[Dshield] Snake Mail Originator

Johannes Ullrich jullrich at sans.org
Tue May 21 20:14:24 GMT 2002


I got a delayed bounce. So I don't think the bounces go anywhere. However, the bounce came from a procmail-style script. It could be that some other rule is forwarding these emails.

For the code analysis see:

http://www.incidents.org/diary/diary.php?id=157

On Tue, 21 May 2002 12:53:17 -0700
"Coxe, John B." <JOHN.B.COXE at saic.com> wrote:

> Has anyone looked at the code enough to determine the defined originator
> and/or reply-to address in the ixltd at postone.com mailings?  If the
> compromised systems are sending to a full mailbox and if that mail is
> bouncing, it is not apparently coming back to the infected networks.  Is
> postone a red herring and the reply address the intended destination?

-- 
---------------------------------------------------------------
jullrich at sans.org             Collaborative Intrusion Detection
                                     join http://www.dshield.org



