[Dshield] New spammer tag
jayjwa at atr2.ath.cx
Thu Dec 29 11:21:55 GMT 2005
One more for the filter. I've been getting a lot of these lately; note the HELO
this spammer chooses:
Dec 29 05:09:26 atr2 sm-mta: NOQUEUE: connect from
Dec 29 05:09:26 atr2 sm-mta: jBTA9QH3006225: Milter (milter-regex): init
success to negotiate
Dec 29 05:09:26 atr2 sm-mta: jBTA9QH3006225: Milter: connect to filters
Dec 29 05:09:30 atr2 sm-mta: jBTA9QH3006225: Milter: helo=friend,
reject=554 5.7.1 [BANNED] SPAMMERS are no one's friends: transaction logged,
reporting to ISP.
I just added this rule after I got a bunch of spam for rip-off software. Since
they're choosing to use such an obvious marker as HELO="friend", they likely are
a new(er) spam gang working together. You shouldn't get any false positives
off of this one either; I don't know of any site that would use just "friend"
as their HELO. In fact, I'm betting it's malware, and the owner doesn't know
of it. I'd like to find out what it is, actually.
p0f thinks the system is:
<Thu Dec 29 05:09:23 2005> 18.104.22.168:1848 - Windows 2000 SP2+, XP SP1
(seldom 98 4.10.2222) -> 22.214.171.124:25 (distance 23, link: pppoe (DSL))
p0f is usually quite accurate; a Windows DSL system running a mail server?
Possible, but not as likely as a Unix/Linux system since Windows doesn't come
with a mailserver in home versions.
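As an added example (not code from the post or from milter-regex), here is a small parser for sm-mta "Milter: helo=..., reject=..." log lines like the ones quoted above. It tallies rejected HELO strings, so a new marker such as "friend" shows up as a repeated value, and it generalises the "friend" observation slightly: a HELO that is a single bare label (no dot, not a bracketed address literal) cannot be the FQDN the SMTP spec asks for, which is why such a rule carries little false-positive risk. The sample log, queue IDs and the second host name are constructed.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the sm-mta / milter-regex lines quoted in the post
# (queue IDs and the second host name are made up).
SAMPLE_LOG = """\
Dec 29 05:09:30 atr2 sm-mta: jBTA9QH3006225: Milter: helo=friend, reject=554 5.7.1 [BANNED] SPAMMERS are no one's friends: transaction logged, reporting to ISP.
Dec 29 05:11:02 atr2 sm-mta: jBTA9QH3006301: Milter: helo=mail.example.net, reject=554 5.7.1 [BANNED] listed on local blocklist
Dec 29 05:12:45 atr2 sm-mta: jBTA9QH3006410: Milter: helo=friend, reject=554 5.7.1 [BANNED] SPAMMERS are no one's friends: transaction logged, reporting to ISP.
Dec 29 05:13:01 atr2 sm-mta: jBTA9QH3006455: Milter: connect to filters
"""

# One Milter reject line: timestamp, queue id, HELO argument, SMTP reply code + enhanced status, text.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sm-mta: (?P<qid>\w+): "
    r"Milter: helo=(?P<helo>[^,]*), reject=(?P<code>\d{3} \d\.\d\.\d) (?P<text>.*)$"
)

# A HELO/EHLO argument should be a FQDN or a bracketed address literal (RFC 2821);
# a single bare label like "friend" is neither, which is what makes the rule low-risk.
ADDRESS_LITERAL_RE = re.compile(r"^\[[0-9A-Fa-f:.]+\]$")


def is_bare_label(helo: str) -> bool:
    """True when the HELO is a single label: no dot and not an address literal."""
    helo = helo.strip()
    if not helo or ADDRESS_LITERAL_RE.match(helo):
        return False
    return "." not in helo


def parse_rejections(log: str) -> list[dict]:
    """Extract every Milter HELO rejection from the log text."""
    events = []
    for line in log.splitlines():
        m = REJECT_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["bare_helo"] = is_bare_label(ev["helo"])
            events.append(ev)
    return events


def helo_counts(log: str) -> Counter:
    """How often each rejected HELO string was seen, to spot a new marker like 'friend'."""
    return Counter(ev["helo"] for ev in parse_rejections(log))


if __name__ == "__main__":
    for helo, n in helo_counts(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {helo}  bare_label={is_bare_label(helo)}")
```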