
intent - itsfogo.com


#1 Simon Roberts

Simon Roberts
  • Members
  • 1 posts

Posted 10 October 2014 - 10:03 AM

Hi,

I manage Barracuda servers at a University in the North West of England.

Our students have email accounts hosted on the Office 365 platform.

Recently a number of messages have been blocked with the reason "intent - itsfogo.com".

A closer look at the email header and email reveals code that is not displayed in the email.

I've already asked Barracuda for advice on this but nothing useful has been provided

 

X-Barracuda-BRTS-Evidence: eurofootplayers.org

X-Barracuda-BRTS-URL-Found: itsfogo.com (*Spam.Other)

X-ASG-Quarantine: ZHIntent itsfogo.com

X-Barracuda-BRTS-URL-Found: chaturbate.com (*Spam.Porn)

X-ASG-Quarantine: ZHIntent chaturbate.com

X-Barracuda-BRTS-URL-Found: signup-page.com (*Spam.Unknown)

X-ASG-Quarantine: ZHIntent signup-page.com

X-Barracuda-BRTS-URL-Found: mysuperpharm.com (*Spam.Unknown)

X-ASG-Quarantine: ZHIntent mysuperpharm.com

X-Barracuda-BRTS-URL-Found: sfippa.com (*Spam.Unknown)

X-ASG-Quarantine: ZHIntent sfippa.com

*******************************************************************************

html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-=
1">
<style type=3D"text/css" style=3D"display:none"><!-- p { margin-top: 0px; m=
argin-bottom: 0px; } @font-face { font-family: Wingdings; } @font-face { fo=
nt-family: 'Cambria Math'; } @font-face { font-family: Calibri; } p.MsoNorm=
al, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 11pt=
; font-family: Calibri, sans-serif; } a:link, span.MsoHyperlink { color: rg=
b(5, 99, 193); text-decoration: underline; } a:visited, span.MsoHyperlinkFo=
llowed { color: rgb(149, 79, 114); text-decoration: underline; } p.MsoListP=
aragraph, li.MsoListParagraph, div.MsoListParagraph { margin: 0cm 0cm 0.000=
1pt 36pt; font-size: 11pt; font-family: Calibri, sans-serif; } span.EmailSt=
yle18 { font-family: Arial, sans-serif; color: windowtext; } .MsoChpDefault=
 { font-size: 10pt; } @page WordSection1 { margin: 72pt; } ol { margin-bott=
om: 0cm; } ul { margin-bottom: 0cm; } #cb-to-top, #dynamic-to-top, #footer-=
back-to-top, #g1-back-to-top, #go-to-top, #goDownFooter, #goTop, #goTopFoot=
er, #gotop, #img_goTop, #jump-to-top, #ktz-backtotop, #mainToTopAnchor, #mo=
ve-to-top, #scroll-to-top, #scroll-top, #scroll-top-link, #scrolltotop_butt=
on, #to-the-top, #toTop, #to_top, #totopBtn, #uix_jumpToTopFixed, .TopGoTop=
, .back-to-top, .backToTop, .back_to_top, .backtotop, .block_to_top, .btn-g=
o-top, .fa-arrow-circle-o-up, .fk-ui-goTop, .footer-top-of-page, .go2top, .=
goTop, .js-scroll-to-top, .link_to_top, .mk-go-top, .pi-scroll-top-arrow, .=
scroll-back-to-top-wrapper, .scroll-to-top, .scroll-top, .scroll-top-inner,=
 .scroll2top, .scrollToTop, .scrollToTopButton, .scrollTo_top, .scrollTop, =
.scrolltop, .td-scroll-up, .to-the-top, .to-top, .toTopButton, .topofpage, =
.totop, .ui-fixed-panel-go-top, .ui-go-top, .w-toplink, a[title=3D"Back To =
Top"], a[title=3D"Back to Top"], a[title=3D"Scroll to Top"], a[title=3D"Scr=
oll to top"], div[title=3D"Scroll Back to Top"], div[title=3D"Scroll To Top=
"], img[alt=3D"Scroll to top"], img[alt=3D"go to Top"], .__y_outer, div[id$=
=3D"-top-message-bar"][style=3D"top: 0px; display: block;"], .odkl-klass-st=
at, #ciasteczka, #ciasteczkaInfoContainer, #ciasteczka_alert, #ciastka, #di=
v-cookie-komunikat, #pasek_ciasteczka, #poityka-ciastek, #sf-minisite-toolb=
ar, #share_feed, #sharebuttons, #social-footer, #tweets, .connect_widget, .=
follow-button, .post-social, .rss-feed, .rss.icon, .share-box, .shareLink, =
.shareLinks, .shareText, .share_wrapper, .sharebox, .sharebutton, .sharebut=
tons, .social_bar, .social_buttons, .social_share, a[href=3D"http://www.twe=
llow.com/"], a[href^=3D"http://getclicky.com/"], #footerrss, .hellobar-sign=
up, .home-twitterfeed, .icon-rss-squared, .jobs-information-call-to-action,=
 .newsletter-signup-bait, .newsletter-signup-form, #cookies_notifier, #tesc=
oCookieNotification, .cookie-notice-wrapper, .cookiePopup, .cookiewrapper, =
.euCookie, #backtotoplink, .toTopBtn, .top-of-page-link, #AD_banner, #AdCol=
umn, #AdContainer, #AdHeader, #AdImage, #Adcode, #AdvertiseFrame, #Advertis=
ements, #BottomAdContainer, #BottomAds, #ContentAd, #PreRollAd, #RightAdBlo=
ck, #TopAd, #ad-area, #ad-background, #ad-bg, #ad-bottom, #ad-container, #a=
d-header, #ad-header-728x90, #ad-leaderboard, #ad-main, #ad-right, #ad-text=
, #ad-top, #ad-top-banner-placeholder, #ad-top-wrapper, #ad-unit, #ad-wrapp=
er, #ad468, #ad728, #ad728x90, #adBanner, #adBelt, #adComponentWrapper, #ad=
Div, #adFrame, #adGallery, #adHeader, #adHolder, #adLayer, #adLeader, #adPo=
sition0, #adText, #ad_1, #ad_2, #ad_3, #ad_4, #ad_5, #ad_728_90, #ad_area, =
#ad_banner, #ad_center, #ad_content, #ad_header, #ad_leaderboard, #ad_overl=
ay, #ad_overlay_countdown, #ad_space, #ad_square, #ad_table, #ad_unit, #ad_=
wrap, #ad_wrapper, #adaptv_ad_player_div, #adbackground, #adbanner, #adbar,=
 #adblock, #adboard, #adbody, #adbox, #adcode, #adcontainer, #adcontainer1,=
 #adcontent, #adhead, #adheader, #adimg1, #adlayer, #adnews, #adposition3, =
#adright, #ads-col, #ads1, #adsHeader, #ads_bottom, #ads_right, #ads_top, #=
ads_wrapper, #adsdiv, #adsense, #adsense_block, #adsense_inline, #adspace, =
#adspace_top, #adspot-300x250-pos-1, #adspot-300x250-pos-2, #adtext, #adtop=
, #adv-masthead, #adv-top, #advert1, #advert2, #advertise, #advertisement1,=
 #advertisetop, #advertising_wrapper, #advtop, #adwrapper, #banner-ad, #ban=
nerAd, #bannerAdWrapper, #banner_topad, #bannerad, #bigAd, #bigad, #body_ad=
, #bottomAds, #bottom_ad, #centerads, #cmn_ad_tag_head, #companionAd, #cont=
ent-header-ad, #contentAd, #content_ads, #content_adv, #contentad, #dart-co=
ntainer-728x90, #dfp_ad_Entry_728x90, #dfp_ad_Home_728x90, #divAd, #div_pre=
rollAd_1, #download_ad, #featuread, #featured-ads, #featuredAds, #footer_ad=
, #footer_ads, #game-ad, #googlead, #gridAdSidebar, #head-ad, #header-ads, =
#headerAd, #headerAdContainer, #header_ad, #homead, #ka_adRightSkyscraperWi=
de, #leaderAd, #leaderBoardAd, #leaderboard-ad, #leaderboard-advertisement,=
 #leaderboardad, #left_ads, #leftad, #leftads, #logoAd, #logo_ad, #mainAd, =
#main_ad, #mpu2, #mpu2_container, #mpu_container, #msad, #myAd, #player_ads=
, #pre_advertising_wrapper, #prerollAd, #promo-ad, #publicidad, #reklama, #=

*********************************************************************************************************************************

Of the users I've spoken to so far all are Mac users using Safari or Google as a default browser.

I need advice on what checks to perform to find out where this code is being injected into email. I believe it is the sender's device. I also need to know what effect, if any, this code will have on a user's PC if a message is opened.

Web searches have not revealed anything on this as yet.

 

Thanks in advance,
Simon
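The headers quoted above show what the Barracuda "Intent" check actually keyed on: domains that appear in the message body (here inside a `<style ... display:none>` block that is quoted-printable encoded, hence the `=` soft line breaks) but that the recipient never sees rendered. The following Python script is an added example for triaging such a message offline; it is not code from the original post or from Barracuda. The two header formats (`domain (*Spam.Category)` and `ZHIntent domain`) are copied from the post; the sample message, its `.invalid` hostnames and the hidden/visible split are constructed for the example.

```python
"""Triage a Barracuda 'Intent' quarantine hit: list the flagged domains from the
X-Barracuda-BRTS-URL-Found / X-ASG-Quarantine headers, decode the HTML body,
and report which hosts occur only in content the recipient never sees."""
import email
import email.policy
import re
from email.message import EmailMessage
from html.parser import HTMLParser

# Header shapes as quoted in the post: "itsfogo.com (*Spam.Other)" and "ZHIntent itsfogo.com".
URL_FOUND_RE = re.compile(r"^\s*(?P<domain>[A-Za-z0-9.-]+)\s*\((?P<category>[^)]*)\)\s*$")
HOST_RE = re.compile(r"https?://([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)", re.IGNORECASE)
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


def parse_intent_headers(msg):
    """Map each domain the filter reported to its category / quarantine reason."""
    found, quarantined = {}, {}
    for value in msg.get_all("X-Barracuda-BRTS-URL-Found", []):
        m = URL_FOUND_RE.match(str(value))
        if m:
            found[m.group("domain").lower()] = m.group("category")
    for value in msg.get_all("X-ASG-Quarantine", []):
        parts = str(value).split(None, 1)          # "ZHIntent domain"
        if len(parts) == 2:
            quarantined[parts[1].strip().lower()] = parts[0]
    return {"url_found": found, "quarantine": quarantined}


class HiddenHostCollector(HTMLParser):
    """Split text and link hosts into 'hidden' (style/script or display:none) and 'visible'."""

    def __init__(self):
        super().__init__()
        self._stack = []                            # one hidden-flag per open element
        self.hidden_text, self.visible_text = [], []
        self.hidden_hosts, self.visible_hosts = set(), set()

    @staticmethod
    def _is_hidden(tag, attrs):
        style = (dict(attrs).get("style") or "").replace(" ", "").lower()
        return tag in ("style", "script") or "display:none" in style

    def handle_starttag(self, tag, attrs):
        hidden = bool(self._stack and self._stack[-1]) or self._is_hidden(tag, attrs)
        bucket = self.hidden_hosts if hidden else self.visible_hosts
        for name, value in attrs:
            if name in ("href", "src") and value:
                bucket.update(h.lower() for h in HOST_RE.findall(value))
        if tag not in VOID_TAGS:                    # void tags never get an end tag
            self._stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        hidden = bool(self._stack and self._stack[-1])
        (self.hidden_text if hidden else self.visible_text).append(data)


def hidden_hosts(html):
    """Hosts found only in non-rendered content, plus the hosts a reader could see."""
    p = HiddenHostCollector()
    p.feed(html)
    p.close()
    hidden = p.hidden_hosts | {h.lower() for h in HOST_RE.findall("".join(p.hidden_text))}
    visible = p.visible_hosts | {h.lower() for h in HOST_RE.findall("".join(p.visible_text))}
    return {"hidden_only": sorted(hidden - visible), "visible": sorted(visible)}


def triage(raw_message):
    """Parse a raw RFC 5322 message, decode its HTML part (quoted-printable and all)
    and correlate the filter's hits with the hidden/visible host split."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    report = parse_intent_headers(msg)
    report.update(hidden_hosts(html))
    report["hits_in_hidden_content"] = sorted(
        d for d in report["url_found"] if d in report["hidden_only"])
    return report


# Constructed sample: a hidden <style> block and a display:none div carry hosts the
# reader never sees, mimicking the structure quoted in the post (hostnames are invented).
SAMPLE_HTML = """<html><head>
<style type="text/css" style="display:none"><!-- p { margin: 0; }
a[href="http://hidden-one.invalid/"], a[href="http://hidden-two.invalid/x"] { color: red; } --></style>
</head><body>
<p>Hello, please see the <a href="http://visible.invalid/report">report</a>.</p>
<div style="display: none">Offer: http://hidden-two.invalid/promo</div>
</body></html>"""


def build_sample_message():
    """Build the constructed sample as a quoted-printable HTML message with filter headers."""
    msg = EmailMessage()
    msg["From"] = "student@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "constructed sample"
    for domain, category in (("hidden-one.invalid", "*Spam.Other"),
                             ("hidden-two.invalid", "*Spam.Unknown"),
                             ("visible.invalid", "*Spam.Unknown")):
        msg["X-Barracuda-BRTS-URL-Found"] = f"{domain} ({category})"
        msg["X-ASG-Quarantine"] = f"ZHIntent {domain}"
    msg.set_content(SAMPLE_HTML, subtype="html", cte="quoted-printable")
    return msg.as_string()


if __name__ == "__main__":
    for key, value in triage(build_sample_message()).items():
        print(f"{key}: {value}")
```

Running the script on a real quarantined message (`triage(open("msg.eml").read())`) shows whether every domain the filter reported lives in content the user cannot see, which is the signature of injected markup rather than something the sender typed; a domain that also appears in the visible text or links needs a different explanation.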

 



#2 opjose

opjose
  • Members
  • 257 posts
  • LocationWashington D.C. Area

Posted 14 October 2014 - 04:34 PM

It looks like the Barracuda "Intent" filter is doing its job correctly.

 

The question is what is injecting all of that junk into your messages?

 

Are your users employing client software such as Outlook, etc.?

 

Or are they sending e-mail via a browser interface to a remote host?

 

In either case you can safely assume that their computers were or still are infected, or, if they are using client software, that they are at the least using an e-mail template with the embedded malicious code.