[Dshield] Unidentifiable e-mail

Betsy Horn Bhorn at hfblaw.com
Mon Jan 26 19:26:16 GMT 2004


Thanks all who responded.  I did send the example with my initial post,
but the list stripped it.  I then sent it to Johannes directly. 
Hopefully, he can post it if necessary.  Our email is GroupWise 6.5, via
smtp.  We use GWAVA to block spam.  GroupWise usually provides the
Message, Text.htm if it's html, and Mime.822 attachments with every
legitimate message.  These irritants come as Message only from a bogus
yahoo address.  No subject line.  No message.  No other attachments.  

It appears Stephane has probably nailed it, and I will try your
suggestions.  

Thanks again.  

Betsy

>>> security at admin.fulgan.com 1/26/2004 12:24:12 PM >>>
How are you receiving these files? Via SMTP or POP3?

If it's POP3, then I'm betting that you aren't actually seeing the
whole source of the message: the SMTP server should, at least, have
added the "received from" header to the envelope.

If it's SMTP, then it's most likely some spam program that connects
directly to your SMTP server to send its trash. It's perfectly
feasible to send a message with no headers using, for example, the
telnet command with something like this:

RCPT TO:<spammed_user at yourdomain><crlf>
<crlf><crlf>
{spammy message body}
<crlf>.<crlf>

The SMTP server should then add the "received from" header indicating
the IP address and, if it's nice, it will also detect that there is no
"TO" header and add a "for <spammed_user at yourdomain>" to that receive
line.

How do you block these? Well, it depends on what mail server you're
using but you could check for the presence of a "To:" header (or any
valid header) and systematically reject messages that don't have it.

Good luck,
Stephane

BH> Our system is starting to receive e-mail that has no header.  At
BH> first I was getting one a week, now I'm starting to get a couple a day.
BH> I've asked our anti-spam folks what to do; I've asked my ISP what to do.
BH> No one has any idea.  So, I thought I'd ask y'all.  Any ideas what
BH> they are, where they are coming from, or how to block them?
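A detection check in the spirit of Stephane's suggestion, added here as an example and not code from the thread or from any of the products mentioned: it parses a raw message with Python's standard email library, reports which of the From/To/Date headers are absent, and classifies the message. The sample messages, the addresses, and the relay name mail.example.invalid are constructed for the example; the thresholds in classify() are an assumption, not a rule from the list.

```python
"""Flag inbound messages that arrive with no (or almost no) RFC 822 headers."""
from email import message_from_bytes
from email.policy import default

# Headers a legitimate client-originated message is expected to carry.
# RFC 2822 requires From and Date; To is the header the thread above
# suggests checking for.
REQUIRED_HEADERS = ("From", "To", "Date")


def missing_headers(raw: bytes) -> list[str]:
    """Return the required header names that the raw message lacks.

    The stdlib parser treats everything up to the first non-header line
    as the header block, so a body-only message yields no headers at all.
    """
    msg = message_from_bytes(raw, policy=default)
    return [name for name in REQUIRED_HEADERS if name not in msg]


def received_hops(raw: bytes) -> list[str]:
    """Return the Received lines the relays stamped on the message."""
    msg = message_from_bytes(raw, policy=default)
    return [str(value) for value in msg.get_all("Received", [])]


def classify(raw: bytes) -> str:
    """Constructed policy: reject when every required header is missing,
    quarantine when only some are, accept otherwise."""
    missing = missing_headers(raw)
    if len(missing) == len(REQUIRED_HEADERS):
        return "reject"       # body only, like the messages in the thread
    if missing:
        return "quarantine"   # partially formed; let a human look
    return "accept"


# Constructed sample 1: what the spam tool sends over the wire -- an empty
# header block followed directly by the body.
RAW_HEADERLESS = b"\r\nspam body\r\n"

# Constructed sample 2: the same message after the receiving SMTP server
# prepended its own Received line. Note that a Received header alone does
# not make the message legitimate.
RELAYED_HEADERLESS = (
    b"Received: from [192.0.2.10] by mail.example.invalid with SMTP;"
    b" Mon, 26 Jan 2004 12:00:00 -0500\r\n"
    b"\r\n"
    b"spam body\r\n"
)

# Constructed sample 3: a normal message with the expected headers.
LEGIT = (
    b"Received: from [192.0.2.20] by mail.example.invalid with ESMTP;"
    b" Mon, 26 Jan 2004 12:24:12 -0500\r\n"
    b"From: alice@example.invalid\r\n"
    b"To: bob@example.invalid\r\n"
    b"Date: Mon, 26 Jan 2004 12:24:12 -0500\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"hello bob\r\n"
)

# Constructed sample 4: From and Date present, To missing.
MISSING_TO = (
    b"From: alice@example.invalid\r\n"
    b"Date: Mon, 26 Jan 2004 12:24:12 -0500\r\n"
    b"\r\n"
    b"no recipient header here\r\n"
)

if __name__ == "__main__":
    for label, sample in (("raw headerless", RAW_HEADERLESS),
                          ("relayed headerless", RELAYED_HEADERLESS),
                          ("legit", LEGIT),
                          ("missing To", MISSING_TO)):
        print(f"{label:20s} missing={missing_headers(sample)} "
              f"hops={len(received_hops(sample))} -> {classify(sample)}")
```

The check keys on the absence of all three headers before rejecting outright; a lone missing To: is only quarantined, because some legitimate list and notification mail is thin on headers and a hard reject on one header produces false positives. The Received count is reported separately so the log shows which relay stamped the message, which is where the source address lives when nothing else is present.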

_______________________________________________
list mailing list
list at dshield.org 
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list