[Dshield] List Problem?

jayjwa jayjwa at atr2.ath.cx
Tue Aug 30 03:49:40 GMT 2005


On Sun, 28 Aug 2005, stu wrote:

-> The last 2 posts I have made to the list resulted in me getting a mail
-> back:
-> 
-> Action Taken:
-> The message was quarantined and replaced with a text informing the
-> recipient of the action taken.
-> 
-> To:
-> General DShield Discussion List <list at lists.dshield.org>
-> 
-> From:
-> stu <secmail at patchsupplier.dyndns.org>
-> 
-> Sent:
-> -965133568,29731832
-> 
-> Subject:
-> Re: [Dshield] IRC BotNet Connection Question
-> 
-> Attachment Details:-
-> 
-> Attachment Name: N/A
-> File: Infected.msg
-> Infected? No
-> Repaired? No
-> Blocked? Yes
-> Deleted? No
-> Virus Name:



Yes, the exact same thing happened to me. It appears that someone has made 
a very bad decision to filter the list for common, everyday words. If you 
check the header, you'll see it's not from Dshield, but some other server, 
"naspers" or something to that effect:


Aug 27 09:58:23 atr2 sm-mta[9468]: NOQUEUE: connect from 
mail03.naspers.com [152.111.1.4]

Aug 27 09:58:23 atr2 sm-mta[9468]: j7RDwN0s009468: Milter (milter-regex): 
init success to negotiate

Aug 27 09:58:23 atr2 sm-mta[9468]: j7RDwN0s009468: Milter: connect to 
filters

Aug 27 09:58:28 atr2 sm-mta[9468]: j7RDwN0s009468: 
from=<NAINASSITE01NDSXCH03 at media24.com>, size=5007, class=0, nrcpts=1, 
msgid=<16E8656C063C6D46BA77995C917BB0CA0A037FF7 at ndsxch03.naspers.com>, 
proto=ESMTP, daemon=MTA, relay=mail03.naspers.com [152.111.1.4]

Aug 27 09:58:28 atr2 sm-mta[9468]: j7RDwN0s009468: Milter accept: message

Aug 27 09:58:28 atr2 sm-mta[9470]: j7RDwN0s009468: 
to=<jayjwa at atr2.ath.cx>, delay=00:00:02, xdelay=00:00:00, mailer=local, 
pri=35212, dsn=2.0.0, stat=Sent

Aug 27 09:58:28 atr2 sm-mta[9470]: j7RDwN0s009468: done; delay=00:00:02, 
ntries=1


I simply banned the server (another plus of running your own mailserver). 
Good thing too, because not even a full hour later, there it was again
spamming out its bounces:


Aug 27 10:32:39 atr2 sm-mta[9541]: NOQUEUE: connect from 
mail03.naspers.com [152.111.1.4]

Aug 27 10:32:39 atr2 sm-mta[9541]: ruleset=check_relay, 
arg1=mail03.naspers.com, arg2=152.111.1.4, relay=mail03.naspers.com 
[152.111.1.4], reject=550 5.0.0 [BANNED] for malfunctioning AV scanner 
which spams bounces.


To top it all off, there's a MS attachment at the end, something which 
made sense neither base64'ed or de-base64'ed.
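As an added illustration (not part of the original post, and not DShield's or the list server's code), the following Python snippet parses sendmail log lines of the shape shown above, correlates the `from=` and `Milter accept` entries by queue ID per relay IP, counts `check_relay` rejections, and builds the access_db line that produces such a 550 reply. The log text is constructed to match the post's excerpt, with " at " rendered as "@"; the access_db format assumes sendmail built with FEATURE(access_db).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the sendmail log excerpt in the post
# (addresses joined with "@"; the list archive shows them as " at ").
SAMPLE_LOG = """\
Aug 27 09:58:23 atr2 sm-mta[9468]: NOQUEUE: connect from mail03.naspers.com [152.111.1.4]
Aug 27 09:58:28 atr2 sm-mta[9468]: j7RDwN0s009468: from=<NAINASSITE01NDSXCH03@media24.com>, size=5007, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail03.naspers.com [152.111.1.4]
Aug 27 09:58:28 atr2 sm-mta[9468]: j7RDwN0s009468: Milter accept: message
Aug 27 09:58:28 atr2 sm-mta[9470]: j7RDwN0s009468: to=<jayjwa@atr2.ath.cx>, delay=00:00:02, xdelay=00:00:00, mailer=local, pri=35212, dsn=2.0.0, stat=Sent
Aug 27 10:32:39 atr2 sm-mta[9541]: NOQUEUE: connect from mail03.naspers.com [152.111.1.4]
Aug 27 10:32:39 atr2 sm-mta[9541]: ruleset=check_relay, arg1=mail03.naspers.com, arg2=152.111.1.4, relay=mail03.naspers.com [152.111.1.4], reject=550 5.0.0 [BANNED] for malfunctioning AV scanner which spams bounces.
"""

# Envelope sender line: queue ID, sender, and the relay host/IP it came from.
FROM_RE = re.compile(r": (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*relay=(?P<host>\S+) \[(?P<ip>[^\]]+)\]")
# Milter verdict, keyed by the same queue ID (the PID differs, the queue ID does not).
ACCEPT_RE = re.compile(r": (?P<qid>\w+): Milter accept: message")
# check_relay rejection: fires before a queue ID exists, so key on the IP instead.
REJECT_RE = re.compile(r"ruleset=check_relay, arg1=(?P<host>\S+), arg2=(?P<ip>[^,]+),.*reject=(?P<reply>\d{3} .*)$")


def summarize_relays(log_text):
    """Per relay IP: host name, envelope senders seen, milter-accepted and check_relay-rejected counts."""
    qid_ip = {}
    stats = defaultdict(lambda: {"host": None, "senders": set(), "accepted": 0, "rejected": 0})
    for line in log_text.splitlines():
        if m := FROM_RE.search(line):
            qid_ip[m["qid"]] = m["ip"]
            stats[m["ip"]]["host"] = m["host"]
            stats[m["ip"]]["senders"].add(m["sender"])
        elif m := ACCEPT_RE.search(line):
            ip = qid_ip.get(m["qid"])
            if ip:
                stats[ip]["accepted"] += 1
        elif m := REJECT_RE.search(line):
            stats[m["ip"]]["host"] = m["host"]
            stats[m["ip"]]["rejected"] += 1
    return dict(stats)


def access_db_entry(ip, reason):
    """access_db line (FEATURE(access_db) assumed) whose Connect: tag makes check_relay reject with a 550."""
    return f'Connect:{ip}\tERROR:"550 {reason}"'
```

Run `makemap hash /etc/mail/access < /etc/mail/access` after adding the generated line, as sendmail reads the built map, not the text file.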