mailing list archives
Re: Spam from weird IP 18.104.22.168
From: Richard D G Cox <Richard () mandarin com>
Date: Mon, 16 Jun 2003 19:30:22 +0100
On Mon, 16 Jun 2003 15:47 (UT), jlewis () lewis org wrote:
| I've never heard of the NNFMP protocol
It's the latest spammer exploit the "Network Nonsense - Fools Most People"
exploit. You've not been hit by that one yet, then?
On Mon, 16 Jun 2003 17:47 (UT), Wayne Tucker <wtucker () donobi com> wrote:
| I have run into a considerable number of these that include headers
| suggesting that they were relayed through my server, but I have verified
| my logs, and the messages never even touched any of my machines.
But precisely which logs are you looking at?
The SMTP logs from your mail server or the machine's IP connection log?
| It seems that one of the new tricks is to throw some BS headers in there
| before relaying the message, just to throw a monkey wrench in the works.
That is one of the older tricks in the book. The latest revision is to
throw some _matching_ headers in there so that it looks entirely genuine.
If you have a trojan executable on a server as well as an "authorised" mail
server then any mail sent by the trojan will NOT appear in the logs of the
SMTP server, but WILL appear on the next hop as coming from your server and
the only way to tell the difference is by examining the connecting port as
seen coming from your server by the machine at next hop.
Richard D G Cox