[Dshield] Probing for catch alls.

Cefiar cef at optus.net
Sat Jun 25 02:36:57 GMT 2005

On Saturday 25 June 2005 04:22, Joshua wrote:
> I've been getting what appears to be probes for catch alls to both
> personal and business domains.  I'm sure it's just some jerk spammer, but
> was wondering why they'd want to know.

Trimming the fat from their lists perhaps?

Firstly, they will know from the SMTP level if the address has bounced.

Secondly, they may have embedded something in the message that will activate 
on view (eg: html img tags - many email clients still load external images), 
that pull down a unique image URL (may even be a 1x1 transparent blank image) 
from a webserver they have access to. This gives them definitive proof that 
the message was read, and delivers to a real person, and if the url is 
unique, exactly which address it was (url to email address list map and 
looking at the logs). It can also give them other information (eg: what 
fetched the image, which IP the fetch came from), that could be useful for 
other purposes.

Lastly, the user might just reply with "Who are you?", giving away the whole 

> >From address is RANDOMNUMBERS_gibberish at forgeddomain.com.
> Is this something I should be concerned about?  Should I expect a spam
> wave soon?  Just curious if anyone had any insight on this.

Checking for catch all domains may also be looking for either misconfigured 
servers (relays, or bounce relays), and as a domain they can use to forge in 
their own spam. What better for them to forge wacky addresses from than a 
domain which accepts any email address fed at it?

 Stuart Young - aka Cefiar - cef at optus.net

More information about the list mailing list