[Mimedefang] Recent burst of greylist activity

Joseph Brennan brennan at columbia.edu
Mon Dec 15 10:54:46 EST 2003


> My greylist detector went crazy...  I'm seeing hits from different
> machines all over the world; looking at the faked e-mail addresses, these
> attempts *must* be correlated.

A spammer with URLs that may be in China staged a big distributed
spam run this weekend using a large network of compromised PCs.
URLs in text: www.rx357.com, www.2004hosting.org, www.2004hosting.net.
Can people at other places resolve those names and connect?  I can't.
China has interfered with connections from Columbia U before.

The spam run was preceded by scans to port 65506/tcp of no known
significance at the time we saw them.  About a dozen students'
Windows boxes that had been scanned were used this weekend in
the spam run.  On Google I see other examples sent from IPs in
many domains.  Sample message below.  All this for a penny-ante
cable descrambler product?  Or is there more to it, if you can
open the web page?

Joseph Brennan         Columbia University in the City of New York
Academic Technologies Group                   brennan at columbia.edu




Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dwindows-12=
51">
<META content=3D"MSHTML 6.00.2800.1141" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<font color=3D"white">convolve delectable agamemnon cabinetry resume talen=
t pauline philosoph shopkeep horatio signet wiry gases brett=20</font><br>=

<body>

<p>Th</earthshaking>e ul</berry>timate d</feint>igital
ca</derbyshire>ble f</nocturnal>ilter</p>
<p>Th</betty>e fil</z's>ter wi</simpleminded>ll al</writ>low
yo</surveillant>u t</hobart>o rec</flux>eive a</toolkit>ll
t</draw>he ch</redbird>annels t</monic>hat y</niacin>ou
or</tote>der wi</actinolite>th y</aqua>our r</marque>emove
cont</washbasin>rol!</p>
<p>pay</slice>perviews, adu</inspiration>lt mov</stephanotis>ies,s</brockl=
e>port
even</voss>ts,s</embattle>pecial ev</nolo>ents!
<a href=3D"http://www.2004hosting.net/cable/">
se</indigo>e n</cairn>ow!</a></p><p>
<a href=3D"http://www.2004hosting.net/cable/">
<img %RANDOM_TEXT border=3D"0"
src=3D"http://www.2004hosting.net/fiter.jpg"></a></p>

<br>
<font color=3D"white">befogging denial ferromagnet neoconservative amman c=
himeric commission healthy baleen e lourdes angelo heard beryl buchwald cl=
ark=20</font>
</BODY>
</HTML>
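The sample message above defeats plain string matching in two ways that are visible in its markup: end tags that close nothing split each word, and white text on the white background pads the body with unrelated words. As an added example (not part of the original post and not MIMEDefang filter code), this Python code decodes the quoted-printable body and reports both signals; the sample input is constructed from lines of the message, and the names `colour`, `ObfuscationScanner` and `scan` are hypothetical.

```python
import quopri
from html.parser import HTMLParser

# Constructed sample: lines modelled on the message above, still quoted-printable.
SAMPLE_QP = b"""<BODY bgColor=3D#ffffff>
<font color=3D"white">convolve delectable agamemnon cabinetry resume talen=
t pauline=20</font><br>
<p>Th</earthshaking>e ul</berry>timate d</feint>igital
ca</derbyshire>ble f</nocturnal>ilter</p>
</BODY>
"""
VOID = {"br", "img", "meta", "hr", "input", "link"}  # elements with no end tag

def colour(value):  # normalise so 'white' and '#FFFFFF' compare equal
    return {"white": "#ffffff"}.get((value or "").lower(), (value or "").lower())

class ObfuscationScanner(HTMLParser):
    """Splits rendered text from hidden text and records end tags that close nothing."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack, self.stray, self.visible, self.hidden = [], [], [], []
        self.background = "#ffffff"  # assumption: white page unless bgcolor says otherwise

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "body" and attrs.get("bgcolor"):
            self.background = colour(attrs["bgcolor"])
        if tag not in VOID:
            hides = tag == "font" and colour(attrs.get("color")) == self.background
            self.stack.append((tag, hides))  # stack entries are (tag, hides_text)

    def handle_endtag(self, tag):
        names = [name for name, _ in self.stack]
        if tag in names:   # close the nearest match and anything still open inside it
            del self.stack[len(names) - 1 - names[::-1].index(tag):]
        else:              # nothing to close: a filler tag such as </earthshaking>
            self.stray.append(tag)

    def handle_data(self, data):
        (self.hidden if any(h for _, h in self.stack) else self.visible).append(data)

def scan(qp_body, charset="windows-1251"):  # charset taken from the sample's META tag
    html = quopri.decodestring(qp_body).decode(charset, "replace")
    parser = ObfuscationScanner()
    parser.feed(html)
    parser.close()
    return {"decoded": html, "stray_end_tags": parser.stray,
            "visible_text": " ".join("".join(parser.visible).split()),
            "hidden_words": "".join(parser.hidden).split()}
```

Content rules that match on `visible_text` see the words a reader sees, and a high count of stray end tags alongside hidden words is itself a usable scoring signal.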






