You are right, but the puzzle remains. I looked at the log again and
indeed there was another session. The same spam, the same domain name.
relays.osirusoft.com was looked up, but this time the spam was not
blacklisted. Is that because he is sending from a different IP address?
Andrzej
:46:27 4 SMTP(tcp) Connection request from
[168.167.71.132:2427],seq=1028, 14/15
08:46:27 5 SMTP-196() Stream Created
08:46:27 5 SMTP(196) Resolver Created
08:46:27 4 SMTP Line 3196 created for answering
08:46:27 4 SMTP-196() Got connection from [168.167.71.132:2427]
08:46:27 4 SMTP(tcp) Connection accepted from [168.167.71.132:2427],
seq=1028, 14/15
08:46:27 4 SMTP-196([168.167.71.132]) Sending 220-Stalker Internet Mail
Server V.1.8b8 is ready.\r\n220 ESMTP is spoken here. You are welcome\r\n
08:46:27 5 SMTP-196([168.167.71.132]) OT 95 of 95 bytes sent, Flags=0
08:46:27 5 SMTP-196([168.167.71.132]) *Status=34
08:46:27 4 SMTP-196([168.167.71.132]) Looking for
132.71.167.168.relays.ordb.org
08:46:28 5 SMTP-196([168.167.71.132]) *Status=34
08:46:28 4 SMTP-196([168.167.71.132]) Looking for
132.71.167.168.relays.osirusoft.com
08:46:29 5 SMTP-196([168.167.71.132]) *Status=22
08:46:38 5 SMTP-196([168.167.71.132]) Received 25 bytes
08:46:38 4 SMTP-196([168.167.71.132]) Input Line: EHLO
bnmail1.botsnet.bw\r
08:46:38 5 SMTP-196([168.167.71.132]) *Status=21
08:46:38 4 SMTP-196(bnmail1.botsnet.bw) Looking for bnmail1.botsnet.bw
08:46:38 4 SMTP-196(bnmail1.botsnet.bw) Sending 250-platon.c.u-
tokyo.ac.jp is pleased to meet
you\r\n250-HELP\r\n250-PIPELINING\r\n250-ETRN\r\n250 EHLO\r\n
08:46:38 5 SMTP-196(bnmail1.botsnet.bw) OT 97 of 97 bytes sent, Flags=0
08:46:38 5 SMTP-196(bnmail1.botsnet.bw) *Status=22
08:46:45 5 SMTP-196(bnmail1.botsnet.bw) Received 38 bytes
08:46:45 4 SMTP-196(bnmail1.botsnet.bw) Input Line: MAIL
FROM:<[EMAIL PROTECTED]>\r
08:46:45 5 SMTP-196(bnmail1.botsnet.bw) *Status=25
08:46:45 5 SYSTEM {S.0000027305} in work, ref=90, nFresh=4
08:46:45 5 ROUTER Input: HomeRevenue57(excite.com)
08:46:45 5 ROUTER Parser: [EMAIL PROTECTED] ->
HomeRevenue57(excite.com)
08:46:45 5 SMTP-196(bnmail1.botsnet.bw) *Status=26
08:46:45 4 SMTP-196(bnmail1.botsnet.bw) Sending 250
<[EMAIL PROTECTED]> sender accepted\r\n
08:46:45 5 SMTP-196(bnmail1.botsnet.bw) OT 48 of 48 bytes sent, Flags=0
08:46:45 5 SMTP-196(bnmail1.botsnet.bw) *Status=23
08:46:48 5 SYSTEM {S.0000027311} created, ref=874, nFresh=5
08:46:53 5 SMTP-196(bnmail1.botsnet.bw) Received 42 bytes
08:46:53 4 SMTP-196(bnmail1.botsnet.bw) Input Line: RCPT
TO:<[EMAIL PROTECTED]>\r
08:46:53 5 ROUTER Input: andrzej(platon.c.u-tokyo.ac.jp)
08:46:53 5 ROUTER Parser: [EMAIL PROTECTED] ->
andrzej(platon.c.u-tokyo.ac.jp)
08:46:53 5 ROUTER Input: andrzej()
08:46:53 5 ROUTER Parser: andrzej -> andrzej()
08:46:53 5 SMTP-196(bnmail1.botsnet.bw) *Status=33
08:46:53 4 SMTP-196(bnmail1.botsnet.bw) Sending 250
<[EMAIL PROTECTED]> recipient accepted\r\n
08:46:53 5 SMTP-196(bnmail1.botsnet.bw) OT 57 of 57 bytes sent, Flags=0
08:46:53 5 SMTP-196(bnmail1.botsnet.bw) *Status=23
08:46:58 5 SMTP-196(bnmail1.botsnet.bw) Received 6 bytes
08:46:58 4 SMTP-196(bnmail1.botsnet.bw) Input Line: DATA\r
08:46:58 4 SMTP-196(bnmail1.botsnet.bw) Sending 354 Enter mail, end
with "." on a line by itself\r\n
08:46:58 5 SMTP-196(bnmail1.botsnet.bw) OT 50 of 50 bytes sent, Flags=0
08:46:58 5 SMTP-196(bnmail1.botsnet.bw) *Status=27
08:47:01 5 SMTP-196(bnmail1.botsnet.bw) Received 2920 bytes
08:47:02 5 SMTP-196(bnmail1.botsnet.bw) Received 1460 bytes
08:47:02 5 SMTP-196(bnmail1.botsnet.bw) Received 1460 bytes
08:47:02 5 SMTP-196(bnmail1.botsnet.bw) Received 1460 bytes
08:47:02 5 SMTP-196(bnmail1.botsnet.bw) Received 1460 bytes
08:47:02 5 SMTP-196(bnmail1.botsnet.bw) Writing 8192 byte at 0
08:47:02 5 SMTP-196(bnmail1.botsnet.bw) Received 956 bytes
08:47:02 5 SMTP-196(bnmail1.botsnet.bw) Writing 1679 byte at 8192
08:47:02 5 SMTP-196(bnmail1.botsnet.bw) *Status=28
08:47:02 2 SMTP-196(bnmail1.botsnet.bw) {S.0000027305} received, 9871
bytes
08:47:02 4 SMTP-196(bnmail1.botsnet.bw) Sending 250 S.0000027305 message
accepted for delivery\r\n
08:47:02 5 SMTP-196(bnmail1.botsnet.bw) OT 48 of 48 bytes sent, Flags=0
08:47:02 5 SMTP-196(bnmail1.botsnet.bw) *Status=22
08:47:02 5 SYSTEM Scanning {S.0000027305}
08:47:02 5 SYSTEM Line Read: P I 08-08-2001 23:46:45 0000 excite.com
HomeRevenue57
08:47:02 5 SYSTEM Line Read: R W 08-08-2001 23:46:53 0000
platon.c.u-tokyo.ac.jp andrzej
08:47:02 5 ROUTER Input: andrzej(platon.c.u-tokyo.ac.jp)
08:47:02 5 ROUTER Parser: [EMAIL PROTECTED] ->
andrzej(platon.c.u-tokyo.ac.jp)
08:47:02 5 ROUTER Input: andrzej()
08:47:02 5 ROUTER Parser: andrzej -> andrzej()
08:47:02 5 SYSTEM Line Read:
08:47:02 5 SYSTEM Line Read: Received: from bnmail1.botsnet.bw
([168.167.71.132] verified) by platon.c.u-tokyo.ac.jp (Stalker SMTP
Server 1.8b8) with ESMTP id S.0000027305 for <[EMAIL PROTECTED]
tokyo.ac.jp>; Thu, 09 Aug 2001 08:46:58 +0900
On Thursday, August 9, 2001, at 04:15 PM, Technical Support, Stalker
Labs wrote:
> Hello,
>
> Apparently the message was received with some other SMTP session -
> compare the time stamp in the Received header and the one in the logs.
>
> If your server has some MX backup, the spamware could have retried sending
> through that backup and succeeded that time.
>
>
> On Thu, Aug 9, 2001, 01:18:38 GMT
> Andrzej Kozlowski, <[EMAIL PROTECTED]> wrote:
>
>> Something weird. The spam below was identified as blacklisted by
>> relays.ordb.org and yet it got through! From the log it looks like it
>> was rejected, but I got it.
>>
>> Here are the message headers and the SIMS log:
>>
>> From (null)@platon.c.u-tokyo.ac.jp Thu Aug 9 09:04:42 2001
>> Return-Path: [EMAIL PROTECTED]
>> Received: from bnmail1.botsnet.bw ([168.167.71.132] verified) by
>> platon.c.u-tokyo.ac.jp (Stalker SMTP Server 1.8b8) with ESMTP id
>> S.0000027305 for <[EMAIL PROTECTED]>; Thu, 09 Aug 2001
>> 08:46:58 +0900
>> Received: from bnfire1.botsnet.bw ([168.167.71.129]) by
>> bnmail1.botsnet.bw with Microsoft SMTPSVC(5.5.1877.197.19);
>> Wed, 8 Aug 2001 02:47:58 +0200
>> Message-ID: <00005bc1501f$00004957$[EMAIL PROTECTED]>
>> To: <Subscriber>
>> From: [EMAIL PROTECTED]
>> Subject:
>> [0x8E][0xFB][0x93][0xFC][0x82][0xCD][0x8E]v[0x82][0xA2][0x82][0xCC]
>> [0x82]
>> [0xDC][0x82][0xDC]!
>> [0x82][0xB3][0x82][0xE7][0x82][0xC9][0x82][0xED][0x82][0xAD][0x82]
>> [0xED]
>> [0x82][0xAD][0x83]h[0x83]L[0x83]h[0x83]L[0x82][0xCC][0x83]o[0x83]J
>> [0x83]
>> [0x93][0x83]X[0x82][0xDC][0x82][0xC5][0x82][0xC2][0x82][0xA2][0x82]
>> [0xC4]
>> [0x82][0xAD][0x82][0xE9]! 22427
>> Date: Tue, 07 Aug 2001 19:48:17 -1700
>> MIME-Version: 1.0
>> Content-Type: text/html;
>> charset="iso-8859-1"
>> Content-Transfer-Encoding: quoted-printable
>> X-Priority: 3
>> X-MSMail-Priority: Normal
>> Reply-To: [EMAIL PROTECTED]
>> Return-Path: [EMAIL PROTECTED]
>>
>>
>> :08:29 4 SMTP Line 3195 created for answering
>> 04:08:29 4 SMTP-195() Got connection from [168.167.71.132:1267]
>> 04:08:29 4 SMTP(tcp) Connection accepted from [168.167.71.132:1267],
>> seq=1027, 13/14
>> 04:08:29 4 SMTP-195([168.167.71.132]) Sending 220-Stalker Internet Mail
>> Server V.1.8b8 is ready.\r\n220 ESMTP is spoken here. You are
>> welcome\r\n
>> 04:08:29 5 SMTP-195([168.167.71.132]) OT 95 of 95 bytes sent, Flags=0
>> 04:08:29 5 SMTP-195([168.167.71.132]) *Status=34
>> 04:08:29 4 SMTP-195([168.167.71.132]) Looking for
>> 132.71.167.168.relays.ordb.org
>> 04:08:29 1 SMTP-195([168.167.71.132]) SPAM? Host is blacklisted per RBL
>> relays.ordb.org with result [127.0.0.2]
>> 04:08:29 5 SMTP-195([168.167.71.132]) *Status=22
>> 04:08:31 5 SMTP-195([168.167.71.132]) Received 25 bytes
>> 04:08:31 4 SMTP-195([168.167.71.132]) Input Line: EHLO
>> bnmail1.botsnet.bw\r
>> 04:08:31 5 SMTP-195([168.167.71.132]) *Status=21
>> 04:08:31 4 SMTP-195(bnmail1.botsnet.bw) Looking for bnmail1.botsnet.bw
>> 04:08:31 4 SMTP-195(bnmail1.botsnet.bw) Sending 250-platon.c.u-
>> tokyo.ac.jp is pleased to meet
>> you\r\n250-HELP\r\n250-PIPELINING\r\n250-ETRN\r\n250 EHLO\r\n
>> 04:08:31 5 SMTP-195(bnmail1.botsnet.bw) OT 97 of 97 bytes sent, Flags=0
>> 04:08:31 5 SMTP-195(bnmail1.botsnet.bw) *Status=22
>> 04:08:36 5 SMTP-195(bnmail1.botsnet.bw) Received 38 bytes
>> 04:08:36 4 SMTP-195(bnmail1.botsnet.bw) Input Line: MAIL
>> FROM:<[EMAIL PROTECTED]>\r
>> 04:08:36 5 SMTP-195(bnmail1.botsnet.bw) *Status=25
>> 04:08:36 5 SYSTEM {S.0000027304} in work, ref=814, nFresh=4
>> 04:08:36 5 ROUTER Input: HomeRevenue57(excite.com)
>> 04:08:36 5 ROUTER Parser: [EMAIL PROTECTED] ->
>> HomeRevenue57(excite.com)
>> 04:08:36 5 SMTP-195(bnmail1.botsnet.bw) *Status=26
>> 04:08:37 4 SMTP-195(bnmail1.botsnet.bw) Sending 250
>> <[EMAIL PROTECTED]> sender accepted\r\n
>> 04:08:37 5 SMTP-195(bnmail1.botsnet.bw) OT 48 of 48 bytes sent, Flags=0
>> 04:08:37 5 SMTP-195(bnmail1.botsnet.bw) *Status=23
>> 04:08:38 5 SMTP-195(bnmail1.botsnet.bw) Received 42 bytes
>> 04:08:38 4 SMTP-195(bnmail1.botsnet.bw) Input Line: RCPT
>> TO:<[EMAIL PROTECTED]>\r
>> 04:08:38 5 ROUTER Input: andrzej%platon.c.u-tokyo.ac.jp(Blacklisted)
>> 04:08:38 5 ROUTER Parser: andrzej%platon.c.u-tokyo.ac.jp@Blacklisted ->
>> andrzej%platon.c.u-tokyo.ac.jp(Blacklisted)
>> 04:08:38 1 SMTP-195(bnmail1.botsnet.bw) SPAM? Recipient
>> '<[EMAIL PROTECTED]>' rejected: sending host is
>> blacklisted, "See <http://www.ordb.org/> for more information."
>> 04:08:38 4 SMTP-195(bnmail1.botsnet.bw) Sending 591 No mail will be
>> accepted. Your host is in a Black List. See <http://www.ordb.org/> for
>> more information.\r\n
>> 04:08:38 5 SMTP-195(bnmail1.botsnet.bw) OT 110 of 110 bytes sent,
>> Flags=0
>> 04:08:39 5 SYSTEM {S.0000027310} created, ref=758, nFresh=5
>> 04:08:39 5 SMTP-195(bnmail1.botsnet.bw) Received 6 bytes
>> 04:08:39 4 SMTP-195(bnmail1.botsnet.bw) Input Line: QUIT\r
>> 04:08:39 5 SMTP-195(bnmail1.botsnet.bw) *Status=29
>> 04:08:40 4 SMTP-195(bnmail1.botsnet.bw) Sending 221 platon.c.u-
>> tokyo.ac.jp closing connection\r\n
> [skipped]
>
>
> Best regards,
> Dmitry Akindinov
>
> =======================================================================
> When answering to letters sent to you by the tech.support staff, make
> sure the original message you have received is included into your reply.
>
Andrzej Kozlowski
Toyama International University
JAPAN
http://platon.c.u-tokyo.ac.jp/andrzej/
#############################################################
This message is sent to you because you are subscribed to
the mailing list <[EMAIL PROTECTED]>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
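An added example, not from the thread and not Stalker Labs code: a small Python parser for SIMS log lines of the kind quoted above. It groups the RBL lookups by SMTP session, checks that each query name is the connecting address with its octets reversed, and reports which sessions were accepted without any logged listing. The sample lines are constructed from the two quoted sessions, and the regular expressions assume the log format shown in the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines from the two SIMS sessions quoted in the thread, unwrapped.
SAMPLE_LOG = """\
04:08:29 4 SMTP-195([168.167.71.132]) Looking for 132.71.167.168.relays.ordb.org
04:08:29 1 SMTP-195([168.167.71.132]) SPAM? Host is blacklisted per RBL relays.ordb.org with result [127.0.0.2]
08:46:27 4 SMTP-196([168.167.71.132]) Looking for 132.71.167.168.relays.ordb.org
08:46:28 4 SMTP-196([168.167.71.132]) Looking for 132.71.167.168.relays.osirusoft.com
08:47:02 4 SMTP-196(bnmail1.botsnet.bw) Sending 250 S.0000027305 message accepted for delivery
"""

LOOKUP_RE = re.compile(r"SMTP-(\d+)\(\[([\d.]+)\]\) Looking for (\S+)")
HIT_RE = re.compile(r"SMTP-(\d+)\(\[[\d.]+\]\) SPAM\? Host is blacklisted per RBL (\S+) with result \[([\d.]+)\]")
ACCEPT_RE = re.compile(r"SMTP-(\d+)\(\S+\) Sending 250 S\.\d+ message accepted for delivery")

@dataclass
class Session:
    ip: str
    lookups: dict = field(default_factory=dict)  # DNSBL zone -> answer, None if no listing was logged
    accepted: bool = False

def reversed_octets(ip: str) -> str:
    # DNSBL query names start with the connecting IPv4 address, octets reversed.
    return ".".join(reversed(ip.split(".")))

def parse_sessions(text: str) -> dict:
    """Group 'Looking for', 'SPAM?' and final-acceptance lines by SMTP session id."""
    sessions = {}
    for line in text.splitlines():
        if m := LOOKUP_RE.search(line):
            sid, ip, qname = m.groups()
            s = sessions.setdefault(sid, Session(ip))
            prefix = reversed_octets(ip) + "."
            if not qname.startswith(prefix):
                raise ValueError(f"session {sid}: {qname} is not a lookup for {ip}")
            s.lookups[qname[len(prefix):]] = None  # zone queried; answer filled in on a hit
        elif (m := HIT_RE.search(line)) and m.group(1) in sessions:
            sessions[m.group(1)].lookups[m.group(2)] = m.group(3)
        elif (m := ACCEPT_RE.search(line)) and m.group(1) in sessions:
            sessions[m.group(1)].accepted = True
    return sessions

def listed_zones(s: Session) -> list:
    # A 127.0.0.0/8 answer is the DNSBL convention for "listed".
    return sorted(z for z, a in s.lookups.items() if a and a.startswith("127."))

def accepted_despite_rbl(sessions: dict) -> list:
    # Accepted with no logged listing; the log cannot tell NXDOMAIN from a DNS timeout, so re-check these.
    return sorted(sid for sid, s in sessions.items() if s.accepted and not listed_zones(s))
```

Run against the two quoted sessions, both connections come from the same address, so a different sending IP is not the explanation; only the second session shows lookups with no logged listing.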