From: Jason Heiser [mailto:[EMAIL PROTECTED]
> Subject: Re: Spamtrap detectors?
>
> I have a wildcard for my domain ([EMAIL PROTECTED]) and I've received
> three of these today. Here's an example of one:
>
> > Return-Path: <[EMAIL PROTECTED]>
> > Received: from murder ([unix socket])
> >   by kubrick.heiser.org (Cyrus v2.2.12-OS X 10.3) with LMTPA;
> >   Mon, 19 Feb 2007 17:46:29 -0600
> > X-Sieve: CMU Sieve 2.2
> > Received: from localhost (localhost [127.0.0.1])
> >   by kubrick.heiser.org (Postfix) with ESMTP id BB3E3278BE5
> >   for <[EMAIL PROTECTED]>; Mon, 19 Feb 2007 23:46:28 +0000 (GMT)
> > X-Virus-Scanned: amavisd-new at heiser.org
> > X-Spam-Score: 0
> > X-Spam-Level:
> > X-Spam-Status: No, score=0 required=5 tests=[none]
> > Received: from kubrick.heiser.org ([127.0.0.1])
> >   by localhost (kubrick.heiser.org [127.0.0.1]) (amavisd-new, port 10024)
> >   with ESMTP id FcwCXEyXZqMa for <[EMAIL PROTECTED]>;
> >   Mon, 19 Feb 2007 17:46:20 -0600 (CST)
> > Received: from beta.gntech.pl (unknown [82.114.186.89])
> >   by kubrick.heiser.org (Postfix) with ESMTP id F0265278BD6
> >   for <[EMAIL PROTECTED]>; Mon, 19 Feb 2007 17:46:18 -0600 (CST)
> > Received: from rccchurch.org (HELO rccchurch.org) ([66.84.15.246])
> >   by t5sc9.rccchurch.org with ESMTP id ; Fri, 9 Sep 2005 13:52:51 -0180
> > Received: from pb.dmu.ac.uk ([124.132.49.137])
> >   by x1gpo.dna.com.br (Sun Java System Messaging Server 6.1 HotFix 0.07
> >   (built Jul 9 2006)) with ESMTP id <[EMAIL PROTECTED]> for
> >   [EMAIL PROTECTED]; Fri, 9 Sep 2005 13:52:51 -0180 (IST)
> > Date: Fri, 9 Sep 2005 13:52:51 -0180
> > From: "Leighna Hordatt" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Subject: Leighna.
> > Message-ID: <[EMAIL PROTECTED]>
> > MIME-Version: 1.0
> > Content-Type: text/plain; charset="us-ascii"
> > Content-Transfer-Encoding: quoted-printable
> >
> > Hi
> > How are you ? Call me.
> > activities
> > Poor you, i don't even think how much spam you are recive.
> > Gervasio said her
> > 6D7174796A6E6A6D6E6A33776A716E727368456A7877746C
>
> So the prevailing theory is that these messages are attempts to find
> domains that can be abused for sender address forgery? I wonder how
> these wretched villains (spammers) are tracking this. Do you think
> they're sitting on compromised mail servers and earmarking domains
> from which they receive "250 OK" for obviously non-existent e-mail
> addresses?
Right. My own thought about these messages is that they carry unique content, so the spammers may just wait for a bounce message. They could eventually remove from their lists the servers for which they got a bounce, because the message is very short and can easily fit in a DSN (with its unique code). Messages not triggering a DSN may easily be either wildcarded or misconfigured, which means the domains they host may be used for From: forgery and/or they may be inspected to see if they can act as open proxies; you never know... I did let these messages in and reported them to dcc, razor, pyzor and spamcop. When the flow stopped, I simply removed the catchthismail@ wildcard from my MXes. If they are going to forge addresses from one of my domains, they would get surprised... :)

Giampaolo

> Jason Heiser
> HEISER.ORG POSTMASTER
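Added here as a defender's illustration of the probe traits discussed in this thread (example code, not from either poster): a small Python filter that flags a Date header far from the receiving MX's own Received stamp, the malformed `-0180` zone offset, and the bare hex tracking token in a tiny body. The sample message is constructed with placeholder hosts and addresses.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the probe quoted above (placeholder hosts and
# addresses); note the stale Date and the impossible "-0180" zone offset.
SAMPLE = """\
Received: from mx.example.net (unknown [192.0.2.10]) by mail.example.org
  (Postfix) with ESMTP id F0265278BD6; Mon, 19 Feb 2007 17:46:18 -0600 (CST)
Received: from relay.example.com ([198.51.100.7]); Fri, 9 Sep 2005 13:52:51 -0180
Date: Fri, 9 Sep 2005 13:52:51 -0180
From: "Leighna Hordatt" <leighna@example.com>
To: <catchall@example.org>
Subject: Leighna.

Hi
How are you ? Call me.
Gervasio said her
6D7174796A6E6A6D6E6A33776A716E727368456A7877746C
"""

HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]{24,}$")
NUMERIC_ZONE = re.compile(r"\s[+-]\d{2}(\d{2})\s*(?:\([A-Z]+\))?$")

def bad_tz_offset(date_value):
    """True when the numeric zone's minutes field is 60 or more (e.g. -0180)."""
    m = NUMERIC_ZONE.search(date_value.strip())
    return bool(m) and int(m.group(1)) >= 60

def probe_indicators(raw_message):
    """Return the probe traits found: date-skew, bad-tz, hex-token."""
    msg = email.message_from_string(raw_message)
    stamps = [r.rsplit(";", 1)[-1] for r in msg.get_all("Received") or []]
    hits = []
    # Only the topmost Received line (stamped by our own MX) is trusted; a
    # Date header more than 30 days from it is a recycled, stale date.
    if stamps and msg["Date"]:
        skew = parsedate_to_datetime(stamps[0]) - parsedate_to_datetime(msg["Date"])
        if abs(skew.days) > 30:
            hits.append("date-skew")
    # Malformed zone offsets show up in the forged part of the header chain.
    if any(bad_tz_offset(s) for s in stamps + [msg["Date"] or ""]):
        hits.append("bad-tz")
    # A bare hex token in a tiny body is the per-message tracking code that
    # would come back verbatim inside a bounce (DSN).
    lines = [l.strip() for l in msg.get_payload().splitlines() if l.strip()]
    if len(lines) <= 8 and any(HEX_TOKEN.match(l) for l in lines):
        hits.append("hex-token")
    return hits
```

Any of these hits alone is weak evidence; together they single out the probes without touching ordinary short messages, and the real fix remains rejecting unknown recipients at SMTP time instead of accepting everything for the domain.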