[Mimedefang] New spammer trick?

Mark admin at asarian-host.net
Tue Nov 25 02:34:24 EST 2003

----- Original Message ----- 
From: "David F. Skoll" <dfs at roaringpenguin.com>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Tuesday, November 25, 2003 3:17 AM
Subject: [Mimedefang] New spammer trick?

> This spammer makes both the "from" and "to" address the same as the
> intended recipient.  Luckily, in all three cases, the spammer's software
> says "HELO roaringpenguin.com", so I see lines like this in my log (edited
> to wrap better:)
> Nov 23 07:43:55 Host said HELO roaringpenguin.com
> Nov 23 07:43:55 filter_relay rejected host
> Nov 23 07:43:55 Go away.. is not a roaringpenguin.com machine
> :-)
> So this must be a new piece of ratware.

Not so new, I fear. Or, luckily, I should say. :) In my own Milter (O,
shame), I have been logging literally thousands of spammers whose HELO
string matches any of the domains (or IP) I host. In fact, they grew so in
number that, at long last, I stuck 'em all in a local DNSBL zone,
"pretenders.my-domain.info", and lock them out of life.

I have not had any false positives yet. And why would I, even? There is
never ever a legitimate reason to pretend to be my server. So, anyone who
does, is banished for all eternity.

I said 'luckily' at the onset of my reply, because ratware like this gives
spammers a clear "tell". Like when they fancy themselves clever, and write
"y0ung", instead of "young". That is a clear giveaway, a clear "tell", that
actually makes the job of separating chaff from grain a lot easier.


- Mark
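
The check described in the message above, as an added example that is not part of the original post and is not code from Mark's milter or from MIMEDefang: flag a remote client whose HELO argument is one of the hosted domains or IPs, and emit DNSBL zone records for it. The domain names, address ranges, zone name and sample events are constructed placeholders, and the `127.0.0.2` return value is an assumed convention.

```python
import ipaddress

# Constructed values for illustration (documentation ranges, not from the post).
HOSTED_DOMAINS = {"example.org", "mail.example.org"}
HOSTED_NETS = [ipaddress.ip_network("192.0.2.0/28")]
DNSBL_ZONE = "pretenders.example.org"  # placeholder zone name

def is_hosted_ip(ip):
    """True if ip belongs to one of our own networks (ValueError if not an IP)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTED_NETS)

def helo_claims_us(helo):
    """True if the HELO argument is one of our domains or one of our IPs."""
    h = helo.strip().lower().rstrip(".")
    if h.startswith("[") and h.endswith("]"):  # address literal, e.g. [192.0.2.1]
        h = h[1:-1]
    try:
        return is_hosted_ip(h)
    except ValueError:                         # not an IP, compare as a name
        return h in HOSTED_DOMAINS             # exact match only, no subdomains

def is_pretender(relay_ip, helo):
    """A client using our identity in HELO; our own machines are exempt."""
    return helo_claims_us(helo) and not is_hosted_ip(relay_ip)

def dnsbl_name(ip):
    """Owner name of the listing: reversed address labels followed by the zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]
    return f"{rev}.{DNSBL_ZONE}."

def build_zone(events):
    """events: iterable of (relay_ip, helo). Returns de-duplicated A records."""
    listed = {ip for ip, helo in events if is_pretender(ip, helo)}
    return [f"{dnsbl_name(ip)} IN A 127.0.0.2" for ip in sorted(listed)]

# Constructed sample of (connecting IP, HELO argument) pairs.
SAMPLE = [
    ("203.0.113.7", "example.org"),       # remote host using our domain
    ("203.0.113.7", "EXAMPLE.ORG."),      # same host, different spelling
    ("198.51.100.23", "[192.0.2.1]"),     # remote host using our IP literal
    ("192.0.2.5", "mail.example.org"),    # our own machine, legitimate
    ("198.51.100.9", "mx.other.test"),    # unrelated HELO, not listed
]

if __name__ == "__main__":
    print("\n".join(build_zone(SAMPLE)))
```

The exemption for the hosted address ranges is what keeps the list free of false positives from one's own servers, which legitimately announce these names.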
