Content-Type: TEXT/HTml; charset=`"UTF-8`"",
"Date: $(Get-Date -Format "ddd, dd MMM yyyy HH':'mm':'ss") +0000",
"Message-ID: <8a2713f560bf46bc879b3f5e9414b5fb@com>",
"
<html> <body> <center>         <A href=`"http://percassing.eu/0mpgc.html?od=1vct5fdb31381da0aojc.2wf4h.Z0000rffjt4c5y2c0_zr883.ffjt4MDEycjUxanNmZW5y0j3dDX`"><FoNT color=red face='Elephant' size='6'>Balance Blood Sugar In Days</FoNT></A><BR>         <A href=`"http://percassing.eu/0mpgc.html?od=1vct5fdb31381da0aojc.2wf4h.Z0000rffjt4c5y2c0_zr883.ffjt4MDEycjUxanNmZW5y0j3dDX`"><IMG src=`"http://percassing.eu/18/4526/30096/CHZyCFB.jpg`"></A><BR>        
 <A href=`"http://percassing.eu/0mpgc.html?od=1out5fdb31381da0a.2wf4h.Z0000rffjt4c5y2c0_zr883.ffjt4MDEycjUxanNmZW5y0u6Nvi`"><IMG src=`"http://percassing.eu/18/4526/30096/UHZyCFB.jpg`"></A><BR>         <A href=`"http://percassing.eu/0mpgc.html?od=1outtt5fdb31381da0a.2wf4h.Z0000rffjt4c5y2c0_zr883.ffjt4MDEycjUxanNmZW5y0j3dDX`"><IMG src=`"http://percassing.eu/0mpgc.html?od=8vct5fdb31381da0aojc.2wf4h.Z0000rffjt4c5y2c0_zr883.ffjt4MDEycjUxanNmZW5y0r5djf`"></A><BR> </center> </body> </html>
",
"",
".",
"QUIT"

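# Open a TCP connection to the SMTP server and send each line in order.
$Socket = New-Object System.Net.Sockets.TcpClient($RemoteHost, $Port)
if ($Socket)
{
    $Stream = $Socket.GetStream()
    $Writer = New-Object System.IO.StreamWriter($Stream)
    foreach ($Command in $Commands)
    {
        $Writer.WriteLine($Command)
        $Writer.Flush()
        # Fixed pause between lines; the server's replies are not read.
        Start-Sleep -Milliseconds 2000
    }
    # Release the writer and the connection once everything has been sent.
    $Writer.Close()
    $Socket.Close()
}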
#End

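A header-independent check, as an added example that is not part of the original report or of any mail server's code: it collects URL hosts from the raw body without consulting MIME-Version or Content-Type, then builds the URIBL query names for them. The report does not say which feature of the message causes the bypass; the sample message, `example.test`, the two-label domain rule and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

URIBL_ZONE = "multi.uribl.com"  # URIBL's public DNS zone

# Constructed sample shaped like the report's message: no MIME-Version
# header, mixed-case Content-Type value, mixed-case tags.
# example.test stands in for the listed domain.
SAMPLE = (
    "Subject: test\r\n"
    'Content-Type: TEXT/HTml; charset="UTF-8"\r\n'
    "\r\n"
    '<html><body><A href="http://example.test/a.html?od=1">'
    "<FoNT color=red>x</FoNT></A>"
    '<IMG src="http://img.example.test/18/x.jpg"></body></html>\r\n'
)

# Any http(s) URL wherever it appears; the scheme match is case-insensitive.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def body_of(raw):
    """Return everything after the first blank line, whatever the headers say."""
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    return parts[1] if len(parts) == 2 else ""


def registered_domain(host):
    """Assumption: keep the last two labels. Real code needs the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def uribl_query_names(raw):
    """Return the sorted DNS names to look up for every URL host in the body."""
    domains = set()
    for url in URL_RE.findall(body_of(raw)):
        host = urlsplit(url).hostname
        if host:
            domains.add(registered_domain(host))
    return sorted(f"{d}.{URIBL_ZONE}" for d in domains)


if __name__ == "__main__":
    for name in uribl_query_names(SAMPLE):
        print(name)
```

Comparing these names with the lookups the mail server's own logs show for the same message indicates whether the body was scanned at all.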