[Intrusions] Weird spam message headers

Scott Fendley scottf at uark.edu
Thu Dec 23 08:51:20 GMT 2004 

Sun Java System Messaging Server, if i remember correctly, is 
the  replacement for the Iplanet Messaging Server.  We have been using the 
iplanet messaging Server for a number of years. One of the features of the 
messaging server is that it allows you to run smtp, imap, pop3, and 
http/webmail based access to email in one package.  I did a massive search 
through all of the email i have received in the past 3 years and only had 
26 hits.   The vast majority of these came from a mailing list from Sun 
systems admin mailing list and a few other Univs that have moved on to the 
new version.  It appears that sun moved to this server during the summer at 
some non-US research sites .  The remainder were a few spams like what you 
have seen.

but that is not many overall.  I would suspect that the spammers are 
breaking passwords on systems running this software, and then relaying 
their spam through...but don't know for sure that this is the case.

Wish I could help you more.


At 10:04 PM 12/21/2004, broyds at rogers.com wrote:
>  I have received a number of blank email messages (just headers, but no 
> explicit
>To: address) today that all seem to have a common thread.
>The have the Received line immediately before the Trojaned ADSL host that sent
>them to my ISP with this in line (although ID differs, it is of similar 
>format):
>
>(Sun Java System Messaging Server 6.1 HotFix 0.01
>  (built Jun 24 2004)) with ESMTP id <0U6K00S[6
>
>
>Does anyone know what this server is and what security problems it has?
>
>
>Here are some header sets (actual delivery address blanked out):
>=========================================================================
>-Apparently-To: xxxx at rogers.com via 206.190.37.207; Tue, 21 Dec 2004 14:48:23
>-0800
>X-YahooFilteredBulk: 168.226.90.41
>Authentication-Results: mta100.rog.mail.re2.yahoo.com
>   domainkeys=neutral (no sig)
>X-Originating-IP: [168.226.90.41]
>Return-Path: <lwogrt at omninet.net.cy>
>Received: from 168.226.90.41  (HELO 168-226-90-41.speedy.com.ar) 
>(168.226.90.41)
>   by mta100.rog.mail.re2.yahoo.com with SMTP; Tue, 21 Dec 2004 14:48:20 -0800
>Received: from caspian.sy163.net ([194.149.10.28])
>  by confectionery.sy163.net (Sun Java System Messaging Server 6.1 HotFix 0.01
>  (built Jun 24 2004)) with ESMTP id <0U6K00S[6
>
>========================================================================
>X-Apparently-To: xxxx at rogers.com via 206.190.37.233; Tue, 21 Dec 2004 10:56:54
>-0800
>Authentication-Results: mta103.rog.mail.re2.yahoo.com
>   domainkeys=neutral (no sig)
>X-Originating-IP: [200.120.40.25]
>Return-Path: <cecvpkupulskfr at ffis.com>
>Received: from 200.120.40.25  (HELO CM128-lflo0-40-25.cm.vtr.net)
>(200.120.40.25)
>   by mta103.rog.mail.re2.yahoo.com with SMTP; Tue, 21 Dec 2004 10:56:51 -0800
>Received: from caper.pakistan.com ([63.250.0.6])
>  by sophoclean.pakistan.com (Sun Java System Messaging Server 6.1 HotFix 0.01
>  (built Jun 24 2004)) with ESMTP id <0C4A00P[6
>
>================================================================================
>=
>X-Apparently-To: XXXX at rogers.com via 206.190.37.209; Tue, 21 Dec 2004 15:41:04
>-0800
>X-YahooFilteredBulk: 201.133.202.17
>Authentication-Results: mta109.rog.mail.re2.yahoo.com
>   domainkeys=neutral (no sig)
>X-Originating-IP: [201.133.202.17]
>Return-Path: <hxinttlm at bisons.com>
>Received: from 201.133.202.17  (HELO
>customer-201-133-202-17.prod-infinitum.com.mx) (201.133.202.17)
>   by mta109.rog.mail.re2.yahoo.com with SMTP; Tue, 21 Dec 2004 15:41:03 -0800
>Received: from attention.gol.ge ([216.157.146.64])
>  by whippany.gol.ge (Sun Java System Messaging Server 6.1 HotFix 0.01
>  (built Jun 24 2004)) with ESMTP id <0I2S00I[6
>
>================================================================================
>==
>X-Apparently-To: XXXX at rogers.com via 206.190.37.232; Tue, 21 Dec 2004 14:47:40
>-0800
>X-YahooFilteredBulk: 200.95.48.60
>Authentication-Results: mta105.rog.mail.re2.yahoo.com
>   domainkeys=neutral (no sig)
>X-Originating-IP: [200.95.48.60]
>Return-Path: <lwogrt at omninet.net.cy>
>Received: from 200.95.48.60  (HELO dsl-200-95-48-60.prod-infinitum.com.mx)
>(200.95.48.60)
>   by mta105.rog.mail.re2.yahoo.com with SMTP; Tue, 21 Dec 2004 14:47:40 -0800
>Received: from caspian.sy163.net ([194.149.10.28])
>  by confectionery.sy163.net (Sun Java System Messaging Server 6.1 HotFix 0.01
>  (built Jun 24 2004)) with ESMTP id <0U6K00S[6
>
>
>_______________________________________________
>Intrusions mailing list
>Intrusions at lists.sans.org
>http://www.dshield.org/mailman/listinfo/intrusions

More information about the Intrusions mailing list