Rob MacGregor <[EMAIL PROTECTED]> wrote:

> On 24/07/05, Fernando Gleiser <[EMAIL PROTECTED]> wrote:
> > I'm seeing a lot of emails coming with just a "1" in the body, "1" as
> > the subject and an application/octet-stream part called "1.txt"


They're generating Message-ID the same way Bagle did, namely:
"<", a string of lower-case a-z, "@", recipient domain, ">" -- like
<[EMAIL PROTECTED]>  for mail coming to columbia.edu.

8,326 seen here yesterday, Saturday.  From many, many IPs.  The sender
local part usually matches the recipient local part, e.g. <[EMAIL PROTECTED]>
sends to <[EMAIL PROTECTED]>.  There are some exceptions where the sender
address has extra characters before the @ sign, e.g. <[EMAIL PROTECTED]> to
<[EMAIL PROTECTED]>.  In some cases the sender address is identical to the
recipient.

The senders seem to be zombies under central control.  As the log opens at
04:00, we are in the middle of two alphabetical series of recipient
addresses, one series starting with jb, the other with rp.  The recipients
gradually go up the alphabet, not perfectly but still with remarkable
coordination considering how many IP addresses are sending.   The r's run
out around 06:00 and we start seeing sa.  Each zombie sends us only a few
messages.  The overall gradual progression through the alphabet in a
coordinated manner suggests two controllers transmitting target addresses
to their zombies one zombie at a time.  It would be fun if the 1 means the
software has a coding error that is inserting a truth value instead of data
(what Perl programmer has not done that?).


Joseph Brennan
Columbia University


_______________________________________________
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
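
The traits described in the message above, written as a detection check (an added example, not part of the original post and not MIMEDefang code). The function name, trait labels and sample messages are constructed for illustration; the prefix match on the sender local part is an assumption, since the post does not say exactly where the extra characters sit.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def matched_traits(raw, rcpt):
    """List which traits from the post a raw message shows for envelope recipient rcpt."""
    msg = message_from_string(raw)
    rcpt_local, _, rcpt_domain = rcpt.lower().rpartition("@")
    traits = []
    # Message-ID: "<" + lower-case a-z + "@" + recipient domain + ">"
    mid = (msg.get("Message-ID") or "").strip()
    if re.fullmatch(r"<[a-z]+@" + re.escape(rcpt_domain) + r">", mid):
        traits.append("message-id")
    if (msg.get("Subject") or "").strip() == "1":
        traits.append("subject")
    # Sender local part equals the recipient's, or carries extra characters (assumed: a suffix)
    sender_local = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[0]
    if rcpt_local and sender_local.startswith(rcpt_local):
        traits.append("sender-local")
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "application/octet-stream" and (part.get_filename() or "").lower() == "1.txt":
            traits.append("attachment")
        elif ctype == "text/plain" and (part.get_payload(decode=True) or b"").strip() == b"1":
            traits.append("body")
    return traits

# Constructed sample messages (not taken from real mail logs)
SUSPECT = """\
From: jbrown7@example.net
To: jbrown@example.edu
Subject: 1
Message-ID: <qwkzhtpa@example.edu>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

1
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="1.txt"

1
--b1--
"""
BENIGN = ("From: alice@example.org\nTo: jbrown@example.edu\nSubject: Meeting notes\n"
          "Message-ID: <20050724.1234@mail.example.org>\n\nSee you at 10.\n")
```

Requiring several traits together before acting keeps a legitimate message with a one-character subject or a locally generated Message-ID from being caught by a single match.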
