
CentOS release 6.9 Exim version 4.89_1

I was running the excellent tool ecpp_2.pl - Version: 20150612 by Michael Karr which scans a server for all outbound emails from all programs and identifies suspicious entries - it's a great tool for quickly getting an overview of what's up with outbound emails if you have some suspicious alerts.

One of the entries - which referenced a submission form on the server itself - had in the subject line a long string of escape sequence characters such as: \320\232\320\ and similar.

I hesitate to copy and paste the entire long entry here, but is there a method to determine what this code is and if it did any harm?

jeffschips
  • Hard to say without seeing the actual email, and the submission form that sends the email. But what you show looks like octal sequences in C, where `\320\232` could be the octal form of the UTF-8 encoded form of the Unicode `К` character (U+041A CYRILLIC CAPITAL LETTER KA), for instance. Emails don't use octal encoded sequences, though, so I would be suspicious of this email, without looking at the rest of its content. – Remy Lebeau Mar 07 '18 at 19:20
  • I looked again at this: the original poster originated from .ru and the subject line as viewed through the ecpp tool shows escaped characters, but the subject line in the actual email contains Cyrillic characters and a link to a URL that is indeed malicious when uploaded to virustotal. Of course no one clicked the links but is it possible to stuff escaped characters into a subject line and somehow have the receiving email system act on it? Doubtful, right? – jeffschips Mar 07 '18 at 23:09
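The comment above identifies `\320\232` as the C/Perl-style octal form of the UTF-8 bytes for Cyrillic К. As an added example (not part of the original post, and not code from ecpp_2.pl), the script below turns such escaped text back into bytes, decodes it as UTF-8, and tallies which Unicode scripts appear, which is the quickest way to see whether a subject line is ordinary foreign-language text or something else. The sample subject strings are constructed; the trailing lone backslash in the second one mirrors the truncated `\320\` in the question.

```python
import re
import unicodedata

# Matches one C/Perl-style octal escape: a backslash followed by 1-3 octal digits.
OCTAL_ESCAPE = re.compile(r"\\([0-7]{1,3})")

# Constructed samples, not the poster's actual subject line.
SAMPLE_SUBJECT = r"Re: \320\232\320\276\320\274 invoice"   # "Re: Ком invoice"
TRUNCATED_SUBJECT = "\\320\\232\\320\\"                      # sequence cut off mid-character


def octal_escapes_to_bytes(text: str) -> bytes:
    """Replace each \\ooo escape with the byte it denotes; everything else passes through."""
    out = bytearray()
    pos = 0
    for m in OCTAL_ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("utf-8")
        out.append(int(m.group(1), 8) & 0xFF)   # \320 -> 0xD0, \232 -> 0x9A
        pos = m.end()
    out += text[pos:].encode("utf-8")
    return bytes(out)


def decode_subject(text: str) -> str:
    """Decode the recovered bytes as UTF-8; malformed bytes become U+FFFD instead of raising."""
    return octal_escapes_to_bytes(text).decode("utf-8", errors="replace")


def scripts_used(decoded: str) -> dict:
    """Count alphabetic characters per Unicode script (LATIN, CYRILLIC, ...) using their names."""
    counts = {}
    for ch in decoded:
        if ch.isalpha():
            script = unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            counts[script] = counts.get(script, 0) + 1
    return counts


def has_undecodable_bytes(text: str) -> bool:
    """True when the escapes do not form valid UTF-8 (e.g. a truncated multi-byte sequence)."""
    return "\ufffd" in decode_subject(text)


if __name__ == "__main__":
    for subject in (SAMPLE_SUBJECT, TRUNCATED_SUBJECT):
        decoded = decode_subject(subject)
        print(repr(subject), "->", repr(decoded), scripts_used(decoded),
              "undecodable" if has_undecodable_bytes(subject) else "ok")
```

Run as-is it prints the decoded text next to a script tally; a subject that is entirely LATIN plus CYRILLIC decodes cleanly, while a cut-off sequence shows up as a replacement character, which is a sign of truncated output rather than of anything in the message itself.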

0 Answers