"Bob Puff@NLE" <[EMAIL PROTECTED]>
>Not to get too far OT here but...
>
>I've seen the next generation of spammer software at work recently.
>Spammer's machine makes direct SMTP connection to my box, gives MY address
>as the FROM:, TO:, and REPLY-TO:. This bypasses all the open relay testing,
>and would only leave stuff like SA to detect it.

Actually, you missed "version a" of this, in which a user is picked, and messages are sent to 8 [about] or fewer alphabetically-near addresses on the same domain. I *think* the "or fewer" mostly came from stale addresses being bounced.

So this thing was really clever, right? Not really...there was a supposed Received: header "below" the Subject: header. With a made-up host name in the supposedly sending domain, and SMTP not esmtp protocol. Not hard to catch and freeze by parsing headers, although I froze based on another header instead. (The latter turned out not to be specific to the spam in question [just because it wasn't found in any of the messages I have in my last couple of years of history didn't make it unusual, just old, as it turned out]. It recently caught another juicy spammer who was easy to deal with but whom I wouldn't have noticed if I hadn't had to vet the frozen messages.)

Plan B of this series* is the [EMAIL PROTECTED] to [EMAIL PROTECTED] form you're seeing...which sometimes is, it turns out, [EMAIL PROTECTED] to [EMAIL PROTECTED]. This form lacks the misplaced phony Received: header.

*I see it as part of the series...the perps may not.

  --John

--
John Baxter [EMAIL PROTECTED] Port Ludlow, WA, USA
mailman-developers...where no canned worm is safe.

_______________________________________________
Mailman-Developers mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman-21/listinfo/mailman-developers
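
The header-order check described in the message above, as an added example that is not part of the original post or of Mailman: it flags any Received: header found below Subject: and records whether it names a host in the From: domain and says plain SMTP. The function names, the sample message and the example.org addresses are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not from the thread): example.org stands in for the
# receiving domain; the second Received: line is the forged one.
SAMPLE_SPAM = """\
Received: from unknown (HELO relay.invalid) (203.0.113.7)
  by mx.example.org with ESMTP; Wed, 1 Jan 2003 00:00:00 +0000
From: alice@example.org
To: alice@example.org
Subject: hello
Received: from host77.example.org by mx.example.org with SMTP;
  Wed, 1 Jan 2003 00:00:00 +0000

body
"""

FROM_HOST = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)", re.I)
WITH_PROTO = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)

def misplaced_received(raw):
    """Describe every Received: header that sits below Subject:."""
    msg = email.message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings, seen_subject = [], False
    for name, value in msg.items():  # items() keeps on-the-wire order
        if name.lower() == "subject":
            seen_subject = True
        elif name.lower() == "received" and seen_subject:
            value = " ".join(value.split())  # unfold continuation lines
            host = FROM_HOST.search(value)
            proto = WITH_PROTO.search(value)
            host = host.group(1).lower().rstrip(".") if host else ""
            findings.append({
                "host": host,
                # hostname placed in the domain the message claims to be from
                "in_from_domain": bool(domain) and (
                    host == domain or host.endswith("." + domain)),
                # plain "with SMTP" rather than ESMTP
                "plain_smtp": bool(proto) and proto.group(1).upper() == "SMTP",
            })
    return findings

def should_freeze(raw):
    """Hold the message for review if any Received: follows Subject:."""
    return bool(misplaced_received(raw))
```

Relays prepend their Received: lines, so one sitting under Subject: was supplied by the sender; the two extra fields only help a reviewer triage what was frozen.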