[Dshield] Snake Mail Originator

Thomas Liston tliston at premmag.com
Tue May 21 20:24:56 GMT 2002


The actual code doesn't specify a "From" address.  I would assume it 
defaults to something within clemail.exe.  Here are some "guilty-
looking" strings pulled from there:

000537E4   004537E4      0   clemail at crosswinds.net
000537FC   004537FC      0   commandlineemail at crosswinds.net
0005381C   0045381C      0   mail.crosswinds.net
00053830   00453830      0   clemail at nettaxi.com
00053844   00453844      0   commandlineemailer at nettaxi.com
00053864   00453864      0   mail1.nettaxi.com
00053878   00453878      0   clemail at softhome.net
00053890   00453890      0   clemail
00053898   00453898      0   commandlineemail at softhome.net

-TL

On 21 May 2002 at 12:53, Coxe, John B. wrote:

> Has anyone looked at the code enough to determine the defined originator
> and/or reply-to address in the ixltd at postone.com mailings.  If the
> compromised systems are sending to a full mailbox and if that mail is
> bouncing, it is not apparently coming back to the infected networks.  Is
> postone a red herring and the reply address the intended destination?
> 
> It would be nice to see the whole code.
> 
> 
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list


Tom Liston, GSEC
Network Administrator
Prem Magnetics, Inc.
tliston at premmag.com
tliston at hackbusters.net




More information about the list mailing list