[Mimedefang] New spammer trick?

Mark admin at asarian-host.net
Tue Nov 25 02:34:24 EST 2003


----- Original Message ----- 
From: "David F. Skoll" <dfs at roaringpenguin.com>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Tuesday, November 25, 2003 3:17 AM
Subject: [Mimedefang] New spammer trick?

> This spammer makes both the "from" and "to" address the same as the
> intended recipient.  Luckily, in all three cases, the spammer's software
> says "HELO roaringpenguin.com", so I see lines like this in my log (edited
> to wrap better:)
>
> Nov 23 07:43:55 Host 66.56.84.132 said HELO roaringpenguin.com
> Nov 23 07:43:55 filter_relay rejected host 66.56.84.132
> Nov 23 07:43:55 Go away.. 66.56.84.132 is not a roaringpenguin.com machine
>
> :-)
>
> So this must be a new piece of ratware.

Not so new, I fear. Or, luckily, I should say. :) In my own Milter (O,
shame), I have been logging literally thousands of spammers whose HELO
string matches any of the domains (or IP) I host. In fact, they grew so in
number that, at long last, I stuck em all in a local DNSBL zone,
"pretenders.my-domain.info", and lock them out of life.

I have not had any false positives yet. And why would I, even? There is
never ever a legitimate reason to pretend to be my server. So, anyone who
does, is banished for all eternity.

I said 'luckily' at the onset of my reply, because ratware like this gives
spammers a clear "tell". Like when they fancy themselves clever, and write
"y0ung", instead of "young". That is a clear giveaway, a clear "tell", that
actually makes the job of separating chaff from grain a lot easier.

Greetings,

- Mark
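
The check described in this message, sketched as an added example (it is not code from Mark's Milter or from MIMEDefang): reject any outside client whose HELO names a hosted domain or one of your own IPs, and compute the record name to add to the local DNSBL zone. The 192.0.2.0/24 network, the function names and the subdomain matching are assumptions; the domain, client IP and zone name are the ones quoted above.

```python
import ipaddress

# Constructed sample configuration (assumptions for illustration).
HOSTED_DOMAINS = {"roaringpenguin.com"}             # domains we host
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # our real machines
DNSBL_ZONE = "pretenders.my-domain.info"            # zone name from the post

def is_own_host(ip_text):
    """True if the address belongs to one of our own networks."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in OWN_NETWORKS)

def helo_claims_us(helo):
    """True if the HELO argument names a hosted domain or one of our IPs."""
    name = helo.strip().rstrip(".").lower()
    literal = name.strip("[]")                      # address literal: [192.0.2.25]
    if literal.startswith("ipv6:"):
        literal = literal[5:]
    try:
        return is_own_host(literal)                 # HELO was an IP address
    except ValueError:
        pass                                        # not an IP, treat as a name
    # Assumption: subdomains of a hosted domain count as "pretending" too.
    return any(name == d or name.endswith("." + d) for d in HOSTED_DOMAINS)

def dnsbl_name(client_ip):
    """Owner name for the client's DNSBL record (reversed octets or nibbles)."""
    rev = ipaddress.ip_address(client_ip).reverse_pointer
    return rev.rsplit(".", 2)[0] + "." + DNSBL_ZONE  # drop in-addr.arpa / ip6.arpa

def check_helo(client_ip, helo):
    """Return (action, dnsbl_record_name) for one SMTP connection."""
    if helo_claims_us(helo) and not is_own_host(client_ip):
        return ("REJECT", dnsbl_name(client_ip))
    return ("CONTINUE", None)

if __name__ == "__main__":
    # Constructed test connections; the first mirrors the quoted log lines.
    for ip, helo in [("66.56.84.132", "roaringpenguin.com"),
                     ("192.0.2.10", "roaringpenguin.com"),
                     ("66.56.84.132", "mail.example.org")]:
        print(ip, helo, check_helo(ip, helo))
```

Exempting your own networks first is what keeps the "no false positives" property: internal relays legitimately use the hosted names in HELO.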
