[Mailman-Developers] Opening up a few can o' worms here...

John W Baxter jwblist@olympus.net
Tue, 16 Jul 2002 22:21:38 -0700


"Bob Puff@NLE" <bob@nleaudio.com>

>Not to get too far OT here but...
>
>I've seen the next generation of spammer software at work recently.
>Spammer's machine makes direct SMTP connection to my box, gives MY address
>as the FROM:, TO:, and
>REPLY-TO:.  This bypasses all the open relay testing, and would only leave
>stuff like SA to detect it.

Actually, you missed "version a" of this, in which a user is picked, and
messages are sent to 8 [about] or fewer alphabetically-near addresses on
the same domain.  I *think* the "or fewer" mostly came from stale addresses
being bounced.

So this thing was really clever, right?  Not really...there was a supposed
Received: header "below" the Subject: header.  With a made up host name in
the supposedly sending domain, and SMTP not esmtp protocol.

Not hard to catch and freeze by parsing headers, although I froze based on
another header instead.  (The latter turned out not to be specific to the
spam in question [just because it wasn't found in any of the messages I have
in my last couple of years of history didn't make it unusual, just old, as
it turned out].  It recently caught another juicy spammer who was easy to
deal with but whom I wouldn't have noticed if I hadn't had to vet the
frozen messages.)

Plan B of this series* is the xxx@example.com to xxx@example.com form
you're seeing...which sometimes is, it turns out, xxx@example.com to
yyy@example.com.  This form lacks the misplaced phony Received: header.

*I see it as part of the series...the perps may not.

  --John
-- 
John Baxter   jwblist@olympus.net      Port Ludlow, WA, USA
mailman-developers...where no canned worm is safe.
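An added example, not part of the original message or of Mailman, showing the two header checks discussed in the thread as code a list admin could run over incoming mail: a Received: trace header sitting below originator headers such as Subject: (real MTAs prepend Received: at the top, so one found lower down was written by the sender), optionally noting whether it claims plain SMTP rather than ESMTP, and the "Plan B" pattern where From:, To: and Reply-To: all equal the recipient's own address. The sample messages, host names and domains are constructed for the example.

```python
"""Header-order and self-addressing checks for the spam patterns described above.

Added example, not code from the original post or from Mailman. Uses the
standard library's email parser, which preserves header order, so the
position of a Received: line relative to originator headers can be tested.
"""
import re
from email import message_from_string
from email.utils import getaddresses
from typing import List, Optional

# Headers that belong to the originator section of a message. Relays only
# ever prepend Received: lines, so a Received: found after any of these was
# present in the message as the sender submitted it.
ORIGINATOR_HEADERS = {"from", "to", "cc", "reply-to", "subject", "date", "message-id"}


def misplaced_received(raw: str) -> List[str]:
    """Return every Received: value that appears below an originator header."""
    msg = message_from_string(raw)
    seen_originator = False
    hits = []
    for name, value in msg.items():          # items() keeps on-the-wire order
        lname = name.lower()
        if lname in ORIGINATOR_HEADERS:
            seen_originator = True
        elif lname == "received" and seen_originator:
            hits.append(" ".join(value.split()))  # unfold continuation lines
    return hits


def received_protocol(received: str) -> Optional[str]:
    """Extract the protocol token ('SMTP', 'ESMTP', ...) from a Received: clause."""
    m = re.search(r"\bwith\s+([A-Za-z]+)", received)
    return m.group(1).upper() if m else None


def self_addressed(raw: str, local_address: str) -> bool:
    """True when From:, To: and Reply-To: all resolve to local_address alone."""
    msg = message_from_string(raw)
    local = local_address.lower()
    for hdr in ("From", "To", "Reply-To"):
        addrs = [addr.lower() for _, addr in getaddresses(msg.get_all(hdr, []))]
        if addrs != [local]:
            return False
    return True


def classify(raw: str, local_address: str) -> List[str]:
    """Return the list of heuristics a message trips (empty means clean)."""
    reasons = []
    if misplaced_received(raw):
        reasons.append("received-after-originator")
    if self_addressed(raw, local_address):
        reasons.append("self-addressed")
    return reasons


# --- constructed sample messages (hosts and addresses are invented) ---------
SAMPLE_VERSION_A = """\
Received: from mx.local.example (mx.local.example [192.0.2.10])
  by mail.local.example with ESMTP id abc123
  for <user@local.example>; Tue, 16 Jul 2002 22:00:00 -0700
From: "Sale" <promo@spamsender.example>
To: user@local.example
Subject: Special offer
Received: from mail.spamsender.example (mail.spamsender.example [203.0.113.5])
  by mx.spamsender.example with SMTP id xyz789
Date: Tue, 16 Jul 2002 21:55:00 -0700
Message-ID: <constructed-1@spamsender.example>

Body text.
"""

SAMPLE_PLAN_B = """\
Received: from mx.local.example (mx.local.example [192.0.2.10])
  by mail.local.example with ESMTP id def456
From: user@local.example
To: user@local.example
Reply-To: user@local.example
Subject: Re: your account
Date: Tue, 16 Jul 2002 22:05:00 -0700

Body text.
"""

SAMPLE_LEGIT = """\
Received: from mx.local.example (mx.local.example [192.0.2.10])
  by mail.local.example with ESMTP id ghi789
Received: from mail.other.example (mail.other.example [198.51.100.7])
  by mx.local.example with ESMTP id jkl012
From: friend@other.example
To: user@local.example
Subject: Lunch tomorrow?
Date: Tue, 16 Jul 2002 22:10:00 -0700

Body text.
"""

if __name__ == "__main__":
    for label, raw in (("version a", SAMPLE_VERSION_A),
                       ("plan b", SAMPLE_PLAN_B),
                       ("legit", SAMPLE_LEGIT)):
        print(label, classify(raw, "user@local.example"))
```

The order check is deliberately blind to header content, so a spammer changing the forged host name does not evade it; the protocol token is reported only as supporting evidence, since genuine relays also use plain SMTP occasionally.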