[Mimedefang] New spammer trick?
David F. Skoll
dfs at roaringpenguin.com
Mon Nov 24 21:16:04 EST 2003
Hi,
I've just seen the following three entries in my maillog:
Nov 23 07:43:55 www sendmail[23184]: hANChtWl023184:
from=<dfs at roaringpenguin.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
daemon=MTA, relay=c-66-56-84-132.atl.client2.attbi.com [66.56.84.132]
Nov 24 09:20:01 www sendmail[32246]: hAOEK1Wl032246:
from=<dfs at roaringpenguin.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
daemon=MTA, relay=[163.41.144.53]
Nov 24 21:08:50 www sendmail[22577]: hAP28ofX022577:
from=<dfs at roaringpenguin.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
daemon=MTA, relay=c-67-163-130-188.client.comcast.net [67.163.130.188]
This spammer makes both the "from" and "to" address the same as the
intended recipient. Luckily, in all three cases, the spammer's software
says "HELO roaringpenguin.com", so I see lines like this in my log (edited
to wrap better):
Nov 23 07:43:55 Host 66.56.84.132 said HELO roaringpenguin.com
Nov 23 07:43:55 filter_relay rejected host 66.56.84.132
Nov 23 07:43:55 Go away... 66.56.84.132 is not a roaringpenguin.com machine
:-)
So this must be a new piece of ratware. HELO checks will probably
be even more worthwhile.
Regards,
David.
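As an added example (not code from the post or from MIMEDefang itself): a Python sketch of the two defensive checks the post relies on, run over constructed maillog lines modelled on the ones above. The domain list, the documentation range 192.0.2.0/24 standing in for the site's own networks, and the third sample log line are assumptions.

```python
import ipaddress
import re

# Assumed: the site's own domains and the networks its mail servers live on.
# 192.0.2.0/24 is a documentation range standing in for the real address space.
OUR_DOMAINS = {"roaringpenguin.com"}
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample maillog lines modelled on the post; the third one is a
# made-up legitimate delivery for contrast.
SAMPLE_LOG = """\
Nov 23 07:43:55 www sendmail[23184]: hANChtWl023184: from=<dfs@roaringpenguin.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=c-66-56-84-132.atl.client2.attbi.com [66.56.84.132]
Nov 24 09:20:01 www sendmail[32246]: hAOEK1Wl032246: from=<dfs@roaringpenguin.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[163.41.144.53]
Nov 24 10:00:00 www sendmail[10001]: hAOF00Ab010001: from=<someone@example.net>, size=1234, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
"""

# Envelope sender and the relay's IP; sendmail logs the relay as "host [ip]" or "[ip]".
FROM_RE = re.compile(r"from=<([^>]*)>.*?relay=(?:\S+ )?\[([\d.]+)\]")


def is_our_network(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in OUR_NETWORKS)


def helo_is_forged(helo, client_ip):
    """The HELO check from the post: a client that greets with one of our
    names (or a host under them) but connects from outside our networks
    cannot be one of our machines."""
    name = helo.strip().lower().rstrip(".")
    claims_us = name in OUR_DOMAINS or any(name.endswith("." + d) for d in OUR_DOMAINS)
    return claims_us and not is_our_network(client_ip)


def suspicious_entries(log_text):
    """Flag log lines whose envelope sender is in our domain but whose relay
    is an outside host: the forged sender-equals-recipient pattern the post
    describes. Returns (relay_ip, sender) pairs."""
    hits = []
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue
        sender, relay_ip = m.group(1), m.group(2)
        domain = sender.rpartition("@")[2].lower()
        if domain in OUR_DOMAINS and not is_our_network(relay_ip):
            hits.append((relay_ip, sender))
    return hits


if __name__ == "__main__":
    for relay_ip, sender in suspicious_entries(SAMPLE_LOG):
        print(f"outside relay {relay_ip} claimed local sender {sender}")
    print(helo_is_forged("roaringpenguin.com", "66.56.84.132"))  # True
```

Legitimate roaming hosts that greet with their own FQDN from a foreign network (a laptop on a hotel connection) would trip the HELO check, so in practice OUR_NETWORKS needs to cover every address your own machines may connect from.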