[Dshield] What is this?

Doug White doug at dwhite.ws
Thu Jun 12 04:14:56 GMT 2003


My parser tells me that the header information is incomplete.  All the stuff
about Earthlink seems to be spoofed.

The first one is a spam probe through a well known RoadRunner open email relay
at 24.58.22.18 in New York.

======================================
Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
======================================
If you are not satisfied with my service, my job isn't done!

----- Original Message ----- 
From: "Tim Pierce" <tim at qrsparadigm.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Wednesday, June 11, 2003 10:23 PM
Subject: RE: [Dshield] What is this?


| I'm seeing this also, and don't recognize it.. A correlation:
|
| ---- body ----
| From: Agnesse Dinesh [mailto:alex at hotmail.com]
| Sent: Wednesday, June 11, 2003 5:20 PM
| To: an_alias at earthlink.net
| Subject: To an_alias at earthlinkusit.net
|
|
| Hello, an_alias at earthlink.net from earthlink.net
| DATE0: Wed Jun 11 17:20:09 2003
| DATE1: Wed Jun 11 17:20:11 2003
| DATE2: Wed Jun 11 17:20:14 2003
| random chars: gfekijuozlre
| random nums: 5263014429
|
| from 64.132.72.81
| fromd 64.132.72.81
| fromd2 64.132.72.81
|
| xxx
| just %
|
| --- headers ---
| Status:  U
| Return-Path: <alex at hotmail.com>
| Received: from fowl.mail.pas.earthlink.net ([207.217.121.50])
| by kestrel (Earthlink/Onemain SMTP Server) with ESMTP id 19q7hu6HE3NZFlp0
| for <me at earthlink.net>; Wed, 11 Jun 2003 08:12:56 -0700 (PDT)
| Received: from kestrel-gp.pocket ([10.4.120.155] helo=kestrel)
| by fowl.mail.pas.earthlink.net with smtp (Exim 3.36 #1)
| id 19Q7HU-0006wA-00
| for me at earthlink.net; Wed, 11 Jun 2003 08:12:56 -0700
| X-MindSpring-Loop: an_alias at earthlink.net
| Received: from 64.132.72.81 ([64.132.72.81])
| by kestrel (Earthlink/Onemain SMTP Server) with SMTP id 19q7ht5yz3NZFlp0
| for <an_alias at earthlink.net>; Wed, 11 Jun 2003 08:12:53 -0700 (PDT)
| Received: from 64.132.72.81 (64.132.72.81 [64.132.72.81])
|
|
| -----Original Message-----
| From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
| Behalf Of Lux Omni
| Sent: Wednesday, June 11, 2003 10:16 PM
| To: list at dshield.org
| Subject: [Dshield] What is this?
|
|
| What is going on? I have received four variants of this (different names and
| numbers) in the last two days. I'll do the message first and then the headers
| in case that helps. I've never seen anything like this before. (My name and
| number changed to make it harder on the bots)
|
| ----------  Forwarded Message  ----------
|
| Subject: To me at earthlink.com
| Date: Wed Jun 11 07:48:03 2003
| From: Adrie Dianemarie <jack at yahoo.com>
| To: me at earthlink.com
|
| Hello, me at earthlink.com from earthlink.com
| DATE0: Wed Jun 11 07:48:03 2003
| DATE1: Wed Jun 11 07:48:05 2003
| DATE2: Wed Jun 11 07:48:08 2003
| random chars: lbbqvmiukab
| random nums: 3
|
| from 24.58.22.18
| fromd 24.58.22.18
| fromd2 24.58.22.18
|
| xxx
| just %
|
| -------------------------------------------------------
|
| Status: R
| Return-Path: <jack at yahoo.com>
| Received: from 24.58.22.18 ([24.58.22.18])
|         by emu (EarthLink SMTP Server) with SMTP id 19q7Ie3Mo3NZFnx0
|         for <me at earthlink.com>; Wed, 11 Jun 2003 08:40:33 -0700 (PDT)
| Received: from 24.58.22.18 (24.58.22.18 [24.58.22.18])
|         by 24.58.22.18 (8.12.8p1/8.12.8) with ESMTP id opjiah64492
|         for <me at earthlink.com>; Wed Jun 11 07:48:05 2003
| Date: Wed Jun 11 07:48:03 2003
| From: Adrie Dianemarie <jack at yahoo.com>
| X-Mailer: The Bat! (v1.61) Personal
| Reply-To: Adrie Dianemarie <jack at yahoo.com>
| X-Priority: 3 (Normal)
| Message-ID: <gwequz504089 at yahoo.com>
| To: me at earthlink.com
| Subject: To me at earthlink.com
| MIME-Version: 1.0
| Content-Type: text/plain;
|   charset=us-ascii
| Content-Transfer-Encoding: 7bit
| X-Status: N
|
|
| _______________________________________________
| list mailing list
| list at dshield.org
| To change your subscription options (or unsubscribe), see:
| http://www.dshield.org/mailman/listinfo/list
|
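An added example, not code from anyone in this thread: a small audit of the Received chain from the second quoted sample. It flags hops whose HELO name is a bare IP, whose "by" host is the connecting peer itself, or whose timestamp is not in RFC 2822 form. The function name and finding labels are hypothetical, and it assumes the token after "from" is the HELO name the client supplied.

```python
import re
from email import message_from_string

# Headers copied from the second sample quoted in this thread
# (list-archive "at" obfuscation left as-is).
SAMPLE = """\
Received: from 24.58.22.18 ([24.58.22.18])
        by emu (EarthLink SMTP Server) with SMTP id 19q7Ie3Mo3NZFnx0
        for <me at earthlink.com>; Wed, 11 Jun 2003 08:40:33 -0700 (PDT)
Received: from 24.58.22.18 (24.58.22.18 [24.58.22.18])
        by 24.58.22.18 (8.12.8p1/8.12.8) with ESMTP id opjiah64492
        for <me at earthlink.com>; Wed Jun 11 07:48:05 2003
Date: Wed Jun 11 07:48:03 2003
Subject: To me at earthlink.com

xxx
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# "from <helo> ([<ip>])" or "from <helo> (<name> [<ip>])", optional "by <host>"
HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[(" + IP + r")\]\)(?:\s+by\s+(\S+))?")
# RFC 2822 date-time such as "11 Jun 2003 08:40:33 -0700" (numeric zone required)
RFC_DATE = re.compile(r"\d{1,2}\s+[A-Za-z]{3}\s+\d{4}\s+\d{2}:\d{2}(?::\d{2})?\s+[+-]\d{4}")

def audit_headers(raw):
    """Return (hop, finding) pairs; hop 1 is the topmost Received line, 0 is Date."""
    msg = message_from_string(raw)
    findings = []
    for n, value in enumerate(msg.get_all("Received", []), 1):
        m = HOP.search(value)
        if not m:
            findings.append((n, "unparseable"))
            continue
        helo, peer_ip, by_host = m.groups()
        if re.fullmatch(IP, helo):
            findings.append((n, "helo-is-bare-ip"))
        if by_host is None:
            findings.append((n, "no-by-clause"))
        elif by_host == peer_ip:
            findings.append((n, "by-host-is-the-peer"))
        # The timestamp follows the last ";" of a Received line.
        if not RFC_DATE.search(value.rpartition(";")[2]):
            findings.append((n, "timestamp-not-rfc2822"))
    if not RFC_DATE.search(msg.get("Date", "")):
        findings.append((0, "date-not-rfc2822"))
    return findings

if __name__ == "__main__":
    print(audit_headers(SAMPLE))
```

Only the topmost Received line was written by the receiving server; everything below it arrived as message data from the connecting host, which is why findings on hop 2 and on the Date header describe the sender's template rather than a real relay path.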



