[Dshield] New spammer tag

jayjwa jayjwa at atr2.ath.cx
Thu Dec 29 11:21:55 GMT 2005



One more for the filter. I've been getting a lot of these lately; note the HELO 
this spammer chooses:


Dec 29 05:09:26 atr2 sm-mta[6225]: NOQUEUE: connect from 
14.109.dsl.mel.iprimus.net.au [58.178.144.14]

Dec 29 05:09:26 atr2 sm-mta[6225]: jBTA9QH3006225: Milter (milter-regex): init 
success to negotiate

Dec 29 05:09:26 atr2 sm-mta[6225]: jBTA9QH3006225: Milter: connect to filters

Dec 29 05:09:30 atr2 sm-mta[6225]: jBTA9QH3006225: Milter: helo=friend, 
reject=554 5.7.1 [BANNED] SPAMMERS are no one's friends: transaction logged, 
reporting to ISP.



I just added this rule after I got a bunch of spam for rip-off software. Since 
they're choosing to use such an obvious marker as HELO="friend", they likely are 
a new(er) spam gang working together. You shouldn't get any false positives 
off of this one either; I don't know of any site that would use just "friend" 
as their HELO. In fact, I'm betting it's malware, and the owner doesn't know 
of it. I'd like to find out what it is, actually.

p0f thinks the system is:

<Thu Dec 29 05:09:23 2005> 58.178.144.14:1848 - Windows 2000 SP2+, XP SP1 
(seldom 98 4.10.2222) -> 64.179.15.224:25 (distance 23, link: pppoe (DSL))


p0f is usually quite accurate; a Windows DSL system running a mail server? 
Possible, but not as likely as a Unix/Linux system since Windows doesn't come 
with a mailserver in home versions.


-jayjwa
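An added example (not part of the post above) of the detection side of this: pairing sendmail's Milter `helo=` lines with the preceding `connect from` line by child pid, then flagging connections whose HELO is exactly the banned word, so a legitimate hostname is never matched by accident. The sample log is constructed from the lines quoted in the post plus one invented clean session; `BANNED_HELOS` is an assumed list holding just the post's rule.

```python
import re

# Constructed sample: the post's session plus an invented clean one (mail.example.net).
SAMPLE_LOG = """\
Dec 29 05:09:26 atr2 sm-mta[6225]: NOQUEUE: connect from 14.109.dsl.mel.iprimus.net.au [58.178.144.14]
Dec 29 05:09:26 atr2 sm-mta[6225]: jBTA9QH3006225: Milter (milter-regex): init success to negotiate
Dec 29 05:09:26 atr2 sm-mta[6225]: jBTA9QH3006225: Milter: connect to filters
Dec 29 05:09:30 atr2 sm-mta[6225]: jBTA9QH3006225: Milter: helo=friend, reject=554 5.7.1 [BANNED] SPAMMERS are no one's friends: transaction logged, reporting to ISP.
Dec 29 05:11:02 atr2 sm-mta[6301]: NOQUEUE: connect from mail.example.net [192.0.2.10]
Dec 29 05:11:03 atr2 sm-mta[6301]: jBTABB3x006301: Milter: helo=mail.example.net
"""

CONNECT_RE = re.compile(r"sm-mta\[(\d+)\]: NOQUEUE: connect from (\S+) \[([\d.]+)\]")
HELO_RE = re.compile(r"sm-mta\[(\d+)\]: (\S+): Milter: helo=([^,\s]+)(?:, reject=(.*))?$")

# Assumed ban list: only the bare word the post describes, matched exactly, so
# real hostnames (even ones containing "friend") are never caught.
BANNED_HELOS = {"friend"}


def parse_sessions(log_text):
    """Pair each HELO with its connecting host via the sendmail child pid.

    Returns a list of dicts with keys: ip, host, helo, rejected (bool).
    """
    pending = {}   # pid -> (host, ip) remembered from the connect line
    sessions = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            pid, host, ip = m.groups()
            pending[pid] = (host, ip)
            continue
        m = HELO_RE.search(line)
        if m:
            pid, _qid, helo, reject = m.groups()
            host, ip = pending.pop(pid, ("?", "?"))
            sessions.append({"ip": ip, "host": host, "helo": helo,
                             "rejected": reject is not None})
    return sessions


def flag_banned_helo(sessions):
    """Return the sorted IPs whose HELO equals a banned word (case-insensitive)."""
    return sorted({s["ip"] for s in sessions if s["helo"].lower() in BANNED_HELOS})
```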



