[Dshield] Fanmail from a flounder

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Fri Apr 27 17:57:12 GMT 2007


On Fri, 27 Apr 2007 10:04:56 EDT, Tom said:
>
> Received: from hacker1 ([132.131.35.163] helo=hacker1)
>      by dsl-189-132-92-111.prod-infinitum.com.mx ( sendmail 8.13.3/8.13.1)
> with esmtpa id 1vxapu-000AUN-vw
>      for kanwar at gcmlp.com; Thu, 26 Apr 2007 10:43:49 -0500
> 
> is bogus. Port 25 is not active and I doubt that a provisioning DSL
> line in Mexico is a relay.

You apparently checked the *current* (as of 3 hours ago or so) owner of
dsl-189-132-92-111.  The question is who was sitting on that IP address 24
hours before you checked.

A bigger hint:  a *real* Sendmail 8.13.1 would have said:
     by my.hostname.here (8.13.1/8.13.1) with esmtp...

You have to do some pretty serious .cf hacking to get it to actually include
the text string 'sendmail' there (down in m4/cfhead.m4, around line 273:

define(`_REC_BY_', `$.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}')

Blech. (The sad part is I actually know off the top of my head where $v gets
set. ;)
