[Dshield] Fanmail from a flounder

Tomas L. Byrnes tomb at byrneit.net
Fri Apr 27 18:09:32 GMT 2007


Along the lines of such TGIF stuff, maybe we can get people to abide by
RFC3514

http://www.faqs.org/rfcs/rfc3514.html

:-)
 

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Sue Young
> Sent: Friday, April 27, 2007 9:57 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Fanmail from a flounder
> 
> I blocked helo=hacker1 and haven't seen anything else.  It 
> should cover a lot of these since the ones that came through 
> all were from different IPs.
> It's nice when they bother to say "helo, I'm a hacker."
> 
> Sue Young, CISSP
> 
> On 4/26/07, stu <stu at evans4.co.uk> wrote:
> >
> > I don't know if anyone else has tried or looked at this yet but I've
> > been blocking spam based on the Message-ID.
> >
> > I found that a number of spam messages would have common parts of the
> > message ID so I placed these into a filter and had the emails
> > forwarded to another account purely for spam. So far no legitimate
> > email has been sent there and it's trapped quite a few spam messages
> > :D
> >
> > Stu
> >
> > -----Original Message-----
> > From: list-bounces at lists.dshield.org
> > [mailto:list-bounces at lists.dshield.org] On Behalf Of Sue Young
> > Sent: 26 April 2007 18:24
> > To: General DShield Discussion List
> > Subject: [Dshield] Fanmail from a flounder
> >
> > The guy sitting next to me just got several one word spams and asked
> > me to block them.  Take a look at the header.
> >
> > I don't think I'd ever mistake this for legitimate mail.  hacker1 huh?
> > Real 1337.  I just wanted to share the stupidest thing I've seen all day
> > (so far).
> >
> > Sue Young, CISSP
> >
> > Microsoft Mail Internet Headers Version 2.0
> >
> > <info snipped>
> >
> > X-BigFish: vps12(z33fbkzzz109clzzz2dh38m)
> > X-EF: str=0001.0A090207.4630C8A4.000D,ss=3,fgs=4
> > X-Spam-TCS-SCL: 6:0
> > Received: by mail33-fra (MessageSwitch) id 1177602211879526_541;
> >     Thu, 26 Apr 2007 15:43:31 +0000 (UCT)
> > Received: from dsl-189-132-92-111.prod-infinitum.com.mx (unknown [189.132.92.111])
> >     by mail33-fra.bigfish.com (Postfix) with ESMTP id 1806B970077
> >     for <kanwar at gcmlp.com>; Thu, 26 Apr 2007 15:43:30 +0000 (UTC)
> > Received: from hacker1 ([132.131.35.163] helo=hacker1)
> >     by dsl-189-132-92-111.prod-infinitum.com.mx ( sendmail 8.13.3/8.13.1)
> >     with esmtpa id 1vxapu-000AUN-vw
> >     for kanwar at gcmlp.com; Thu, 26 Apr 2007 10:43:49 -0500
> > Message-ID: <000b01c78819$a2d50d60$6f5c84bd at hacker1>
> > From:    "Jakob Sutton" <Suttondflm at FORENSICPANEL.COM>
> > To: xxxx at xxxx.com
> > Subject: advent
> > Date:    Thu, 26 Apr 2007 10:43:29 -0500
> > Message-ID: <000b01c78819$a2d50d60$6f5c84bd at hacker1>
> > MIME-Version: 1.0
> > Content-Type: text/plain;
> >     charset="iso-8859-1"
> > Content-Transfer-Encoding: 7bit
> > X-Priority: 3 (Normal)
> > X-MSMail-Priority: Normal
> > X-Mailer: Microsoft Outlook, Build 10.0.6626
> > Importance: Normal
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
> > Return-Path: Suttondflm at FORENSICPANEL.COM
> > X-OriginalArrivalTime: 26 Apr 2007 15:43:33.0133 (UTC) FILETIME=[A53FCBD0:01C78819]
> > _________________________________________
> >
> > SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses taught
> > by our top rated instructors plus a huge vendor tools expo.
> > Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)
> >
> 
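
The two filters discussed in this thread (the HELO name and the right-hand side of the Message-ID), sketched in Python as an added example that is not code from any of the posters. The sample message is constructed with placeholder hosts and addresses, and the blocklist sets are assumptions beyond the single helo=hacker1 value named above.

```python
import re
from email import message_from_string

# Constructed sample message modelled on the headers quoted in the thread;
# hosts and addresses are documentation placeholders.
SAMPLE = """\
Received: from relay.example.net (unknown [192.0.2.10])
    by mx.example.org (Postfix) with ESMTP id ABC123
    for <user@example.org>; Thu, 26 Apr 2007 15:43:30 +0000 (UTC)
Received: from hacker1 ([198.51.100.7] helo=hacker1)
    by relay.example.net with esmtpa id 1abcde-000AUN-vw
    for user@example.org; Thu, 26 Apr 2007 10:43:49 -0500
Message-ID: <000b01c78819$a2d50d60$6f5c84bd@hacker1>
From: "Sender" <sender@example.com>
Subject: advent

advent
"""

# Assumed blocklists; the thread itself only names helo=hacker1.
BAD_HELO = {"hacker1"}
BAD_MSGID_RHS = {"hacker1"}

HELO_RE = re.compile(r"\bhelo=([^\s)\]]+)", re.I)      # explicit helo= token
FROM_RE = re.compile(r"^from\s+(\S+)", re.I)           # fallback: name after "from"
MSGID_RE = re.compile(r"<[^<>@\s]+@([^<>\s]+)>")       # part after the "@"

def helo_names(msg):
    """Yield the HELO name recorded in each Received header, newest first."""
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())                   # unfold continuation lines
        m = HELO_RE.search(flat) or FROM_RE.match(flat)
        if m:
            yield m.group(1).lower()

def verdict(raw):
    """Return the list of filter matches for one raw message (empty if clean)."""
    msg = message_from_string(raw)
    reasons = [f"helo={h}" for h in helo_names(msg) if h in BAD_HELO]
    for mid in msg.get_all("Message-ID", []):
        m = MSGID_RE.search(mid)
        if m and m.group(1).lower() in BAD_MSGID_RHS:
            reasons.append(f"message-id-rhs={m.group(1).lower()}")
    return reasons

if __name__ == "__main__":
    print(verdict(SAMPLE) or "no match")
```

Received lines below the one stamped by your own relay are supplied by the sending side, so a HELO match there is a useful signature but not proof of origin.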


