[Dshield] PDF Spam Take #2

jayjwa jayjwa at atr2.ath.cx
Sun Nov 4 20:31:31 GMT 2007



This flurry showed up today after being clear of this stuff for weeks now. At 
least this time they are spoofing my main host.

...

Nov  4 15:11:20 atr2 sm-mta[1408]: NOQUEUE: connect from relay02.mail-hub.dodo.com.au [202.136.32.45]
Nov  4 15:11:20 atr2 sm-mta[1408]: lA4KBKFq001408: Milter (milter-regex): init success to negotiate
Nov  4 15:11:20 atr2 sm-mta[1408]: lA4KBKFq001408: Milter: connect to filters
Nov  4 15:11:24 atr2 sm-mta[1408]: lA4KBKFq001408: milter=milter-regex, action=mail, discard
Nov  4 15:11:24 atr2 sm-mta[1408]: lA4KBKFq001408: Milter: from=<>, discard
Nov  4 15:11:25 atr2 sm-mta[1408]: lA4KBKFq001408: from=<>, size=2279, class=0, nrcpts=1, msgid=<E1IolNr-0004JY-0J at mail01.mail-hub.dodo.com.au>, proto=ESMTP, daemon=MTA, relay=relay02.mail-hub.dodo.com.au [202.136.32.45]
Nov  4 15:11:25 atr2 sm-mta[1408]: lA4KBKFq001408: Milter accept: message
Nov  4 15:11:25 atr2 sm-mta[1408]: lA4KBKFq001408: to=<meredith at atr2.ath.cx>, delay=00:00:01, pri=32279, stat=discarded

Nov  4 15:11:26 atr2 sm-mta[1409]: NOQUEUE: connect from lcwebserver.com [74.86.106.210] (may be forged)
Nov  4 15:11:26 atr2 sm-mta[1409]: lA4KBQGw001409: Milter (milter-regex): init success to negotiate
Nov  4 15:11:26 atr2 sm-mta[1409]: lA4KBQGw001409: Milter: connect to filters
Nov  4 15:11:30 atr2 sm-mta[1409]: lA4KBQGw001409: milter=milter-regex, action=mail, discard
Nov  4 15:11:30 atr2 sm-mta[1409]: lA4KBQGw001409: Milter: from=<>, discard
Nov  4 15:11:30 atr2 sm-mta[1409]: lA4KBQGw001409: to=<uncles at atr2.ath.cx>, delay=00:00:00, pri=0, stat=aborted by sender
Nov  4 15:11:30 atr2 sm-mta[1409]: lA4KBQGw001409: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=lcwebserver.com [74.86.106.210] (may be forged)

Nov  4 15:11:32 atr2 sm-mta[1414]: NOQUEUE: connect from mail.wescanric.org [66.160.44.212] (may be forged)
Nov  4 15:11:32 atr2 sm-mta[1414]: lA4KBWdi001414: Milter (milter-regex): init success to negotiate
Nov  4 15:11:32 atr2 sm-mta[1414]: lA4KBWdi001414: Milter: connect to filters
Nov  4 15:11:36 atr2 sm-mta[1414]: lA4KBWdi001414: milter=milter-regex, action=mail, discard
Nov  4 15:11:36 atr2 sm-mta[1414]: lA4KBWdi001414: Milter: from=<>, discard
Nov  4 15:11:36 atr2 sm-mta[1414]: lA4KBWdi001414: from=<>, size=2646, class=0, nrcpts=1, msgid=<000601c81f1e$87d9ffb0$acdb0553 at koupcnaa328zv8>, proto=ESMTP, daemon=MTA, relay=mail.wescanric.org [66.160.44.212] (may be forged)
Nov  4 15:11:36 atr2 sm-mta[1414]: lA4KBWdi001414: Milter accept: message
Nov  4 15:11:36 atr2 sm-mta[1414]: lA4KBWdi001414: to=<waleskaValdez at atr2.ath.cx>, delay=00:00:00, pri=32646, stat=discarded

Nov  4 15:11:37 atr2 sm-mta[1413]: NOQUEUE: connect from 2163.claytonsd.k12.wi.us [64.33.162.67]
Nov  4 15:11:37 atr2 sm-mta[1413]: lA4KBb6m001413: Milter (milter-regex): init success to negotiate
Nov  4 15:11:37 atr2 sm-mta[1413]: lA4KBb6m001413: Milter: connect to filters

Nov  4 15:11:40 atr2 sm-mta[1416]: NOQUEUE: connect from 2163.claytonsd.k12.wi.us [64.33.162.67]
Nov  4 15:11:40 atr2 sm-mta[1416]: lA4KBeir001416: Milter (milter-regex): init success to negotiate
Nov  4 15:11:40 atr2 sm-mta[1416]: lA4KBeir001416: Milter: connect to filters
Nov  4 15:11:41 atr2 sm-mta[1413]: lA4KBb6m001413: milter=milter-regex, action=mail, discard
Nov  4 15:11:41 atr2 sm-mta[1413]: lA4KBb6m001413: Milter: from=<>, discard
Nov  4 15:11:42 atr2 sm-mta[1413]: lA4KBb6m001413: from=<>, size=1253, class=0, nrcpts=1, msgid=<fc.000f8322009e80593b9aca00e53bde99.9e805a at claytonsd.k12.wi.us>, proto=ESMTP, daemon=MTA, relay=2163.claytonsd.k12.wi.us [64.33.162.67]
Nov  4 15:11:42 atr2 sm-mta[1413]: lA4KBb6m001413: Milter accept: message
Nov  4 15:11:42 atr2 sm-mta[1413]: lA4KBb6m001413: to=<fawen at atr2.ath.cx>, delay=00:00:01, pri=31253, stat=discarded
Nov  4 15:11:43 atr2 sm-mta[1416]: lA4KBeir001416: milter=milter-regex, action=mail, discard
Nov  4 15:11:43 atr2 sm-mta[1416]: lA4KBeir001416: Milter: from=<>, discard
Nov  4 15:11:44 atr2 sm-mta[1416]: lA4KBeir001416: from=<>, size=1254, class=0, nrcpts=1, msgid=<fc.000f8322009e805b3b9aca000e10e809.9e805c at claytonsd.k12.wi.us>, proto=ESMTP, daemon=MTA, relay=2163.claytonsd.k12.wi.us [64.33.162.67]
Nov  4 15:11:44 atr2 sm-mta[1416]: lA4KBeir001416: Milter accept: message
Nov  4 15:11:44 atr2 sm-mta[1416]: lA4KBeir001416: to=<pappada at atr2.ath.cx>, delay=00:00:01, pri=31254, stat=discarded

Nov  4 15:12:10 atr2 sm-mta[1419]: NOQUEUE: connect from anchor-bounce-1.mail.thus.net [194.217.242.94]
Nov  4 15:12:10 atr2 sm-mta[1419]: lA4KCAsR001419: Milter (milter-regex): init success to negotiate
Nov  4 15:12:10 atr2 sm-mta[1419]: lA4KCAsR001419: Milter: connect to filters
Nov  4 15:12:14 atr2 sm-mta[1419]: lA4KCAsR001419: milter=milter-regex, action=mail, discard
Nov  4 15:12:14 atr2 sm-mta[1419]: lA4KCAsR001419: Milter: from=<>, discard
Nov  4 15:12:15 atr2 sm-mta[1419]: lA4KCAsR001419: from=<>, size=3770, class=0, nrcpts=1, msgid=<jUDhpjdiC0003c102 at rlserver.rldomain.local>, proto=ESMTP, daemon=MTA, relay=anchor-bounce-1.mail.thus.net [194.217.242.94]
Nov  4 15:12:15 atr2 sm-mta[1419]: lA4KCAsR001419: Milter accept: message
Nov  4 15:12:15 atr2 sm-mta[1419]: lA4KCAsR001419: to=<Hemel at atr2.ath.cx>, delay=00:00:01, pri=33770, stat=discarded

Nov  4 15:12:42 atr2 sm-mta[1427]: NOQUEUE: connect from mail.lesiteimmobilier.com [193.47.141.155]
Nov  4 15:12:42 atr2 sm-mta[1427]: lA4KCgOs001427: Milter (milter-regex): init success to negotiate
Nov  4 15:12:42 atr2 sm-mta[1427]: lA4KCgOs001427: Milter: connect to filters
Nov  4 15:12:46 atr2 sm-mta[1427]: lA4KCgOs001427: milter=milter-regex, action=mail, discard
Nov  4 15:12:46 atr2 sm-mta[1427]: lA4KCgOs001427: Milter: from=<>, discard
Nov  4 15:12:47 atr2 sm-mta[1427]: lA4KCgOs001427: from=<>, size=3316, class=0, nrcpts=1, msgid=<YCPStmdry00051856 at 4400-1.lesiteimmobilier.com>, proto=ESMTP, daemon=MTA, relay=mail.lesiteimmobilier.com [193.47.141.155]
Nov  4 15:12:47 atr2 sm-mta[1427]: lA4KCgOs001427: Milter accept: message
Nov  4 15:12:47 atr2 sm-mta[1427]: lA4KCgOs001427: to=<Hurrellkohma at atr2.ath.cx>, delay=00:00:01, pri=33316, stat=discarded

Nov  4 15:13:46 atr2 sm-mta[1442]: NOQUEUE: connect from barracuda.comstockhomebuilding.com [209.8.22.3] (may be forged)
Nov  4 15:13:46 atr2 sm-mta[1442]: lA4KDkgS001442: Milter (milter-regex): init success to negotiate
Nov  4 15:13:46 atr2 sm-mta[1442]: lA4KDkgS001442: Milter: connect to filters
Nov  4 15:13:50 atr2 sm-mta[1442]: lA4KDkgS001442: milter=milter-regex, action=mail, discard
Nov  4 15:13:50 atr2 sm-mta[1442]: lA4KDkgS001442: Milter: from=<>, discard
Nov  4 15:13:50 atr2 sm-mta[1442]: lA4KDkgS001442: from=<>, size=2527, class=0, nrcpts=1, msgid=<20071104195340.F39E6200009A at baracuda.comstockhomebuilding.com>, proto=ESMTP, daemon=MTA, relay=barracuda.comstockhomebuilding.com [209.8.22.3] (may be forged)
Nov  4 15:13:50 atr2 sm-mta[1442]: lA4KDkgS001442: Milter accept: message
Nov  4 15:13:50 atr2 sm-mta[1442]: lA4KDkgS001442: to=<Veihl at atr2.ath.cx>, delay=00:00:00, pri=32527, stat=discarded

Nov  4 15:13:59 atr2 sm-mta[1440]: NOQUEUE: connect from [195.230.86.89]
Nov  4 15:13:59 atr2 sm-mta[1440]: lA4KDxhw001440: Milter (milter-regex): init success to negotiate
Nov  4 15:13:59 atr2 sm-mta[1440]: lA4KDxhw001440: Milter: connect to filters
Nov  4 15:14:03 atr2 sm-mta[1440]: lA4KDxhw001440: milter=milter-regex, action=mail, discard
Nov  4 15:14:03 atr2 sm-mta[1440]: lA4KDxhw001440: Milter: from=<>, discard
Nov  4 15:14:04 atr2 sm-mta[1440]: lA4KDxhw001440: from=<>, size=3828, class=0, nrcpts=1, msgid=<vX37J6S9k00068a42 at mx2.fapmc.ru>, proto=ESMTP, daemon=MTA, relay=[195.230.86.89]
Nov  4 15:14:04 atr2 sm-mta[1440]: lA4KDxhw001440: Milter accept: message
Nov  4 15:14:04 atr2 sm-mta[1440]: lA4KDxhw001440: to=<Sebagvufn at atr2.ath.cx>, delay=00:00:01, pri=33828, stat=discarded

Nov  4 15:14:37 atr2 sm-mta[1446]: NOQUEUE: connect from service66-11-114-19.serverprovider.com [66.11.114.19] (may be forged)
Nov  4 15:14:37 atr2 sm-mta[1446]: lA4KEbIS001446: Milter (milter-regex): init success to negotiate
Nov  4 15:14:37 atr2 sm-mta[1446]: lA4KEbIS001446: Milter: connect to filters

Nov  4 15:14:39 atr2 sm-mta[1448]: NOQUEUE: connect from hpsmtp-eml15.kpnxchange.com [213.75.38.115]
Nov  4 15:14:39 atr2 sm-mta[1448]: lA4KEdT4001448: Milter (milter-regex): init success to negotiate
Nov  4 15:14:39 atr2 sm-mta[1448]: lA4KEdT4001448: Milter: connect to filters
Nov  4 15:14:40 atr2 sm-mta[1446]: lA4KEbIS001446: milter=milter-regex, action=mail, discard
Nov  4 15:14:40 atr2 sm-mta[1446]: lA4KEbIS001446: Milter: from=<>, discard
Nov  4 15:14:41 atr2 sm-mta[1446]: lA4KEbIS001446: to=<Lemmon at atr2.ath.cx>, delay=00:00:00, pri=0, stat=aborted by sender
Nov  4 15:14:41 atr2 sm-mta[1446]: lA4KEbIS001446: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=service66-11-114-19.serverprovider.com [66.11.114.19] (may be forged)
Nov  4 15:14:43 atr2 sm-mta[1448]: lA4KEdT4001448: milter=milter-regex, action=mail, discard
Nov  4 15:14:43 atr2 sm-mta[1448]: lA4KEdT4001448: Milter: from=<>, discard
Nov  4 15:14:44 atr2 sm-mta[1448]: lA4KEdT4001448: from=<>, size=3941, class=0, nrcpts=1, msgid=<EwWRXMuPh0000025a at adromi.nl>, proto=ESMTP, daemon=MTA, relay=hpsmtp-eml15.kpnxchange.com [213.75.38.115]
Nov  4 15:14:44 atr2 sm-mta[1448]: lA4KEdT4001448: Milter accept: message
Nov  4 15:14:44 atr2 sm-mta[1448]: lA4KEdT4001448: to=<Arniesaso at atr2.ath.cx>, delay=00:00:01, pri=33941, stat=discarded

...


I haven't actually seen the payload of one of these yet, but it looks like the 
PDF Spam that had my domain spoofed as the sender a few months back. Those 
hosts took the mail, then bounced it "back" to me (only I didn't send it to 
begin with).

It looks bot-sent. I'd love to see the binary for it, if anyone has collected 
one.
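The bounces described above can be pulled out of exactly these sendmail lines by keying on the queue ID and the empty envelope sender (from=<>). The following is an added example, not from the original post: the sample lines are copied from the log above, plus one constructed legitimate message (queue ID lA4KK00A001500 from mx.example.org) for contrast.

```python
# Added example (not from the post): group sendmail/milter-regex log lines by
# queue ID and report null-sender (from=<>) bounces per relaying host.
import re
from collections import defaultdict

# Sample input: lines copied from the post, plus one constructed legitimate message.
SAMPLE_LOG = """\
Nov  4 15:11:20 atr2 sm-mta[1408]: NOQUEUE: connect from relay02.mail-hub.dodo.com.au [202.136.32.45]
Nov  4 15:11:25 atr2 sm-mta[1408]: lA4KBKFq001408: from=<>, size=2279, class=0, nrcpts=1, msgid=<E1IolNr-0004JY-0J at mail01.mail-hub.dodo.com.au>, proto=ESMTP, daemon=MTA, relay=relay02.mail-hub.dodo.com.au [202.136.32.45]
Nov  4 15:11:25 atr2 sm-mta[1408]: lA4KBKFq001408: to=<meredith at atr2.ath.cx>, delay=00:00:01, pri=32279, stat=discarded
Nov  4 15:11:30 atr2 sm-mta[1409]: lA4KBQGw001409: to=<uncles at atr2.ath.cx>, delay=00:00:00, pri=0, stat=aborted by sender
Nov  4 15:11:30 atr2 sm-mta[1409]: lA4KBQGw001409: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=lcwebserver.com [74.86.106.210] (may be forged)
Nov  4 15:14:04 atr2 sm-mta[1440]: lA4KDxhw001440: from=<>, size=3828, class=0, nrcpts=1, msgid=<vX37J6S9k00068a42 at mx2.fapmc.ru>, proto=ESMTP, daemon=MTA, relay=[195.230.86.89]
Nov  4 15:14:04 atr2 sm-mta[1440]: lA4KDxhw001440: to=<Sebagvufn at atr2.ath.cx>, delay=00:00:01, pri=33828, stat=discarded
Nov  4 15:20:00 atr2 sm-mta[1500]: lA4KK00A001500: from=<alice at example.org>, size=812, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.org [198.51.100.7]
Nov  4 15:20:00 atr2 sm-mta[1500]: lA4KK00A001500: to=<bob at atr2.ath.cx>, delay=00:00:00, pri=30812, stat=Sent
"""

LINE_RE = re.compile(r"^\S+\s+\d+ \d\d:\d\d:\d\d \S+ sm-mta\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>, size=(?P<size>\d+),.*relay=(?P<relay>.+?)(?P<forged> \(may be forged\))?$")
TO_RE = re.compile(r"^to=<(?P<rcpt>[^>]*)>,.*stat=(?P<stat>.+)$")

def parse_messages(log_text):
    """One dict per queue ID; from= and to= lines may appear in either order."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qid"] == "NOQUEUE":
            continue  # connect-only lines carry no envelope data
        rec, rest = msgs[m["qid"]], m["rest"]
        if f := FROM_RE.match(rest):
            rec.update(sender=f["sender"], size=int(f["size"]),
                       relay=f["relay"], forged=f["forged"] is not None)
        elif t := TO_RE.match(rest):
            rec.update(rcpt=t["rcpt"], stat=t["stat"])
    return dict(msgs)

def null_sender_report(msgs):
    """Per relay: how many from=<> messages it delivered, to whom, and whether
    sendmail flagged its reverse DNS as '(may be forged)'."""
    per_relay = defaultdict(lambda: {"count": 0, "forged": False, "rcpts": []})
    for rec in msgs.values():
        if rec.get("sender") != "":
            continue  # real envelope sender: not a bounce
        r = per_relay[rec["relay"]]
        r["count"] += 1
        r["forged"] |= rec["forged"]
        r["rcpts"].append(rec.get("rcpt", "?"))
    return dict(per_relay)

if __name__ == "__main__":
    for relay, info in null_sender_report(parse_messages(SAMPLE_LOG)).items():
        flag = "  (may be forged)" if info["forged"] else ""
        print(f"{info['count']:3d}  {relay}{flag} -> {', '.join(info['rcpts'])}")
```

Running it over a full day's maillog gives the per-relay count of bounces for mail this site never sent, which is the signal the post is describing.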
