On 06/12/02 at 12:27, Robin Colgrove wrote:

> I have been running SIMS for a few years but just over the past month or 
> so started to get one or two messages a day with what looked like a 
> randomly generated (or harvested) sender and subject, with a MIME 
> attachment. I thought it was yet another stupid windows virus and did 
> not make much of it. I usually just do a bulk delete of all unread 
> messages once every few days.
> 
> Today, however, the "sender" on the message was _me_, or rather the 
> administrative account for SIMS on this machine, 
> [EMAIL PROTECTED], and this got my attention.

It's trivially easy to make the sender of a message anything you want. I've
also been getting spam lately, from a variety of sources, that uses the
recipient (i.e., some address at which I get mail) as the sender (either
the envelope sender or the 'To' address or both). I've just assumed that
it's a simple obfuscation that attempts to bypass spam filters.

> I never send mail from Postmaster, and certainly wouldn't send with the 
> subject "honey" (that came with this message) and I don't send 
> unsolicited attachments to anyone. How this spammer got the 
> Postmaster@louis address, I do not know.

Well, 'postmaster' is the only account that every SMTP server is required
to have by the RFCs. So if a spammer (or his spamware) knows that
louis.bidmc.harvard.edu is running a mail server, it's a pretty safe bet
that [EMAIL PROTECTED] is a valid address. Still, as an
aside, it's always amazed me that spammers don't cull postmaster addresses
out of their databases -- it seems to me to be a sure-fire way of drawing
attention to the spammer and getting his spewage blocked by any mail server
admin that cares at all about stopping spam. Then again, most spammers
don't seem terribly bright.

> I looked in the mail logs and the spams seemed to be associated with a 
> host called "ratree". The log looks like:
> 
> 12:08:11 0 SYSTEM The current date is Wednesday, June 12, 2002
> 12:08:11 2 SMTP-808(ratree.psu.ac.th) {S.0000085626} received, 149578 bytes
> 12:08:11 2 SYSTEM [S.0000085626] <[EMAIL PROTECTED]> 0+1 From:[EMAIL PROTECTED]
> 12:08:12 2 SYSTEM(POP) [S.0000085626] delivered to (robin)
> 12:08:12 2 SYSTEM [S.0000085626] deleted
> 
> Has anyone heard of this outfit?
> Any advice on how to respond?

APNIC's Whois says that the IP address for ratree.psu.ac.th belongs to
Prince of Songkla University in Thailand. Asian educational institutions
seem to be a favorite target for spammers looking for open relays and
proxies, probably because they're relatively lax about security. Without
looking into it further, I'd guess that ratree.psu.ac.th is either an open
relay or an open proxy which is simply being exploited by your spammer,
rather than having any actual association with him.

-- 
                   Christopher Bort | [EMAIL PROTECTED]
            Webmaster, Global Homes | [EMAIL PROTECTED]
                      <http://www.globalhomes.com/>
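The reply above makes two practical points: the sender addresses in a message (envelope and From: header) are whatever the sender chose to put there, while the host that actually connected to SIMS, recorded in the "SMTP-808(ratree.psu.ac.th)" receive line, is the one fact the log can be trusted for. The Python script below is an added example, not code from this thread, from SIMS or from Stalker; it parses log lines in the shape shown in the post, joins the receive line to the sender line by message ID, and flags messages that claim a local sender (here, the postmaster address) but arrived from a non-local host. The sample log is constructed: the first message reproduces the post's excerpt with the redacted addresses filled in as postmaster@louis.bidmc.harvard.edu (assumption), and a second, harmless message from a hypothetical mail.example.org is added for contrast. Reading the bracketed address as the envelope sender and the list of local domains are both assumptions, not documented SIMS behaviour.

```python
import re
from collections import defaultdict

# Constructed sample log in the format shown in the post. The first message is
# the post's excerpt with assumed addresses; the second is a hypothetical,
# legitimate message added for contrast.
SAMPLE_LOG = """\
12:08:11 0 SYSTEM The current date is Wednesday, June 12, 2002
12:08:11 2 SMTP-808(ratree.psu.ac.th) {S.0000085626} received, 149578 bytes
12:08:11 2 SYSTEM [S.0000085626] <postmaster@louis.bidmc.harvard.edu> 0+1 From:postmaster@louis.bidmc.harvard.edu
12:08:12 2 SYSTEM(POP) [S.0000085626] delivered to (robin)
12:08:12 2 SYSTEM [S.0000085626] deleted
12:09:40 2 SMTP-809(mail.example.org) {S.0000085627} received, 2048 bytes
12:09:40 2 SYSTEM [S.0000085627] <alice@example.org> 0+1 From:alice@example.org
12:09:41 2 SYSTEM(POP) [S.0000085627] delivered to (robin)
"""

# Assumption: the domains this server considers its own. Mail claiming one of
# these as sender should normally originate from a host inside them.
LOCAL_DOMAINS = {"louis.bidmc.harvard.edu"}

# Receive line: session id, connecting host in parentheses, message id in braces.
RECEIVED_RE = re.compile(
    r"^\S+ \d+ SMTP-\d+\((?P<host>[^)]+)\) \{(?P<mid>S\.\d+)\} received, (?P<bytes>\d+) bytes$"
)
# Sender line: message id in brackets, an address in angle brackets (assumed to
# be the envelope sender), and the From: header address.
SENDER_RE = re.compile(
    r"^\S+ \d+ SYSTEM \[(?P<mid>S\.\d+)\] <(?P<env>[^>]*)> \S+ From:(?P<hdr>\S+)$"
)


def parse_sims_log(text):
    """Join receive and sender lines by message id into one record per message."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            msgs[m["mid"]].update(host=m["host"], size=int(m["bytes"]))
            continue
        m = SENDER_RE.match(line)
        if m:
            msgs[m["mid"]].update(envelope=m["env"], header_from=m["hdr"])
    return dict(msgs)


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def is_local_host(hostname):
    h = hostname.lower()
    return any(h == d or h.endswith("." + d) for d in LOCAL_DOMAINS)


def find_spoofed(msgs):
    """Return (message id, connecting host, field, address) for every sender
    address that claims a local domain on a message delivered by a non-local host."""
    flagged = []
    for mid, info in msgs.items():
        host = info.get("host")
        if host is None or is_local_host(host):
            continue
        for field in ("envelope", "header_from"):
            addr = info.get(field)
            if addr and domain_of(addr) in LOCAL_DOMAINS:
                flagged.append((mid, host, field, addr))
    return flagged


if __name__ == "__main__":
    for mid, host, field, addr in find_spoofed(parse_sims_log(SAMPLE_LOG)):
        print(f"{mid}: {field} claims {addr} but was received from {host}")
```

On the sample, only S.0000085626 is reported, for both the envelope and the From: address, with ratree.psu.ac.th as the delivering host; the address is what to distrust and the host is what to take to Whois or a block list, which is the order of investigation the reply above follows.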

#############################################################
This message is sent to you because you are subscribed to
  the mailing list <[EMAIL PROTECTED]>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>