Tons of 1.txt messages

Michael Baird mike at TC3NET.COM
Fri Jul 22 21:19:19 IST 2005 

Seeing the here as well

Regards
Michael Baird

> We are suddenly (within the past hour) seeing dozens of reports from
> users about messages coming in with an attachment 1.txt (wich is 80b
> and empty).  There is always a 1 in the body and nothing else.  The
> source address is always forged and most of them seem to be coming
> from large ISP user IP pools.  
> 
> Here is a sample header:
> 
> Received: from x.americanhm.com (sams2.americanhm.com [x.x.x.x]) by
> x.americanhm.com with SMTP (x) 
>         id PKVMXV6N; Fri, 22 Jul 2005 13:53:18 -0400 
> Received: from betru.net (frnk-d9b96a96.pool.mediaWays.net
> [217.185.106.150]) 
>         by x.americanhm.com (8.12.10/8.12.10) with SMTP id
> j6MHmr22028595 
>         for <mg at americanhm.com>; Fri, 22 Jul 2005 13:48:55 -0400 
> Date: Fri, 22 Jul 2005 19:59:41 +0100 
> To: "Mg" <mg at americanhm.com> 
> From: "Mg" <mg at ales.com.ec> 
> Subject: 1 
> Message-ID: <tmzgclxpkjdscxevsvp at americanhm.com> 
> MIME-Version: 1.0 
> Content-Type: multipart/mixed; 
>         boundary="--------elrddgzjoshelqmabgkc" 
> X-SAMS-Information: Please contact the ISP for more information 
> X-SAMS: Found to be clean 
> X-SAMS-SpamCheck: not spam, SpamAssassin (score=-4.48, required 4.4, 
>         BAYES_00 -4.90, HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.32) 
> X-MailScanner-From: mg at ales.com.ec
> 
> ----------elrddgzjoshelqmabgkc 
> Content-Type: text/html; charset="us-ascii" 
> Content-Transfer-Encoding: 7bit
> 
> ----------elrddgzjoshelqmabgkc 
> Content-Type: application/octet-stream; name="1.txt" 
> Content-Transfer-Encoding: base64 
> Content-Disposition: attachment; filename="1.txt"
> 
> ----------elrddgzjoshelqmabgkc--
> 
> 
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/)
> and the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html). 
> 
> Support MailScanner development - buy the book off the website!

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list