[Mimedefang] has anyone else seen those weird "1.txt" emails

Joseph Brennan brennan at columbia.edu
Sun Jul 24 11:35:53 EDT 2005


Rob MacGregor <rob.macgregor at gmail.com> wrote:

> On 24/07/05, Fernando Gleiser <fgleiser at cactus.fi.uba.ar> wrote:
>> I'm seeing a lot of emails coming with just an "1" in the body, "1" as
>> the subject and an application/octet-stream part called "1.txt"


They're generating Message-ID the same way Bagle did, namely:
"<", a string of lower-case a-z, "@", recipient domain, ">" -- like
<hpnfyskoptmhuixzsya at columbia.edu>  for mail coming to columbia.edu.

8,326 seen here yesterday, Saturday.  From many, many IPs.  The sender
local part usually matches the recipient local part, e.g. <jb51 at terra.com>
sends to <jb51 at columbia.edu>.  There are some exceptions where the sender
address has extra characters before the @ sign, e.g. <jb51kr at nate.com> to
<jb51 at columbia.edu>.  In some cases the sender address is identical to the
recipient.

The senders seem to be zombies under central control.  As the log opens at
04:00, we are in the middle of two alphabetical series of recipient
addresses, one series starting with jb, the other with rp.  The recipients
gradually go up the alphabet, not perfectly but still with remarkable
coordination considering how many IP addresses are sending.   The r's run
out around 06:00 and we start seeing sa.  Each zombie sends us only a few
messages.  The overall gradual progression through the alphabet in a
coordinated manner suggests two controllers transmitting target addresses
to their zombies one zombie at a time.  It would be fun if the 1 means the
software has a coding error that is inserting a truth value instead of data
(what perl programmer has not done that?).


Joseph Brennan
Columbia University
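The indicators Joseph lists (a Bagle-style Message-ID of lowercase letters at the recipient's own domain, a sender local part that mirrors or extends the recipient local part, a "1" subject and body, and an application/octet-stream part named 1.txt) combined into one header-and-body check, as an added example that is not from the post or from the MIMEDefang project. It is written in Python rather than MIMEDefang's Perl filter language, runs on constructed sample messages using .example domains (the archive shows " at " where the real headers have "@"), and the function names and the "Message-ID plus two more indicators" threshold are my own choices, not anything the post specifies.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# "<", one or more lowercase a-z, "@", a domain, ">" -- the Bagle-style shape
# described in the post. Anything with digits, dots or mixed case fails this.
MSGID_RE = re.compile(r"^<([a-z]+)@([^>]+)>$")


def bagle_style_msgid(msgid: str, rcpt_domain: str) -> bool:
    """True when the Message-ID is lowercase letters at the *recipient's* domain."""
    m = MSGID_RE.match(msgid.strip())
    return bool(m) and m.group(2).lower() == rcpt_domain.lower()


def localpart_mirrors(sender: str, recipient: str) -> bool:
    """True when the sender local part equals, or starts with, the recipient local part
    (jb51@terra -> jb51@columbia, or jb51kr@nate -> jb51@columbia)."""
    s_local = sender.split("@", 1)[0].lower()
    r_local = recipient.split("@", 1)[0].lower()
    return bool(r_local) and s_local.startswith(r_local)


def score_message(raw: str, envelope_rcpt: str) -> list:
    """Return the list of indicator names that fire for one message.
    envelope_rcpt is the SMTP RCPT TO address (in a MIMEDefang filter this would
    come from the recipient list the filter is given; that wiring is assumed here)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    rcpt_domain = envelope_rcpt.split("@", 1)[1]
    hits = []
    if bagle_style_msgid(msg.get("Message-ID", ""), rcpt_domain):
        hits.append("msgid")
    if localpart_mirrors(sender, envelope_rcpt):
        hits.append("localpart")
    if (msg.get("Subject") or "").strip() == "1":
        hits.append("subject")
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            body = part.get_payload(decode=True) or b""
            if body.strip() == b"1":
                hits.append("body")
        elif ctype == "application/octet-stream" and part.get_filename() == "1.txt":
            hits.append("attachment")
    return hits


def is_one_txt_campaign(raw: str, envelope_rcpt: str) -> bool:
    """Hypothetical threshold: the Message-ID shape plus at least two other indicators.
    The Message-ID alone is too weak on its own to reject on."""
    hits = score_message(raw, envelope_rcpt)
    return "msgid" in hits and len(hits) >= 3


# Constructed sample matching every indicator in the post (not a real capture).
SAMPLE_HIT = """From: jb51@terra.example
To: jb51@columbia.example
Subject: 1
Message-ID: <hpnfyskoptmhuixzsya@columbia.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

1
--b1
Content-Type: application/octet-stream; name="1.txt"
Content-Disposition: attachment; filename="1.txt"

1
--b1--
"""

# Constructed ordinary message that should fire nothing.
SAMPLE_CLEAN = """From: alice@example.net
To: jb51@columbia.example
Subject: Meeting notes
Message-ID: <20050724.113553.123@mail.example.net>
MIME-Version: 1.0
Content-Type: text/plain

Here are the notes from today.
"""

if __name__ == "__main__":
    for label, raw in (("hit", SAMPLE_HIT), ("clean", SAMPLE_CLEAN)):
        print(label, score_message(raw, "jb51@columbia.example"),
              is_one_txt_campaign(raw, "jb51@columbia.example"))
```

The check deliberately keys the Message-ID test to the envelope recipient's domain rather than to any fixed string, since the post's point is that the generated domain tracks whoever is being targeted; a site adapting this would feed it its own recipient addresses and tune the threshold against its own logs before acting on it.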




