[Dshield] Probing for catch alls.
cef at optus.net
Sat Jun 25 02:36:57 GMT 2005
On Saturday 25 June 2005 04:22, Joshua wrote:
> I've been getting what appears to be probes for catch alls to both
> personal and business domains. I'm sure it's just some jerk spammer, but
> was wondering why they'd want to know.
Trimming the fat from their lists perhaps?
Firstly, they will know from the SMTP level if the address has bounced.
Secondly, they may have embedded something in the message that will activate
on view (eg: html img tags - many email clients still load external images),
that pull down a unique image URL (may even be a 1x1 transparent blank image)
from a webserver they have access to. This gives them definitive proof that
the message was read, and delivers to a real person, and if the url is
unique, exactly which address it was (url to email address list map and
looking at the logs). It can also give them other information (eg: what
fetched the image, which IP the fetch came from), that could be useful for
Lastly, the user might just reply with "Who are you?", giving away the whole
> From address is RANDOMNUMBERS_gibberish at forgeddomain.com.
> Is this something I should be concerned about? Should I expect a spam
> wave soon? Just curious if anyone had any insight on this.
Checking for catch all domains may also be looking for either misconfigured
servers (relays, or bounce relays), and as a domain they can use to forge in
their own spam. What better for them to forge wacky addresses from than a
domain which accepts any email address fed at it?
Stuart Young - aka Cefiar - cef at optus.net