Tons of 1.txt messages

Alex Neuman van der Hans alex at NKPANAMA.COM
Fri Jul 22 23:17:56 IST 2005



Drew Marshall wrote:

> Michael Baird wrote:
>
>> Seeing them here as well
>>
>> Regards
>> Michael Baird
>>
>>  
>>
>>> We are suddenly (within the past hour) seeing dozens of reports from
>>> users about messages coming in with an attachment 1.txt (which is 80b
>>> and empty).  There is always a 1 in the body and nothing else.  The
>>> source address is always forged and most of them seem to be coming
>>> from large ISP user IP pools. 
>>> Here is a sample header:
>>>
>>> Received: from x.americanhm.com (sams2.americanhm.com [x.x.x.x]) by
>>>        x.americanhm.com with SMTP (x) id PKVMXV6N; Fri, 22 Jul 2005
>>>        13:53:18 -0400
>>> Received: from betru.net (frnk-d9b96a96.pool.mediaWays.net
>>>        [217.185.106.150]) by x.americanhm.com (8.12.10/8.12.10) with
>>>        SMTP id j6MHmr22028595 for <mg at americanhm.com>; Fri, 22 Jul 2005
>>>        13:48:55 -0400
>>> Date: Fri, 22 Jul 2005 19:59:41 +0100
>>> To: "Mg" <mg at americanhm.com>
>>> From: "Mg" <mg at ales.com.ec>
>>> Subject: 1
>>> Message-ID: <tmzgclxpkjdscxevsvp at americanhm.com>
>>> MIME-Version: 1.0
>>> Content-Type: multipart/mixed;
>>>        boundary="--------elrddgzjoshelqmabgkc"
>>> X-SAMS-Information: Please contact the ISP for more information
>>> X-SAMS: Found to be clean
>>> X-SAMS-SpamCheck: not spam, SpamAssassin (score=-4.48, required 4.4,
>>>        BAYES_00 -4.90, HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.32)
>>> X-MailScanner-From: mg at ales.com.ec
>>>
>>> ----------elrddgzjoshelqmabgkc
>>> Content-Type: text/html; charset="us-ascii"
>>> Content-Transfer-Encoding: 7bit
>>>
>>> ----------elrddgzjoshelqmabgkc
>>> Content-Type: application/octet-stream; name="1.txt"
>>> Content-Transfer-Encoding: base64
>>> Content-Disposition: attachment; filename="1.txt"
>>>
>>> ----------elrddgzjoshelqmabgkc--
>>>   
>>
> Wonder if the front end to the list server is fighting them off too:
>
> Jul 22 21:30:38 cro-mx1 postfix/smtp[97720]: 06B3833C4C: host 
> kili.jiscmail.ac.uk[130.246.192.52] said: 452 4.4.5 Insufficient disk 
> space; try again later (in reply to MAIL FROM command)
>
> Oops! :-(
>
> Drew
>
What would be the proper regexp on filename.rules.conf to stop it? I'm 
guessing \1.txt$ would kill any file that "ends with" 1.txt, and 1.txt 
would stop any file "which contains" 1.txt in the filename. Would it be 
correct to say then, just 1.txt$ instead?
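
The three candidate patterns from the question above, compared against an anchored and escaped form. This is an added example, not part of the original post and not MailScanner code. It uses Python's `re` as a stand-in regex engine and assumes the rule is applied as an unanchored search over the attachment name; the sample filenames are constructed.

```python
import re

# Constructed sample attachment names (not taken from the thread).
SAMPLES = ["1.txt", "invoice-2021.txt", "report1.txt",
           "1.txt.bak", "2021-txt-notes.doc", "scan1_txt"]

# The three patterns from the question, plus an anchored, escaped form.
PATTERNS = [r"\1.txt$", r"1.txt", r"1.txt$", r"^1\.txt$"]


def hits(pattern, names=SAMPLES):
    """Return the names an unanchored search would flag, or None when the
    pattern does not compile."""
    try:
        rx = re.compile(pattern)
    except re.error:
        # "\1" is a backreference to capture group 1, not a literal "1";
        # with no group defined, Python's re rejects the pattern.
        return None
    return [n for n in names if rx.search(n)]


def report():
    """Build a plain-text summary: one line per pattern."""
    lines = []
    for p in PATTERNS:
        matched = hits(p)
        if matched is None:
            lines.append(f"{p:10} -> does not compile")
        else:
            lines.append(f"{p:10} -> {len(matched)}/{len(SAMPLES)}: "
                         + ", ".join(matched))
    return "\n".join(lines)


if __name__ == "__main__":
    # An unescaped "." matches any character, so "1.txt" also flags names
    # such as "scan1_txt"; without "^" the rule flags every name that merely
    # ends in "1.txt", such as "invoice-2021.txt".
    print(report())
```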

------------------------ MailScanner list ------------------------