[Dshield] PDF Spam Wave

Abuse abuse at what4now.com
Fri Aug 3 23:40:38 GMT 2007


** Reply to message from jayjwa <jayjwa at atr2.ath.cx> on Fri, 3 Aug 2007
18:20:22 -0400

I have been lucky and have not had any forge my domain in spam yet.


> On Aug. 1st about midnight, a massive influx of mail started such that I never 
> saw. Mailservers from all over, places I never heard of, started trying to 
> deliver...something. These connections were about 2-3 per second, then after 
> about 6-7 hours slowed to 2-3 per minute. They all had "bounces" for a host on 
> the intranet. Only thing was, no one there ever sent any mail!

From what I have seen it is standard procedure for spammers to forge the
"From:".  Some use one "From:" for their entire spam run; others use a different
"From:" for each spam sent.

Too many mail admins think it is OK to receive an email and later bounce it, but
this demonstrates very clearly why it is bad to accept an email and later try
to send a bounce message.  The spam should be rejected during the SMTP
transaction with a 5xx code; that way innocent bystanders will not receive any
of the bounce messages.


> Right off there are several things wrong here. There's no "guida" user, and 
> the Sendmail version is totally wrong, the real one is 8.14.1. It's a fake, 
> and a bad one at that. The server trying to kick this "back" to me tells more, 
> supposedly 122.5.66.168, I'd imagine 
> 168.66.5.122.broad.zb.sd.dynamic.163data.com.cn submitted this to them.

Probably a compromised computer.


> So, we 
> have a spammer, spoofing as my host, and sending to an account that doesn't 
> exist, which makes it rebound back and again hit me, because I was the supposed 
> "send" (only I obviously never sent it):

Normal spammer procedure.  If the original destination bounces it, have it sent
to someone else, hoping the spam will get delivered to anyone's inbox.
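As an added illustration of the accept-then-bounce versus reject-at-RCPT point made above (example code, not from the list post or from any MTA): a toy model of one SMTP envelope that shows which policy ends up mailing a bounce to the forged sender. The local user table and the forged sender address are constructed; "guida" is the nonexistent user from the quoted report.

```python
# Added example: toy model of two recipient-handling policies.
# Not code from the list post; LOCAL_USERS and the addresses are constructed.
from dataclasses import dataclass, field

LOCAL_USERS = {"postmaster", "alice"}  # constructed local user table


@dataclass
class Outcome:
    responses: list = field(default_factory=list)    # SMTP replies to the client
    backscatter: list = field(default_factory=list)  # DSNs we generated, and to whom


def smtp_transaction(mail_from: str, rcpt_to: str, reject_at_rcpt: bool) -> Outcome:
    """Simulate one envelope for a message addressed to our local domain.

    mail_from: the envelope sender the client claims (forged in the spam case);
               "" stands for the null reverse-path MAIL FROM:<>.
    rcpt_to:   local part of the recipient.
    reject_at_rcpt: True = refuse unknown users in-session with a 5xx reply;
                    False = accept everything and bounce later (backscatter).
    """
    out = Outcome()
    out.responses.append(f"250 2.1.0 <{mail_from}> sender ok")
    if rcpt_to in LOCAL_USERS:
        out.responses.append(f"250 2.1.5 <{rcpt_to}> recipient ok")
        return out
    if reject_at_rcpt:
        # The remote MTA learns in-session that the user is unknown. Telling its
        # own sender is its job; we generate no mail, so a forged sender sees nothing.
        out.responses.append(f"550 5.1.1 <{rcpt_to}>: user unknown")
        return out
    # Accept-then-bounce: we say OK, queue it, fail delivery later, and mail a
    # DSN to whoever was in MAIL FROM, which the spammer chose.
    out.responses.append(f"250 2.1.5 <{rcpt_to}> recipient ok")
    if mail_from != "":  # a DSN is never sent to the null sender
        out.backscatter.append(mail_from)
    return out


def backscatter_count(mail_from: str, rcpts: list, reject_at_rcpt: bool) -> int:
    """Bounces the forged sender would receive for one spam run against rcpts."""
    return sum(len(smtp_transaction(mail_from, r, reject_at_rcpt).backscatter)
               for r in rcpts)
```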

