Sod off.
March 2, 2012 7:54 AM Subscribe
Does this email contain something malicious?
I just had a huge mail (14MB) from a known contact. While the visible content was relatively normal (albeit a duplicate of an email sent earlier in the day), the source, after I’d decoded the Base64, was full of this sort of thing:
The malformed-looking “ecxecxecxecxecxecxecx” parts made me a little suspicious (although perhaps only because it looks a bit like “exec”!). I should state the sender is trusted, lacking the knowledge or inclination for anything malicious. They could have contracted virus, however. One further point is they may have been using the Windows 8 Consumer Preview. Can anyone informed offer an explanation?
I just had a huge mail (14MB) from a known contact. While the visible content was relatively normal (albeit a duplicate of an email sent earlier in the day), the source, after I’d decoded the Base64, was full of this sort of thing:
{font-family:"Times New Roman","serif";font-size:12pt;margin-right:0cm;margin-left:0cm;}
.ExternalClass li.ecxecxecxecxecxecxmsoacetate112, .ExternalClass div.ecxecxecxecxecxecxmsoacetate112
{font-family:"Times New Roman","serif";font-size:12pt;margin-right:0cm;margin-left:0cm;}
.ExternalClass div.ecxecxecxecxecxecxmsoacetate112
{font-family:"Times New Roman","serif";font-size:12pt;margin-right:0cm;margin-left:0cm;}
.ExternalClass div.ecxecxecxecxecxecxmsoacetate112
{font-family:"Times New Roman","serif";font-size:12pt;margin-right:0cm;margin-left:0cm;}
.ExternalClass p.ecxecxecxecxecxecxecxmsonormal212, .ExternalClass li.ecxecxecxecxecxecxecxmsonormal212, .ExternalClass div.ecxecxecxecxecxecxecxmsonormal212
{font-family:"Times New Roman","serif";font-size:12pt;margin-right:0cm;margin-left:0cm;}
.ExternalClass li.ecxecxecxecxecxecxecxmsonormal212, .ExternalClass div.ecxecxecxecxecxecxecxmsonormal212
{font-family:"Times New Roman","serif";font-size:12pt;margin-right:0cm;margin-left:0cm;}
.ExternalClass div.ecxecxecxecxecxecxecxmsonormal212
{font-family:"Times New Roman","serif";font-size:12pt;margin-right:0cm;margin-left:0cm;}
.ExternalClass li.ecxecxecxecxecxecxecxmsonormal212, .ExternalClass div.ecxecxecxecxecxecxecxmsonormal212
{font-family:"Times New Roman","serif";font-size:12pt;margin-right:0cm;margin-left:0cm;}
.ExternalClass div.ecxecxecxecxecxecxecxmsonormal212
{font-family:"Times New Roman","serif";font-size:12pt;margin-right:0cm;margin-left:0cm;}
.ExternalClass div.ecxecxecxecxecxecxecxmsonormal212
{font-family:"Times New Roman","serif";font-size:12pt;margin-right:0cm;margin-left:0cm;}
.ExternalClass p.ecxecxecxecxecxecxecxmsoacetate212, .ExternalClass li.ecxecxecxecxecxecxecxmsoacetate212, .ExternalClass div.ecxecxecxecxecxecxecxmsoacetate212
{font-family:"Times New Roman","serif";font-size:12pt;margin-right:0cm;margin-left:0cm;}
.ExternalClass li.ecxecxecxecxecxecxecxmsoacetate212, .ExternalClass div.ecxecxecxecxecxecxecxmsoacetate212
{font-family:"Times New Roman","serif";font-size:12pt;margin-right:0cm;margin-left:0cm;}
.ExternalClass div.ecxecxecxecxecxecxecxmsoacetate212
{font-family:"Times New Roman","serif";font-size:12pt;margin-right:0cm;margin-left:0cm;}
.ExternalClass li.ecxecxecxecxecxecxecxmsoacetate212, .ExternalClass div.ecxecxecxecxecxecxecxmsoacetate212
{font-family:"Times New Roman","serif";font-size:12pt;margin-right:0cm;margin-left:0cm;}
.ExternalClass div.ecxecxecxecxecxecxecxmsoacetate212
{font-family:"Times New Roman","serif";font-size:12pt;margin-right:0cm;margin-left:0cm;}
.ExternalClass div.ecxecxecxecxecxecxecxmsoacetate212
{font-family:"Times New Roman","serif";font-size:12pt;margin-right:0cm;margin-left:0cm;}
The malformed-looking “ecxecxecxecxecxecxecx” parts made me a little suspicious (although perhaps only because it looks a bit like “exec”!). I should state the sender is trusted, lacking the knowledge or inclination for anything malicious. They could have contracted virus, however. One further point is they may have been using the Windows 8 Consumer Preview. Can anyone informed offer an explanation?
I don't see any script, just styling (fonts and stuff).
posted by matildaben at 8:17 AM on March 2, 2012
posted by matildaben at 8:17 AM on March 2, 2012
Here's a comment that sort of explains what's happening, it's a Hotmail problem. My guess is that his css has been copy+pasted into Hotmail over and over again, and it's adding ecx to every class every time it gets pasted in.
posted by helicomatic at 8:36 AM on March 2, 2012
posted by helicomatic at 8:36 AM on March 2, 2012
Response by poster: To the first two of you, I realise it's just formatting, etc., but as thelonius says, it's the 14MB of the that worries me.
Thanks Helicomatic. Given the circumstances I don't think the sender would have copied and pasted anything beyond what one might in composing a short email -- certainly not enough to generate 14MB worth. Or didn't you mean it have been "copy/pasted" automatically in some sense by Hotmail?
PS. Yes, it was to and from a Hotmail account, by the way.
posted by ed\26h at 11:15 AM on March 2, 2012
Thanks Helicomatic. Given the circumstances I don't think the sender would have copied and pasted anything beyond what one might in composing a short email -- certainly not enough to generate 14MB worth. Or didn't you mean it have been "copy/pasted" automatically in some sense by Hotmail?
PS. Yes, it was to and from a Hotmail account, by the way.
posted by ed\26h at 11:15 AM on March 2, 2012
That was just a guess, I'm assuming it adds "ecx" to class names one at a time, and that it must be processing the same text over and over somehow, either through Hotmail or some other mail software that behaves the same way.
I don't use Hotmail or any Microsoft CSS-capable software though, so I can't be sure what exactly is causing it. If you search for "ecxecxecx" or similar you get a few hits that look like the same sort of thing is happening to other people.
posted by helicomatic at 11:27 AM on March 2, 2012
I don't use Hotmail or any Microsoft CSS-capable software though, so I can't be sure what exactly is causing it. If you search for "ecxecxecx" or similar you get a few hits that look like the same sort of thing is happening to other people.
posted by helicomatic at 11:27 AM on March 2, 2012
This thread is closed to new comments.
posted by Brian Puccio at 8:09 AM on March 2, 2012