Responding to UPS pattern SPAM | ExchangeDefender Blog

ExchangeDefender
ExchangeDefender: Keep your email, and company data safe and secure.
ExchangeDefender PRO Multi-layered email security suite protects against SPAM, viruses, phishing attacks and more.

Corporate Encryption Send and receive encrypted messages by email, url, or sms.

Compliance Archive Assures full archiving of all inbound, outbound, and internal email for regulatory compliance.

Web File Server Unlimited document sharing and secure file storage.

Business Continuity Enables organizations access to email during unexpected service outages.

Password Vault Securely store, manage and share passwords with a centralized management system.
GET STARTED NOW

Enable secure communication of sensitive information.
Schedule a demo Get a quote See it live
Looking for ExchangeDefender for home/hobby/small team?
Solutions
Solutions: Solve IT problems with our email & cloud expertise.
Exchange Hosting Microsoft Exchange mailbox for secure business communication.

SMS Proxy Virtual number that forwards text messages to email, web, Slack & Teams.

Exchange Essentials Our Microsoft Exchange mailbox service for home and small offices.

Web Hosting Custom web site and web application hosting services.

Cloud Service Management Management & support of Amazon AWS & Microsoft Azure cloud services.

Wrkoo Service and support portal solution that helps manage business & clients.
5 reasons why MSPs use our support software Wrkoo In our fast-pace world full of technology, customers want you to deliver impeccable customer service online…
Can't find what you're looking for? Contact our customer service at (877) 546-0316
Partners
Partners: Make better profits, join our industry-leading partner program today!
Marketing Marketing collateral and sales documentation to help you close deals.

Support Need help? We offer an industry leading SLA with 24/7 support here.

Managed Services for Legal Services

Support Portal

Managed Healthcare

Webinar Library

ExchangeDefender Threat Protection

Contact us

More

More
Become a partner Add our email and cloud expertise to your portfolio and profit from it.
See why MSPs love working with us
Company
Company: Learn more about our company, get the latest news, or contact us.
About Us Learn more about ExchangeDefender and our 20+ year journey in email.

Contact Us All the ways you can get in touch with us.

Blog The latest news, releases, and service updates from our team.

Regulatory Compliance ExchangeDefender compliance audits and security collateral.

NOC Network Operations Center advisories and current network events.

3rd Party Support Technical support for our platform if you're not a client.
5 reasons why MSPs use our support software Wrkoo In our fast-pace world full of technology, customers want you to deliver impeccable customer service online…
Can't find what you're looking for? Contact our customer service at (877) 546-0316
Docs
Login
ExchangeDefender Admin

Compliance Archive

ExchangeDefender Support

Encryption

Web File Sharing

Live Archive
Premium Support
US: +1(877)546-0316 INT: +1(407)465-6800 UK: 0800 8620149 AU: +61 0390010641

Responding to UPS pattern SPAM

ExchangeDefender

Responding to UPS pattern SPAM

It has been quite an evening at ExchangeDefender as we continue to fight the outbreak of the UPS trojan. You may have seen this:

Warning: This message has had one or more attachments removed

Warning: (UPS_INVOICE_978172.exe, UPS_INVOICE_978172.zip).

Warning: Please read the “ExchangeDefender-Attachment-Warning.txt” attachment(s) for more information.

Subject: UPS Tracking Number 6431834482

Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office

Your UPS

What is interesting about this is that the message does look fraudulent to the casual observers and people that do domestic business with UPS. However, we have encountered this format (with attachments and all) being used by UPS Commercial shipping departments in the past, which is why messages with the specific patterns received lower SPAM scores and were allowed through.

We still stripped the attachments but the attachments inside the ZIP file are passing through AV scanners as the variants change. We are now up to over thirty definitions used to track this specific worm and have taken the following steps:

UPS messages are only processed if they come from UPS.

UPS Tracking numbers are only accepted as valid if they start with 1Z.

UPS messages instigate a callback function against UPS servers.

Dealing with these extended rulesets and checks has made mail move a little slower today as we’ve dealt with onslaught of messages while this worm becomes more prevalent. UPS is also issuing a warning on their behalf:

We currently have this issue under control and it should not pose any further problems. However, expect the UPS messages to be taken with higher scrutiny and always warn users not to open executable attachments.

Like