Hugo van der Kooij <[EMAIL PROTECTED]> writes:

> Sendmail logs also show a significant number of false recipients which
> are known to be part of worms that are by now over 6 months old. Like:
>
> Nov 1 07:16:06 gandalf sendmail[17575]: iA16G3QU017575: ruleset=check_rcpt,
> arg1=<[EMAIL PROTECTED]>, relay=[221.232.95.12], reject=550 5.7.0
> <[EMAIL PROTECTED]>... - REJECTED: KEEP YOUR VIRUS JUNK!; SEE ALSO:
> http://hvdkooij.xs4all.nl/email.cms
> Nov 1 07:16:07 gandalf sendmail[17575]: iA16G3QU017575: lost input channel from
> [221.232.95.12] to MTA after rcpt
> Nov 1 07:16:07 gandalf sendmail[17575]: iA16G3QU017575: from=<[EMAIL PROTECTED]>,
> size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[221.232.95.12]
>
> If there are that many worms going around it only shows how easy it is to
> write your own little SMTP engine. Spammers may have deployed similar
> backdoors/trojans/bots/...
A lot of stuff out there will also HELO as <yourdomain>, or the IP address of
your MX. I'm pretty sure it's a worm, because I can't think how any MTA/MUA
could be that broken.

-- 
James Riden / [EMAIL PROTECTED] / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
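
As an added example, not code from the original post or from sendmail: a small Python script that parses sendmail `check_rcpt` reject lines and "lost input channel ... after rcpt" disconnects of the kind quoted above, summarises them per relay IP so the noisiest sources stand out, and adds a HELO check for the pattern the reply describes (a peer that HELOs as your own domain or as your MX's IP address). Every domain, IP and log line in it is constructed sample data; `example.org`, `example.invalid`, the 198.51.100.x/203.0.113.x/192.0.2.x addresses and the function names are assumptions for illustration.

```python
# Added example (not from the original post or from sendmail): parse sendmail
# reject/disconnect lines, aggregate them per relay IP, and flag HELO names that
# claim to be us. All domains, IPs and log lines below are constructed sample data.
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample log, modelled on the format of the quoted sendmail lines.
SAMPLE_LOG = """\
Nov  1 07:16:06 gandalf sendmail[17575]: iA16G3QU017575: ruleset=check_rcpt, arg1=<bogus@example.invalid>, relay=[198.51.100.12], reject=550 5.7.0 <bogus@example.invalid>... - REJECTED: KEEP YOUR VIRUS JUNK!
Nov  1 07:16:07 gandalf sendmail[17575]: iA16G3QU017575: lost input channel from [198.51.100.12] to MTA after rcpt
Nov  1 07:16:07 gandalf sendmail[17575]: iA16G3QU017575: from=<fake@example.invalid>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[198.51.100.12]
Nov  1 07:20:11 gandalf sendmail[17601]: iA16KBQU017601: ruleset=check_rcpt, arg1=<other@example.invalid>, relay=[198.51.100.12], reject=550 5.7.0 <other@example.invalid>... - REJECTED: KEEP YOUR VIRUS JUNK!
Nov  1 07:25:00 gandalf sendmail[17650]: iA16P0QU017650: ruleset=check_rcpt, arg1=<x@example.invalid>, relay=[203.0.113.7], reject=550 5.7.0 <x@example.invalid>... - REJECTED: KEEP YOUR VIRUS JUNK!
Nov  1 07:25:01 gandalf sendmail[17650]: iA16P0QU017650: lost input channel from [203.0.113.7] to MTA after rcpt
"""

# A check_rcpt rejection: timestamp, host, queue id, recipient, relay IP, SMTP code.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]*)>, relay=\[(?P<ip>[\d.]+)\], "
    r"reject=(?P<code>\d{3})"
)
# The peer hung up right after RCPT was refused, as in the quoted log.
LOST_RE = re.compile(r"lost input channel from \[(?P<ip>[\d.]+)\] to MTA after rcpt$")


def parse_rejects(log_text: str) -> List[Dict[str, str]]:
    """Return one record per check_rcpt rejection (queue id, relay IP, recipient, code)."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarise(log_text: str) -> Dict[str, dict]:
    """Per relay IP: rejected RCPT count, distinct recipients tried, and how often
    the peer dropped the connection immediately after RCPT."""
    per_ip: Dict[str, dict] = defaultdict(
        lambda: {"rejects": 0, "recipients": set(), "dropped_after_rcpt": 0}
    )
    for line in log_text.splitlines():
        line = line.strip()
        m = REJECT_RE.match(line)
        if m:
            entry = per_ip[m.group("ip")]
            entry["rejects"] += 1
            entry["recipients"].add(m.group("rcpt"))
            continue
        m = LOST_RE.search(line)
        if m:
            per_ip[m.group("ip")]["dropped_after_rcpt"] += 1
    return dict(per_ip)


def flag_noisy_relays(summary: Dict[str, dict], min_rejects: int = 2) -> List[str]:
    """Relay IPs that hit the recipient rejection rule at least min_rejects times."""
    return sorted(ip for ip, e in summary.items() if e["rejects"] >= min_rejects)


def helo_looks_spoofed(helo: str, our_domain: str, our_mx_ips: Set[str]) -> bool:
    """True when a peer identifies itself as us: HELO equal to our own domain, or an
    address literal (or bare IP) equal to one of our MX addresses."""
    name = helo.strip().lower()
    if name == our_domain.lower():
        return True
    return name.strip("[]") in our_mx_ips


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for ip in flag_noisy_relays(s):
        e = s[ip]
        print(f"{ip}: {e['rejects']} rejects, {len(e['recipients'])} recipients, "
              f"{e['dropped_after_rcpt']} drops after RCPT")
    print(helo_looks_spoofed("[192.0.2.25]", "example.org", {"192.0.2.25"}))
```

Run against a real maillog, the per-IP summary is what you would feed a rate-based block list or a firewall rule; the HELO check belongs in whatever hook sees the HELO argument (a milter or `check_helo` equivalent), since sendmail's reject line above does not record it.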
