[Dshield] Fanmail from a flounder

Sue Young sforslev at gmail.com
Fri Apr 27 16:57:01 GMT 2007


I blocked helo=hacker1 and haven't seen anything else.  It should cover a
lot of these since the ones that came through all were from different IPs.
It's nice when they bother to say "helo, I'm a hacker."

Sue Young, CISSP

On 4/26/07, stu <stu at evans4.co.uk> wrote:
>
> I don't know if anyone else has tried or looked at this yet but I've
> been blocking spam based on the Message-ID.
>
> I found that a number of spam messages would have common parts of the
> message ID so I placed these into a filter and had the emails forwarded
> to another account purely for spam. So far no legitimate email has been
> sent there and it's trapped quite a few spam messages :D
>
> Stu
>
> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Sue Young
> Sent: 26 April 2007 18:24
> To: General DShield Discussion List
> Subject: [Dshield] Fanmail from a flounder
>
> The guy sitting next to me just got several one word spams and asked me to
> block them.  Take a look at the header.
>
> I don't think I'd ever mistake this for legitimate mail.  hacker1 huh? Real
> 1337.  I just wanted to share the stupidest thing I've seen all day (so far).
>
> Sue Young, CISSP
>
> Microsoft Mail Internet Headers Version 2.0
>
> <info snipped>
>
> X-BigFish: vps12(z33fbkzzz109clzzz2dh38m)
> X-EF: str=0001.0A090207.4630C8A4.000D,ss=3,fgs=4
> X-Spam-TCS-SCL: 6:0
> Received: by mail33-fra (MessageSwitch) id 1177602211879526_541; Thu, 26
> Apr
> 2007 15:43:31 +0000 (UCT)
> Received: from dsl-189-132-92-111.prod-infinitum.com.mx (unknown [
> 189.132.92.111])
>     by mail33-fra.bigfish.com (Postfix) with ESMTP id 1806B970077
>     for <kanwar at gcmlp.com>; Thu, 26 Apr 2007 15:43:30 +0000 (UTC)
> Received: from hacker1 ([132.131.35.163] helo=hacker1)
>     by dsl-189-132-92-111.prod-infinitum.com.mx ( sendmail
> 8.13.3/8.13.1)
> with esmtpa id 1vxapu-000AUN-vw
>     for kanwar at gcmlp.com; Thu, 26 Apr 2007 10:43:49 -0500
> Message-ID: <000b01c78819$a2d50d60$6f5c84bd at hacker1>
> From:    "Jakob Sutton" <Suttondflm at FORENSICPANEL.COM>
> To: xxxx at xxxx.com
> Subject: advent
> Date:    Thu, 26 Apr 2007 10:43:29 -0500
> Message-ID: <000b01c78819$a2d50d60$6f5c84bd at hacker1>
> MIME-Version: 1.0
> Content-Type: text/plain;
>     charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook, Build 10.0.6626
> Importance: Normal
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
> Return-Path: Suttondflm at FORENSICPANEL.COM
> X-OriginalArrivalTime: 26 Apr 2007 15:43:33.0133 (UTC)
> FILETIME=[A53FCBD0:01C78819]
> _________________________________________
>
> SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
> taught by our top rated instructors plus a huge vendor tools expo.
> Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)
>
>

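Added example, not part of the original thread or any poster's filter: a Python sketch of the two checks discussed above, matching the helo= name recorded in a Received header and a recurring fragment of the Message-ID. The sample messages are constructed (documentation hosts and IPs), and the function name spam_reasons and the fragment "@hacker1>" are assumptions chosen for illustration.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the thread; hosts,
# addresses and IPs are documentation values, not the ones on the page.
SPAM = """\
Received: from relay.example.net (unknown [192.0.2.10])
    by mx.example.com (Postfix) with ESMTP id 1806B970077
    for <user@example.com>; Thu, 26 Apr 2007 15:43:30 +0000 (UTC)
Received: from hacker1 ([198.51.100.7] helo=hacker1)
    by relay.example.net with esmtpa id 1vxapu-000AUN-vw
    for user@example.com; Thu, 26 Apr 2007 10:43:49 -0500
Message-ID: <000b01c78819$a2d50d60$6f5c84bd@hacker1>
Subject: advent

advent
"""
# Constructed legitimate message: HELO is a full host name.
HAM = """\
Received: from mail.example.org ([203.0.113.5] helo=mail.example.org)
    by mx.example.com with esmtp id 1abcde-000123-xy
    for user@example.com; Thu, 26 Apr 2007 11:00:00 -0500
Message-ID: <20070426160000.12345@mail.example.org>
Subject: meeting notes

See attached.
"""

# Only the "helo=name" annotation seen in the thread's Received line is parsed.
HELO_RE = re.compile(r"\bhelo=([^\s)\]]+)", re.IGNORECASE)

def spam_reasons(raw, blocked_helo=("hacker1",), msgid_fragments=("@hacker1>",)):
    """Return the reasons a message matches the HELO or Message-ID filters."""
    msg = message_from_string(raw)
    reasons = []
    for received in msg.get_all("Received", []):
        for name in HELO_RE.findall(received):
            if name.lower() in blocked_helo:
                reasons.append("helo:" + name.lower())
    for msgid in msg.get_all("Message-ID", []):
        compact = "".join(msgid.split()).lower()  # undo header folding
        for frag in msgid_fragments:
            if frag in compact:
                reasons.append("message-id:" + frag)
    return reasons

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("ham", HAM)):
        print(label, spam_reasons(raw) or "no match")
```

Because neither check looks at the connecting address, the same rule matches copies relayed through different IPs.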
