Greg Earle writes:
Sam:

I notice that when "courierd" logs to syslog, quite often (usually with SPAM) the DNS entry in the logged message is a random 7-character name:

isolar:1:50 [/] # egrep 201.229.207.84 /var/log/syslog | grep dns
Feb 25 14:50:50 isolar courierd: [ID 702911 mail.info] newmsg,id=00088941.4B86FEC7.0000415D: dns; f9wl0v2 ([::ffff:201.229.207.84])

I was assuming that these entries like "f9wl0v2" and the like were inserted by "courierd" into the log message when the IP address had no associated inverse PTR record in the DNS. But this particular example does have one:

isolar:1:51 [/] # nslookup 201.229.207.84 | grep Name
Name: tdev207-84.codetel.net.do

So I am curious why the "courierd" syslog message did not say

Feb 25 14:50:50 isolar courierd: [ID 702911 mail.info] newmsg,id=00088941.4B86FEC7.0000415D: dns; tdev207-84.codetel.net.do ([::ffff:201.229.207.84])

This behavior is making me wonder if the "f9wl0v2" might not be in the original message itself, which could potentially be filterable, or if
This is the contents of the initial SMTP HELO or EHLO command received from the client.
This spamware is probably using a random number generator to form the EHLO or HELO command.
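The reply above says the "dns;" field in the courierd newmsg line is the client's own HELO/EHLO string, not a reverse-DNS result. The following added example (written for this thread, not code from Courier or from either poster) parses that syslog line shape, pulls out the message id, the HELO name and the connecting IP, and flags HELO values that cannot be a fully qualified host name (no dot, or a bare "localhost"), which is what a random token like "f9wl0v2" looks like. The sample log lines and the FAKE_PTR reverse-DNS table are constructed so the script runs offline; in real use the table would be replaced by an actual PTR lookup, and a PTR/HELO mismatch is reported as informational only, since plenty of legitimate senders have one.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines; the first one mirrors the shape quoted in the thread
# (Solaris syslog "[ID ...]" tag followed by courierd's "newmsg" record).
SAMPLE_LOG = """\
Feb 25 14:50:50 isolar courierd: [ID 702911 mail.info] newmsg,id=00088941.4B86FEC7.0000415D: dns; f9wl0v2 ([::ffff:201.229.207.84])
Feb 25 14:51:02 isolar courierd: [ID 702911 mail.info] newmsg,id=00088942.4B86FED6.00004161: dns; mail.example.net ([::ffff:192.0.2.10])
Feb 25 14:51:30 isolar courierd: [ID 702911 mail.info] newmsg,id=00088943.4B86FEF2.00004170: dns; localhost ([::ffff:198.51.100.7])
"""

# Constructed stand-in for reverse DNS (IP -> PTR name, None when no PTR exists)
# so the example does not need network access.
FAKE_PTR: Dict[str, Optional[str]] = {
    "201.229.207.84": "tdev207-84.codetel.net.do",
    "192.0.2.10": "mail.example.net",
    "198.51.100.7": None,
}

# Matches the newmsg record; the syslog "[ID ...]" tag is optional so the same
# pattern works on systems that do not emit it (assumption about other syslogs).
NEWMSG_RE = re.compile(
    r"courierd: (?:\[ID \d+ [\w.]+\] )?newmsg,id=(?P<id>[0-9A-F.]+): dns; "
    r"(?P<helo>\S+) \(\[(?:::ffff:)?(?P<ip>[0-9.]+)\]\)"
)


@dataclass
class NewMsg:
    msgid: str
    helo: str
    ip: str
    ptr: Optional[str]
    suspicious: bool
    reason: str


def classify_helo(helo: str, ptr: Optional[str]) -> str:
    """Return a short reason tag for the HELO string, '' if nothing stands out."""
    h = helo.lower()
    if h == "localhost" or h.startswith("localhost."):
        return "localhost"        # remote client claiming to be us
    if "." not in h:
        return "no-dot"           # cannot be an FQDN or an address literal
    if ptr is not None and h != ptr.lower():
        return "ptr-mismatch"     # informational: common for legitimate mail too
    return ""


def parse_line(line: str, ptr_table: Dict[str, Optional[str]]) -> Optional[NewMsg]:
    """Parse one courierd newmsg syslog line; None if the line is something else."""
    m = NEWMSG_RE.search(line)
    if not m:
        return None
    ip = m.group("ip")
    ptr = ptr_table.get(ip)
    reason = classify_helo(m.group("helo"), ptr)
    # Only the hard failures count as suspicious; a PTR mismatch is just noted.
    return NewMsg(
        msgid=m.group("id"),
        helo=m.group("helo"),
        ip=ip,
        ptr=ptr,
        suspicious=reason in ("no-dot", "localhost"),
        reason=reason,
    )


def scan(log_text: str, ptr_table: Dict[str, Optional[str]]) -> List[NewMsg]:
    """Parse every newmsg line in a syslog extract and return the records found."""
    records = []
    for line in log_text.splitlines():
        rec = parse_line(line, ptr_table)
        if rec is not None:
            records.append(rec)
    return records


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG, FAKE_PTR):
        flag = "SUSPICIOUS" if rec.suspicious else "ok"
        print(f"{rec.msgid} helo={rec.helo!r} ip={rec.ip} ptr={rec.ptr} {flag} {rec.reason}")
```

Run against a real `/var/log/syslog` extract, the output lists each accepted message with the HELO the client sent; the "no-dot" records are the ones that would have looked like "missing PTR" entries to someone reading the log as Greg did, and they can be cross-checked against the actual PTR as the script does with its constructed table.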
