Full Disclosure mailing list archives

Re: [SPAM] Spam sent via spambots?
From: James Riden <j.riden () massey ac nz>
Date: Tue, 02 Nov 2004 08:33:21 +1300

Hugo van der Kooij <hvdkooij () vanderkooij org> writes:

Sendmail logs also show a significant number of false recipients which
are known to be part of worms that are by now over 6 months old. Like:

Nov  1 07:16:06 gandalf sendmail[17575]: iA16G3QU017575: ruleset=check_rcpt, arg1=<mary () vanderkooij org>, relay=[], reject=550 5.7.0 <mary () vanderkooij org>... - REJECTED: KEEP YOUR VIRUS JUNK!; SEE ALSO:
Nov  1 07:16:07 gandalf sendmail[17575]: iA16G3QU017575: lost input channel from [] to MTA after rcpt
Nov  1 07:16:07 gandalf sendmail[17575]: iA16G3QU017575: from=<maria () tencent com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[]

If there are that many worms going around it only shows how easy it is to
write your own little SMTP engine. Spammers may have deployed similar

A lot of stuff out there will also HELO as <yourdomain>, or the IP
address of your MX. I'm pretty sure it's a worm, because I can't think
how any MTA/MUA could be that broken.

James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
