Re: Spam from weird IP 118.189.136.119

From: Richard D G Cox (no email)
Date: Mon Jun 16 2003 - 14:30:22 EDT


On Mon, 16 Jun 2003 15:47 (UT), wrote:

| I've never heard of the NNFMP protocol

It's the latest spammer exploit the "Network Nonsense - Fools Most People"
exploit. You've not been hit by that one yet, then?

On Mon, 16 Jun 2003 17:47 (UT), Wayne Tucker <> wrote:

| I have run into a considerable number of these that include headers
| suggesting that they were relayed through my server, but I have verified
| my logs, and the messages never even touched any of my machines.

But precisely which logs are you looking at?
The SMTP logs from your mail server or the machine's IP connection log?

| It seems that one of the new tricks is to throw some BS headers in there
| before relaying the message, just to throw a monkey wrench in the works.

That is one of the older tricks in the book. The latest revision is to
throw some _matching_ headers in there so that it looks entirely genuine.

If you have a trojan executable on a server as well as an "authorised" mail
server then any mail sent by the trojan will NOT appear in the logs of the
SMTP server, but WILL appear on the next hop as coming from your server and
the only way to tell the difference is by examining the connecting port as
seen coming from your server by the machine at next hop.

-- 
Richard D G Cox







Hosted Email Solutions

Invaluement Anti-Spam DNSBLs



Powered By FreeBSD   Powered By FreeBSD