This is a forwarded message
From: R. Scott Perry <[EMAIL PROTECTED]>
To: Roger Heath <[EMAIL PROTECTED]>

Thought others here might find this interesting as I did.

--
Roger Heath

=================Original message text===============

>My mail server and Declude is really being tested today.
>I think I got a concerted attack by several people at once
>to try and crash the server. I have a free email signup
>system (EZSignUp) and they sign up, then start sending libraries
>of email addresses through the server. Since these are from
>spammers and they violate SpamCop and other blacklists, Declude
>was capturing thousands of emails. What is puzzling to me is
>that the spammers were sending to their own email address.

Actually, they aren't amateurs.  They very much want those E-mails that they 
are getting. These are the guys that go hunting for open relays.  They find 
lots of mail servers and try sending an E-mail through to a free mail 
account that they have; if it goes through, they know they found an open relay.

>I figure they must not know what is happening.

True -- they probably don't know that their mail is getting caught.

>It looks like they are amateurs.

These are actually the experts (or at least the most dedicated spammers).

>In SMTP I use 'Relay for Local Users Only'.

Note that this will allow spammers to send mail through your server to 
other servers, if they use a valid return address on one of your 
domains.  Most spammers won't go to that trouble, but they could.

>Here is an actual email from the Spam directory:
>
>Received: from resystems.com [208.1.108.105] by activatormail.com with ESMTP
>   (SMTPD32-5.05) id AF4421E00DE; Mon, 04 Feb 2002 17:54:44 -0600

This is the open relay that they found.

>Received: from mx3.yahoo.com (host22.tracersinfo.com [216.242.132.22] (may 
>be forged))
>         by resystems.com (8.9.3/8.9.3) with SMTP id CAA32528
>         for <[EMAIL PROTECTED]>; Tue, 5 Feb 2002 02:25:56 -0500

And the open relay got it from 216.242.132.22, which is on the 
tracersinfo.com domain.  Most likely, the spammer hacked into the server, 
and isn't connected to it.  That's the server they are running their open 
relay tester software on.

>From: [EMAIL PROTECTED]
>Message-ID: <[EMAIL PROTECTED]>

Forged headers.

>To: <[EMAIL PROTECTED]>

This is the free account on your server.

>Subject: testmail

In most cases, they use a subject with a seemingly innocent header, in case 
the E-mail gets caught on the open relay and an admin finds it (subjects 
such as "I'll see you Tuesday" are common).

>050049054046050052050046049051050046050050058104111115116050050046116114097099101114115105110102111046099111109058055048049058053048058089101115

Here's the proof that it's a spammer.  This is their encoded data.  If you 
decode it, you'll see something that includes the IP address of the open 
relay.  To decode it, if you feel like it, take the numbers into groups of 
three digits (050, 049, 054...), start Notepad, and hold down the ALT key 
and type the three-digit number, and let go of the ALT key.  You'll see 
"216...", which is the real data the spammer sent.

>Received: from riceville.k12.ia.us [207.28.21.3] by activatormail.com with 
>ESMTP
>   (SMTPD32-5.05) id AF4110B0084; Mon, 04 Feb 2002 17:54:41 -0600

Here, the nice spammer found an educational mail server he could abuse.
                                    -Scott

==============End of original message text===========
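The decoding step Scott describes (three-digit groups typed as ALT codes) is easy to automate. The Python below is an added example, not code from the original message or from Declude: `decode_triplets` turns the digit string into characters, and `find_encoded_probes` is a simple scanner an admin could run over a captured message body to flag this kind of relay-test payload. The payload constant is the string quoted above; the minimum run length, the requirement that the result be printable ASCII, and the function names are my own assumptions.

```python
import re

# The probe body quoted in the message above (copied from the mail, not constructed).
PROBE_BODY = (
    "050049054046050052050046049051050046050050058104111115116050050046"
    "116114097099101114115105110102111046099111109058055048049058053048"
    "058089101115"
)

# A run of at least 8 three-digit groups, not touching other digits on either side.
# The lookarounds mean only runs whose length is a multiple of 3 can match.
# The threshold of 8 groups (24 digits) is an assumption chosen to skip phone numbers.
TRIPLET_RUN = re.compile(r"(?<!\d)(?:\d{3}){8,}(?!\d)")


def decode_triplets(digits: str) -> str:
    """Decode a string of three-digit decimal character codes into text."""
    if len(digits) % 3 != 0:
        raise ValueError("length must be a multiple of 3")
    return "".join(chr(int(digits[i:i + 3])) for i in range(0, len(digits), 3))


def is_printable_ascii(text: str) -> bool:
    """True when every character is in the printable ASCII range (space..tilde)."""
    return bool(text) and all(32 <= ord(c) < 127 for c in text)


def find_encoded_probes(body: str) -> list[tuple[str, str]]:
    """Return (raw_run, decoded_text) for every digit run in a message body that
    decodes cleanly to printable ASCII. Runs that decode to non-ASCII are ignored,
    so long ordinary numbers are not reported."""
    hits = []
    for match in TRIPLET_RUN.finditer(body):
        run = match.group(0)
        decoded = decode_triplets(run)  # length is guaranteed by the regex
        if is_printable_ascii(decoded):
            hits.append((run, decoded))
    return hits


if __name__ == "__main__":
    # Constructed sample message: the innocuous subject plus the encoded body.
    sample = "Subject: testmail\n\n" + PROBE_BODY + "\n"
    for raw, text in find_encoded_probes(sample):
        print(f"{raw[:24]}... -> {text}")
```

The decoded text comes out as colon-separated fields (an IP address, a host name, a few numbers and a flag), which is why a probe like this is worth flagging in a spam quarantine rather than dismissed as noise: the body is the tester's own bookkeeping, and the long-digit-run check above catches it without needing to know the exact format.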


---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .