[Mimedefang] New spammer trick?

Albert Whale aewhale at ABS-CompTech.com
Mon Nov 24 23:38:15 EST 2003



David F. Skoll wrote:

>Hi,
>
>I've just seen the following three entries in my maillog:
>
>Nov 23 07:43:55 www sendmail[23184]: hANChtWl023184:
>from=<dfs at roaringpenguin.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
>daemon=MTA, relay=c-66-56-84-132.atl.client2.attbi.com [66.56.84.132]
>
>Nov 24 09:20:01 www sendmail[32246]: hAOEK1Wl032246:
>from=<dfs at roaringpenguin.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
>daemon=MTA, relay=[163.41.144.53]
>
>Nov 24 21:08:50 www sendmail[22577]: hAP28ofX022577:
>from=<dfs at roaringpenguin.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
>daemon=MTA, relay=c-67-163-130-188.client.comcast.net [67.163.130.188]
>
>This spammer makes both the "from" and "to" address the same as the
>intended recipient.  Luckily, in all three cases, the spammer's software
>says "HELO roaringpenguin.com", so I see lines like this in my log (edited
>to wrap better:)
>
>Nov 23 07:43:55 Host 66.56.84.132 said HELO roaringpenguin.com
>Nov 23 07:43:55 filter_relay rejected host 66.56.84.132
>Nov 23 07:43:55 Go away... 66.56.84.132 is not a roaringpenguin.com machine
>
>:-)
>
>So this must be a new piece of ratware.  HELO checks will probably
>be even more worthwhile.
>  
>

David,

I have it on good authority that HELO checks will eliminate some of the 
SPAM bots. It won't get rid of all of them, but it is a safe bet that 
you should check the HELO.

>Regards,
>
>David.

-- 
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
--------------------------------------------------------------------------------
http://www.abs-comptech.com & http://www.No-JunkMail.com 
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
SPAM Zapper - www.No-JunkMail.com - SPAM Stops Here.
Founding Board of Directors of Pittsburgh FBI - InfraGard
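
The HELO check discussed in this thread, as an added example in Python (not code from either poster and not MIMEDefang's own filter API). It goes a little beyond the exact case in the log by also covering hosts beneath the domain and address literals; `OWN_NETWORKS` and the function names are assumptions made for the example.

```python
import ipaddress

# Assumed site configuration (constructed): the domain from the thread, plus
# loopback and a documentation range standing in for the site's own networks.
OWN_DOMAINS = ("roaringpenguin.com",)
OWN_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]


def is_own_host(ip):
    """True if the address lies in one of our own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWN_NETWORKS)


def claimed_identity(helo):
    """Return the own domain or own address a HELO argument claims, else None."""
    name = helo.strip().lower().rstrip(".")
    if name.startswith("[") and name.endswith("]"):      # address literal
        try:
            return name if is_own_host(name[1:-1]) else None
        except ValueError:                               # malformed literal
            return None
    for domain in OWN_DOMAINS:
        # Match the domain itself or a host beneath it, never a lookalike
        # such as "notroaringpenguin.com".
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def check_helo(client_ip, helo):
    """Decide ('REJECT', reason) or ('CONTINUE', 'ok') for one connection."""
    claimed = claimed_identity(helo)
    if claimed and not is_own_host(client_ip):
        return ("REJECT", f"Go away... {client_ip} is not a {claimed} machine")
    return ("CONTINUE", "ok")


if __name__ == "__main__":
    # The first two relay addresses are from the quoted log; the rest is constructed.
    samples = [
        ("66.56.84.132", "roaringpenguin.com"),
        ("67.163.130.188", "Mail.RoaringPenguin.COM."),
        ("192.0.2.10", "mail.roaringpenguin.com"),
        ("198.51.100.7", "notroaringpenguin.com"),
        ("198.51.100.7", "[192.0.2.10]"),
    ]
    for ip, helo in samples:
        print(ip, helo, check_helo(ip, helo))
```

A check like this only catches clients that claim the recipient's own identity; a bot that sends any other HELO name passes it.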
