[Mimedefang] New spammer trick?

Albert Whale aewhale at ABS-CompTech.com
Mon Nov 24 23:38:15 EST 2003

David F. Skoll wrote:

>I've just seen the following three entries in my maillog:
>Nov 23 07:43:55 www sendmail[23184]: hANChtWl023184:
>from=<dfs at roaringpenguin.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
>daemon=MTA, relay=c-66-56-84-132.atl.client2.attbi.com []
>Nov 24 09:20:01 www sendmail[32246]: hAOEK1Wl032246:
>from=<dfs at roaringpenguin.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
>daemon=MTA, relay=[]
>Nov 24 21:08:50 www sendmail[22577]: hAP28ofX022577:
>from=<dfs at roaringpenguin.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
>daemon=MTA, relay=c-67-163-130-188.client.comcast.net []
>This spammer makes both the "from" and "to" address the same as the
>intended recipient.  Luckily, in all three cases, the spammer's software
>says "HELO roaringpenguin.com", so I see lines like this in my log (edited
>to wrap better:)
>Nov 23 07:43:55 Host said HELO roaringpenguin.com
>Nov 23 07:43:55 filter_relay rejected host
>Nov 23 07:43:55 Go away... is not a roaringpenguin.com machine
>So this must be a new piece of ratware.  HELO checks will probably
>be even more worthwhile.


I have it on good authority that HELO checks will eliminate some of the 
SPAM bots. They won't get rid of all of them, but it is a safe bet that 
you should check the HELO.


Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
http://www.abs-comptech.com & http://www.No-JunkMail.com 
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
SPAM Zapper - www.No-JunkMail.com - SPAM Stops Here.
Founding Board of Directors of Pittsburgh FBI - InfraGard

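The two checks discussed above, as an added example rather than code from this thread or from MIMEDefang itself: a HELO sanity check of the kind David's filter_relay applied (reject a remote host that greets with our own domain, a host under it, or one of our address literals, since only our own machines may legitimately say that), and a pass over sendmail log lines that picks out connections whose envelope sender claims our domain but arrived from outside our networks. It is written in Python rather than the Perl of a mimedefang-filter, and the domain, networks and log lines are constructed for the example (RFC 5737 addresses and RFC 2606 names), not taken from the thread.

```python
import ipaddress
import re

# Assumed values for this example: the protected domain and its networks.
# Nothing here comes from the thread; substitute your own.
OUR_DOMAIN = "example.com"
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Address-literal HELO, e.g. "[192.0.2.10]" or "[ipv6:2001:db8::1]".
HELO_LITERAL = re.compile(r"^\[(?:ipv6:)?([^\]]+)\]$")


def is_our_address(ip):
    """True if the address belongs to one of our own networks."""
    return any(ip in net for net in OUR_NETWORKS)


def check_helo(helo, relay_ip):
    """HELO sanity check. Return None to accept, or a rejection reason.

    Connections from our own networks are never judged; an outside host is
    rejected if it claims our domain name, a name under it, or an address
    literal inside our networks. Any other HELO is accepted here (the
    thread's point is that this check catches some ratware, not all).
    """
    ip = ipaddress.ip_address(relay_ip)
    if is_our_address(ip):
        return None
    h = helo.strip().lower().rstrip(".")
    m = HELO_LITERAL.match(h)
    if m:
        try:
            literal = ipaddress.ip_address(m.group(1))
        except ValueError:
            return "HELO %s is not a valid address literal" % helo
        if is_our_address(literal):
            return "Go away... %s is not %s" % (relay_ip, literal)
        return None
    if h == OUR_DOMAIN or h.endswith("." + OUR_DOMAIN):
        return "Go away... %s is not a %s machine" % (relay_ip, OUR_DOMAIN)
    return None


# sendmail "from=" log line: queue id, envelope sender, recipient count and
# the relay as "hostname [ip]" or just "[ip]" when there is no hostname.
LOG_LINE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>, .*?"
    r"nrcpts=(?P<nrcpts>\d+), .*?relay=(?P<relayhost>[^\s\[]*) ?\[(?P<relayip>[^\]]+)\]"
)

# Constructed log lines in sendmail's format (not real traffic). The first two
# mirror the pattern in the thread: our own domain as envelope sender, coming
# from outside, rejected before any recipient was accepted (nrcpts=0).
SAMPLE_LOG = """\
Nov 23 07:43:55 www sendmail[23184]: hANChtWl023184: from=<alice@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=c-198-51-100-7.example.net [198.51.100.7]
Nov 24 09:20:01 www sendmail[32246]: hAOEK1Wl032246: from=<alice@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[203.0.113.9]
Nov 24 21:08:50 www sendmail[22577]: hAP28ofX022577: from=<bob@partner.example.org>, size=1842, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.partner.example.org [203.0.113.40]
Nov 24 21:09:12 www sendmail[22590]: hAP29CfX022590: from=<carol@example.com>, size=3301, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.0.2.10]
"""


def forged_sender_connections(log_text):
    """Return (queue id, sender, relay ip) for every connection whose envelope
    sender is in our domain but which did not come from our own networks."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        sender = m.group("sender")
        domain = sender.rpartition("@")[2].lower()  # "" for a null sender
        ip = ipaddress.ip_address(m.group("relayip"))
        if domain == OUR_DOMAIN and not is_our_address(ip):
            hits.append((m.group("qid"), sender, str(ip)))
    return hits


if __name__ == "__main__":
    for helo, ip in [("example.com", "198.51.100.7"), ("[192.0.2.10]", "203.0.113.9"),
                     ("mail.example.com", "192.0.2.10"), ("mx.partner.example.org", "203.0.113.40")]:
        print("HELO %-24s from %-14s -> %s" % (helo, ip, check_helo(helo, ip) or "accept"))
    for qid, sender, ip in forged_sender_connections(SAMPLE_LOG):
        print("%s: %s claimed by outside relay %s" % (qid, sender, ip))
```

The HELO check runs before any message data is seen, so it is cheap; the log pass is the after-the-fact view that shows which connections the check would have caught. Note that a bare suffix match on our domain name is deliberately anchored on a dot, so a host called notexample.com is not treated as one of ours.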