I also think these are being used to verify active accounts which might
be used later for a more targeted attack. I would begin looking at the
"no recipient" messages in your email server.
--
Thank you,
Robert Miller
http://www.armoredpackets.com
Twitter: @arch3angel
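Added example (not part of the original thread): one way to act on the suggestion above, assuming a Postfix MTA and that "no recipient" means unknown-recipient rejections. It counts which nonexistent addresses were tried and lists senders that were rejected only once, like the one-off throwaway senders described in the thread; all log lines, hosts and addresses are constructed.

```python
import re
from collections import Counter

# Postfix smtpd rejection for a nonexistent mailbox (assumed MTA and wording).
REJECT_RE = re.compile(
    r"reject: RCPT from \S+: 550 5\.1\.1 <[^>]*>: Recipient address rejected: "
    r"User unknown[^;]*; from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def parse_rejects(log_text):
    """Return (sender, recipient) pairs for every unknown-recipient rejection."""
    pairs = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            pairs.append((m["sender"].lower(), m["rcpt"].lower()))
    return pairs

def probe_summary(log_text):
    """Count tries per nonexistent address and list senders rejected exactly once."""
    pairs = parse_rejects(log_text)
    per_sender = Counter(sender for sender, _ in pairs)
    return {
        "guessed": dict(Counter(rcpt for _, rcpt in pairs)),
        "one_shot_senders": sorted(s for s, n in per_sender.items() if n == 1),
    }

def _reject(ts, sender, rcpt):
    # Builds one constructed log line; host, PID and IP are placeholders.
    return (f"Jul 21 {ts} mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from "
            f"unknown[192.0.2.10]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
            f"User unknown in local recipient table; from=<{sender}> to=<{rcpt}> "
            f"proto=ESMTP helo=<mta.freemail.example>")

# Constructed sample: three throwaway senders guessing address formats, plus a
# repeat sender mailing a departed user (should not be listed as one-shot).
SAMPLE_LOG = "\n".join([
    _reject("15:58:11", "qzxkvbt@freemail.example", "jdoe@corp.example"),
    _reject("15:59:40", "hwplrmc@freemail.example", "john.doe@corp.example"),
    "Jul 21 16:01:02 mx1 postfix/smtpd[2101]: connect from unknown[192.0.2.44]",
    _reject("16:02:13", "news@vendor.example", "old.user@corp.example"),
    _reject("16:03:55", "tnvgysa@freemail.example", "j.doe@corp.example"),
    _reject("16:09:27", "news@vendor.example", "old.user@corp.example"),
])

if __name__ == "__main__":
    print(probe_summary(SAMPLE_LOG))
```

A cluster of one-shot senders trying variations of the same person's name is the pattern to review; a sender rejected repeatedly for one stale address is usually just an outdated mailing list entry.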
On 7/26/2012 9:27 AM, Jeremy Pommerening wrote:
I think the suggestion that it could be to verify real addresses is
probably the most logical. I see these from time to time too.
Jeremy Pommerening
CISSP,GCFA,GPEN,GAWN,GCFW,
MCSE Win2K, MCSE NT4
------------------------------------------------------------------------
*From:* Dave <[email protected]>
*To:* PaulDotCom Security Weekly Mailing List <[email protected]>
*Sent:* Saturday, July 21, 2012 7:29 PM
*Subject:* Re: [Pauldotcom] Steady stream of probe email messages.
Maybe they are verifying real e-mail addresses? If they get a bounce
message e-mail address = bad.
Sent from my iPad
On Jul 21, 2012, at 3:59 PM, David Kovar <[email protected]> wrote:
> Aaron,
>
> Alas, there is no content at all, no text, no HTML, nothing ....
>
> -David
>
> On Jul 21, 2012, at 12:57 PM, Aaron Melton wrote:
>
>> David,
>>
>> Are these messages in plain text or HTML format?
>>
>> Could they be embedding objects in the HTML to do reconnaissance of the
>> system/network?
>>
>> Aaron
>>
>> On 7/20/12 7:29 PM, David Kovar wrote:
>>> Good evening,
>>>
>>> A mid-sized high tech client got a new CEO a few months ago. Since
>>> coming on board, he's received a steady stream of probe email
>>> addresses from a wide variety of throwaway email addresses. The
>>> addresses are most often Gmail accounts with random letters for the
>>> name and for the address. The subject line and message body are often
>>> blank, but they occasionally contain "Hello". There is no malicious
>>> payload. No other messages arrive from the same address to any
>>> employee and the sender's address doesn't show up via any searches
>>> I've conducted.
>>>
>>> Any speculation on the purpose of these messages?
>>> Any ideas on how to trace them back to someone?
>>> Any ideas on how to stop them?
>>> Anyone else seeing this?
>>>
>>> -David
>>> _______________________________________________
>>> Pauldotcom mailing list
>>> [email protected]
>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> Main Web Site: http://pauldotcom.com
>>>
>>
>> --
>> "In the beginning of a change, the patriot is a scarce man, brave, hated
>> and scorned. When his cause succeeds however, the timid join him, for
>> then it costs nothing to be a patriot." -Mark Twain