Spam via "innocent" machines

Donovan Jones d.jones at FX.NET.NZ
Mon May 16 04:21:24 IST 2005


On Mon, 2005-05-16 at 15:08, Jeff Mills wrote:
> Hi all,
> I'm hoping somebody might be able to help with a problem we've been having lately, but mostly today.
> Some of my users have told us about an increase in spam over the last couple of days.
> One user claims she has received 50 today.
> MailScanner is not picking these up, and when I check, they are getting scores mostly of around 1, but up to 3.
>
These are machines recently infected by Sober, now sending German
political spam.

Here is an SA ruleset:

http://mailscanner.prolocation.net/german.cf



> These emails are in various languages, but most seem to be English and German, pointing to political news pages.
> Looking at the headers, the originating addresses appear to be dialup accounts, ADSL accounts, etc., which could mean these are household computers affected with a worm of some kind.
>
> The other thing that's happening is that the user will receive 50-odd undeliverable messages, which would suggest that their email address was attached to outgoing spam. I don't know how I can block these without affecting legitimate undeliverable messages.
> One thing I have noticed is that of the undeliverable addresses, they all seem to start with "3D".
> For instance 3Dsomename at somehost.com

From addresses are spoofed addresses harvested from infected hosts,
usually all harvested local parts appended randomly to all harvested
domains.


>
> Are any of you having this same issue?
>

Yes, lots of people. See the Internet Storm Center report:

http://isc.sans.org/diary.php?date=2005-05-15

> Cheers,
> Jeff
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!

Regards
--
Donovan Jones
Network Engineer
FX Networks
+64-4-498 9640
http://www.fx.net.nz
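
The observation in the quoted message that the undeliverable addresses all start with "3D" can be turned into a tagging heuristic for these bounces. This is an added example, not part of the original thread and not a MailScanner or SpamAssassin feature; the function names and the sample bounce are constructed, and it assumes the bounces arrive as RFC 3464 delivery status notifications.

```python
import email

# Constructed sample bounce (RFC 3464 DSN); every name and host here is made up.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.example.net
To: user@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to the following recipient failed.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; 3Dsomename@somehost.example
Action: failed
Status: 5.1.1

--b1--
"""


def failed_recipients(raw):
    """Return the Final-Recipient addresses of a DSN, or [] if raw is not a DSN."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() != "multipart/report":
        return []
    if str(msg.get_param("report-type", "")).lower() != "delivery-status":
        return []
    found = []
    # The parser exposes each header block of message/delivery-status as a sub-part.
    for part in msg.walk():
        value = part.get("Final-Recipient")
        if value:
            found.append(str(value).split(";", 1)[-1].strip())
    return found


def is_3d_backscatter(raw):
    """Heuristic only: a DSN whose failed recipients all have a local part starting '3D'."""
    rcpts = failed_recipients(raw)
    return bool(rcpts) and all(r.split("@", 1)[0].startswith("3D") for r in rcpts)
```

A legitimate address can also begin with "3D", so a match is better used to raise a score or tag the bounce than to discard it.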
