[Dshield] Unidentifiable e-mail

Stephane Grobety security at admin.fulgan.com
Mon Jan 26 18:24:12 GMT 2004


How are you receiving these files? Via SMTP or POP3?

If it's POP3, then I'm betting that you aren't actually seeing the
whole source of the message: the SMTP server should, at least, have
added the "received from" header to the envelope.

If it's SMTP, then it's most likely some spam program that connects
directly to your SMTP server to send its trash. It's perfectly
feasible to send a message with no headers using, for example, the
telnet command with something like this:

MAIL FROM:<anyone at anywhere><crlf>
RCPT TO:<spammed_user at yourdomain><crlf>
DATA<crlf>
<crlf>
{spammy message body}
<crlf>.<crlf>

The SMTP server should then add the "received from" header indicating
the IP address and, if it's nice, it will also detect that there is no
"TO" header and add a "for <spammed_user at yourdomain>" to that receive
line.

How do you block these? Well, it depends on what mail server you're
using but you could check for the presence of a "To:" header (or any
valid header) and systematically reject messages that don't have it.

Good luck,
Stephane

BH> Our system is starting to receive e-mail that has no header.  At first I
BH> was getting one a week, now I'm starting to get a couple a day.  I've
BH> asked our anti-spam folks what to do; I've asked my ISP what to do.  No
BH> one has any idea.  So, I thought I'd ask y'all.  Any ideas what they
BH> are, where they are coming from, or how to block them?
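The check Stephane suggests, written out as an added example (it is not code from the list post or from any particular mail server): parse the message as the server would see it after adding its own Received: line, and flag it when the header block lacks the fields a real mail client always writes. The header list, function names and the two sample messages are constructed for this illustration.

```python
"""Flag inbound messages whose header block is missing (or nearly missing).

Added example for the Dshield thread, not code from the post or any MTA.
A spam bot that speaks raw SMTP often submits only a body; the receiving
server then prepends a single Received: line and nothing else, so the
absence of From:/Date:/To: is a usable rejection criterion.
"""
from email import policy
from email.parser import BytesParser

# From: and Date: are mandatory under RFC 5322; To: is the header the
# post proposes checking. Adjust to taste for your own mail stream.
REQUIRED_HEADERS = ("From", "Date", "To")


def missing_required_headers(raw: bytes) -> list[str]:
    """Return the names of required headers absent from a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # msg[name] is None when the header is not present at all.
    return [name for name in REQUIRED_HEADERS if msg[name] is None]


def should_reject(raw: bytes) -> bool:
    """Policy hook: reject when any required header is missing."""
    return bool(missing_required_headers(raw))


# Constructed sample 1: a normal message as a receiving server stores it.
NORMAL = (
    b"Received: from mail.example.net (192.0.2.25) by mx.example.org; "
    b"Mon, 26 Jan 2004 18:24:12 +0000\r\n"
    b"From: alice@example.net\r\n"
    b"To: bob@example.org\r\n"
    b"Date: Mon, 26 Jan 2004 18:20:00 +0000\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"Hi Bob.\r\n"
)

# Constructed sample 2: the spam-bot case from the post. The bot sent only
# a body; the only header present is the Received: line the server added.
HEADERLESS = (
    b"Received: from unknown (192.0.2.77) by mx.example.org "
    b"for <bob@example.org>; Mon, 26 Jan 2004 19:01:03 +0000\r\n"
    b"\r\n"
    b"spammy message body\r\n"
)

# Constructed sample 3: a partial header block (only To: missing).
NO_TO = (
    b"From: alice@example.net\r\n"
    b"Date: Mon, 26 Jan 2004 18:20:00 +0000\r\n"
    b"\r\n"
    b"Bcc-only delivery, legitimate but headerless for To:.\r\n"
)

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL), ("headerless", HEADERLESS), ("no_to", NO_TO)):
        print(label, "->", "reject" if should_reject(sample) else "accept",
              missing_required_headers(sample))
```

Note that the third sample is a legitimate shape (Bcc-only delivery has no To:), which is why the post hedges with "or any valid header": requiring only From: and Date: catches the body-only case without bouncing Bcc recipients.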
