[Mailman-Developers] Opening up a few can o' worms here...
John W Baxter
jwblist@olympus.net
Tue, 16 Jul 2002 22:21:38 -0700
"Bob Puff@NLE" <bob@nleaudio.com>
>Not to get too far OT here but...
>
>I've seen the next generation of spammer software at work recently.
>Spammer's machine makes direct SMTP connection to my box, gives MY address
>as the FROM:, TO:, and
>REPLY-TO:. This bypasses all the open relay testing, and would only leave
>stuff like SA to detect it.
Actually, you missed "version a" of this, in which a user is picked, and
messages are sent to 8 [about] or fewer alphabetically-near addresses on
the same domain. I *think* the "or fewer" mostly came from stale addresses
being bounced.
So this thing was really clever, right? Not really...there was a supposed
Received: header "below" the Subject: header. With a made up host name in
the supposedly sending domain, and SMTP not esmtp protocol.
Not hard to catch and freeze by parsing headers, although I froze based on
another header instead. (The latter turned out not to be specific to the
spam in question [just because it wasn't found in any of the messages I have
in my last couple of years of history didn't make it unusual, just old, as
it turned out]. It recently caught another juicy spammer who was easy to
deal with but whom I wouldn't have noticed if I hadn't had to vet the
frozen messages.)
Plan B of this series* is the xxx@example.com to xxx@example.com form
you're seeing...which sometimes is, it turns out, xxx@example.com to
yyy@example.com. This form lacks the misplaced phony Received: header.
*I see it as part of the series...the perps may not.
--John
--
John Baxter jwblist@olympus.net Port Ludlow, WA, USA
mailman-developers...where no canned worm is safe.
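A defender-side check for the tell John describes above, written as an added example that is not part of this thread: it reads a raw message's headers in wire order and flags a Received: header that sits below Subject: (a relay would have prepended it at the top), and separately notes a Received: line claiming plain SMTP rather than ESMTP. Both sample messages are constructed for the example; the "with SMTP" signal alone is weak and is only meant to be read together with the misplaced-header one.

```python
import re
from email.parser import HeaderParser

# Regex for a Received: line that says "with SMTP" but not "with ESMTP".
PLAIN_SMTP = re.compile(r"\bwith\s+SMTP\b", re.IGNORECASE)


def header_names(raw):
    """Return (header names in on-the-wire order, parsed message)."""
    msg = HeaderParser().parsestr(raw, headersonly=True)
    return [name.lower() for name, _ in msg.items()], msg


def received_below_subject(raw):
    """True if any Received: header appears after the first Subject: header.

    MTAs prepend Received: above all existing headers, so one that trails
    Subject: was written by the sending software, not by a relay."""
    names, _ = header_names(raw)
    if "subject" not in names:
        return False
    return "received" in names[names.index("subject") + 1:]


def received_claims_plain_smtp(raw):
    """True if any Received: header claims plain SMTP instead of ESMTP."""
    _, msg = header_names(raw)
    return any(PLAIN_SMTP.search(v) for v in (msg.get_all("Received") or []))


def flags(raw):
    """Collect the reasons a message looks like the forged-header variant."""
    reasons = []
    if received_below_subject(raw):
        reasons.append("received-below-subject")
    if received_claims_plain_smtp(raw):
        reasons.append("received-with-plain-smtp")
    return reasons


# Constructed sample: self-addressed, with a fake Received: under Subject:.
SAMPLE_SPAM = (
    "From: xxx@example.com\nTo: xxx@example.com\nSubject: hello\n"
    "Received: from mail.example.com (mail.example.com [192.0.2.10])\n"
    "\tby mx.example.net with SMTP id ABC123\n"
    "Message-ID: <1@example.com>\n\nbody\n"
)
# Constructed sample: normal relay-prepended Received: using ESMTP.
SAMPLE_LEGIT = (
    "Received: from relay.example.org (relay.example.org [198.51.100.5])\n"
    "\tby mx.example.net with ESMTP id XYZ789\n"
    "From: alice@example.org\nTo: bob@example.net\nSubject: meeting\n\nbody\n"
)
```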