[Mimedefang] New spammer trick?

Ben Kamen bkamen at benjammin.net
Tue Nov 25 01:08:22 EST 2003


The from address is not a new trick. I've seen it in the past.

The HELO line, I'm not sure - I don't watch that closely. I practically
refuse all email from subdomains of the popular ISPs at this point.
Anything that's a subdomain of comcast in particular I reject with the
message that they need to go through their ISP's mailserver.

Only "CLIENT.comcast.net" fails. I happily take email from comcast.net
provided it passes the rest of the filters.

 -Ben


On Mon, 24 Nov 2003, David F. Skoll wrote:
> I've just seen the following three entries in my maillog:
>
> Nov 23 07:43:55 www sendmail[23184]: hANChtWl023184:
> from=<dfs at roaringpenguin.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
> daemon=MTA, relay=c-66-56-84-132.atl.client2.attbi.com [66.56.84.132]
>
> Nov 24 09:20:01 www sendmail[32246]: hAOEK1Wl032246:
> from=<dfs at roaringpenguin.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
> daemon=MTA, relay=[163.41.144.53]
>
> Nov 24 21:08:50 www sendmail[22577]: hAP28ofX022577:
> from=<dfs at roaringpenguin.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
> daemon=MTA, relay=c-67-163-130-188.client.comcast.net [67.163.130.188]
>
> This spammer makes both the "from" and "to" address the same as the
> intended recipient.  Luckily, in all three cases, the spammer's software
> says "HELO roaringpenguin.com", so I see lines like this in my log (edited
> to wrap better:)
>
> Nov 23 07:43:55 Host 66.56.84.132 said HELO roaringpenguin.com
> Nov 23 07:43:55 filter_relay rejected host 66.56.84.132
> Nov 23 07:43:55 Go away... 66.56.84.132 is not a roaringpenguin.com machine
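The two relay policies discussed in this thread, written out as an added Python example (it is neither MIMEDefang's own filter code, which is Perl, nor anything David or Ben posted): a parser for sendmail's "from=" log lines, a check that rejects a remote host that greets with our own domain (David's filter_relay rejection), a check on envelope senders forged to our own domain (the from==to trick), and Ben's rule that dynamic ISP client pools such as *.client.comcast.net are refused while the bare ISP domain is accepted. The local domain is taken from David's log; LOCAL_NETS, the suffix list, the 198.51.100.25 line and its queue id are constructed assumptions.

```python
"""Relay policy checks for the tricks discussed on the list (example code,
not MIMEDefang's own filter): a remote host greeting with our own domain,
an envelope sender forged to our own domain, and dynamic ISP client pools."""
import ipaddress
import re

LOCAL_DOMAIN = "roaringpenguin.com"                  # domain this MTA serves
# Assumption: our own mail machines live in this (constructed) range.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Reverse-DNS suffixes of dynamic ISP client pools (assumed list). Hosts under
# bare comcast.net / attbi.com are still accepted, matching Ben's policy.
DYNAMIC_CLIENT_SUFFIXES = (".client.comcast.net", ".client2.attbi.com")

# relay= field of a sendmail from= line, with or without a reverse hostname.
RELAY_RE = re.compile(r"relay=(?:(?P<host>[^\s\[]+) )?\[(?P<ip>[0-9.]+)\]")
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>")


def parse_from_line(line):
    """Return (sender, relay_hostname_or_None, relay_ip) from a sendmail from= line."""
    m_from, m_relay = FROM_RE.search(line), RELAY_RE.search(line)
    if not (m_from and m_relay):
        raise ValueError("not a sendmail from= line: " + line)
    return m_from.group("sender"), m_relay.group("host"), m_relay.group("ip")


def is_local_ip(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in LOCAL_NETS)


def is_dynamic_client(relay_hostname):
    """True for reverse names inside an ISP's dynamic client pool."""
    if not relay_hostname:
        return False
    h = relay_hostname.lower().rstrip(".")
    return any(h.endswith(s) for s in DYNAMIC_CLIENT_SUFFIXES)


def relay_decision(client_ip, relay_hostname, helo, sender):
    """Return (accept, reason). HELO is checked first, as in David's log."""
    if helo.lower() == LOCAL_DOMAIN and not is_local_ip(client_ip):
        return False, f"{client_ip} is not a {LOCAL_DOMAIN} machine"
    # Envelope sender claiming our domain from outside blocks the from==to
    # trick, but is only safe if roaming users submit via an authenticated path.
    if sender.lower().endswith("@" + LOCAL_DOMAIN) and not is_local_ip(client_ip):
        return False, f"forged {LOCAL_DOMAIN} sender from {client_ip}"
    if is_dynamic_client(relay_hostname):
        return False, "please relay through your ISP's mail server"
    return True, "ok"


# Constructed sample: from= lines in the shape of David's log, each paired
# with the HELO the client sent (sendmail logs that separately). The first
# two reuse David's entries; the third is an invented legitimate ISP relay.
SAMPLE = [
    ("Nov 23 07:43:55 www sendmail[23184]: hANChtWl023184: "
     "from=<dfs@roaringpenguin.com>, size=0, class=0, nrcpts=0, proto=ESMTP, "
     "daemon=MTA, relay=c-66-56-84-132.atl.client2.attbi.com [66.56.84.132]",
     "roaringpenguin.com"),
    ("Nov 24 09:20:01 www sendmail[32246]: hAOEK1Wl032246: "
     "from=<dfs@roaringpenguin.com>, size=0, class=0, nrcpts=0, proto=ESMTP, "
     "daemon=MTA, relay=[163.41.144.53]",
     "roaringpenguin.com"),
    ("Nov 25 10:00:00 www sendmail[10001]: hAPA00Ab010001: "
     "from=<friend@comcast.net>, size=0, class=0, nrcpts=0, proto=ESMTP, "
     "daemon=MTA, relay=mail.comcast.net [198.51.100.25]",
     "mail.comcast.net"),
]


def audit(samples=SAMPLE):
    """Apply the policy to each (log line, helo) pair; returns (ip, accept, reason) tuples."""
    out = []
    for line, helo in samples:
        sender, host, ip = parse_from_line(line)
        accept, reason = relay_decision(ip, host, helo, sender)
        out.append((ip, accept, reason))
    return out


if __name__ == "__main__":
    for ip, accept, reason in audit():
        print(f"{ip:16} {'ACCEPT' if accept else 'REJECT'}  {reason}")
```

The sender check is the one to be careful with: it catches the from==to spam David describes, but it also rejects your own users sending from an ISP connection unless they submit through SMTP AUTH or another path that bypasses this policy, so enable it only once that path exists.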
