[Dshield] Persistent open relay scan...

Jens Knoell jens at ing.twinwave.net
Thu Jul 18 09:00:07 GMT 2002


Does anyone know what generates mails like this:
----<Start of curious mail>----
Return-Path: <g>
Received: from p5080fa84.dip.t-dialin.net (p5080FA84.dip.t-dialin.net [80.128.250.132])
        by vega.ing.twinwave.net (8.11.0/8.11.0) with SMTP id g6I8M4Z24746
        for <vega.ing.twinwave.net at p5080fa84.dip.t-dialin.net>; Thu, 18 Jul 2002 10:22:04 +0200
Date: Thu, 18 Jul 2002 10:22:04 +0200
From: 195.96.33.249 at p5080fa84.dip.t-dialin.net
Message-Id: <200207180822.g6I8M4Z24746 at vega.ing.twinwave.net>
Subject: Do not delete this mail

vega.ing.twinwave.net and [195.96.33.249] invite you to a open mailrelay
----<End of curious mail>----

The mentioned server is mine, and it properly rejects the mail(s). I've got
like 10.000 of them in my mail spool right now, and I'd like to know if
anyone knows the program used.

Another question: Does anyone know of a good way to purge the (sendmail)
mail spool of that crap? I can't purge by sender/recipient, but the subject
as well as the body (see above) are always identical. Just how to kill the
unwanted spool files?

I do know that I lately pissed a few spammers off royally (including death
threats and other funnies), so I am not surprised.

Thanks in advance
Jens
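
One way to clear such entries from the spool by subject and body, as an added example that is not part of the original post. It assumes the sendmail 8.x queue layout (`qf<ID>` holding the envelope and `H`-prefixed header lines, `df<ID>` holding the body), that the queue runner is stopped while it runs, and a quarantine directory of your choosing; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: quarantine sendmail queue entries that match the relay-probe
# mail quoted above. Assumed layout (sendmail 8.x): qf<ID> = envelope + headers
# (header lines start with "H", optionally "H?flags?"), df<ID> = body.
# Typical call (default queue path, hypothetical quarantine path):
#   quarantine_probes /var/spool/mqueue /var/spool/mqueue.quarantine

PROBE_SUBJECT='Do not delete this mail'
PROBE_BODY='invite you to a open mailrelay'

# Print the queue IDs in directory $1 whose Subject and body both match.
find_probe_ids() {
    for qf in "$1"/qf*; do
        [ -f "$qf" ] || continue
        id=${qf##*/qf}
        # Exact Subject header, with or without ?flags? after the H.
        grep -Eq "^H(\?[^?]*\?)?Subject: ${PROBE_SUBJECT}\$" "$qf" || continue
        # Require the body marker too, so a legitimate mail that merely
        # shares the subject is left in the queue.
        grep -Fq "$PROBE_BODY" "$1/df$id" 2>/dev/null || continue
        printf '%s\n' "$id"
    done
}

# Move matching qf/df/xf files from queue dir $1 to quarantine dir $2.
# Prints the number of messages moved. Nothing is deleted, so a wrong
# match can be put back by moving the files into the queue again.
quarantine_probes() {
    mkdir -p "$2" || return 1
    moved=0
    for id in $(find_probe_ids "$1"); do
        for prefix in qf df xf; do
            if [ -f "$1/$prefix$id" ]; then mv "$1/$prefix$id" "$2/"; fi
        done
        moved=$((moved + 1))
    done
    printf '%s\n' "$moved"
}
```

Run `find_probe_ids` on its own first to review what would be moved before calling `quarantine_probes`.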



