[Dshield] E-Mail Nuisance

Tony Earnshaw tonni at hetnet.nl
Wed Feb 7 00:23:33 GMT 2007


stcarey at juno.com wrote, on 06. feb 2007 21:40:

> Since we block executables this postcard.e stuff is just a nuisance, however, one of the systems we monitor shows the attempts for delivery and during a calm moment (not many of those), I started looking at the header information.  What I noticed is that every one of these E-Mails that have hit my site have the same user agent - Thunderbird 1.5.0.9 and a MIME-version of 1.0.  Seeing as I am getting about 1.0000+ a day, from about as many IP addresses, puts this in a different category (least to my thinking).  And that is a very sloppy attack against my network (sloppy in the fact that they are sending executables). Does anyone see the same user agent on the same type of E-Mails? Stan Carey

Yeah, red herring - just about all spam, viruses and similar shoot have a 
fictive User-Agent: value. Fictive are also many missives' initial 
Received: from, To: and, in our case, amavisd-new added X-Envelope-From: 
field values. Most similar shoot is sent using bot spammer software 
anyway. You might as well pick on MS mailer software User-Agent: values 
for stuff from spammers - fictive again.

More valuable is to look at the Received: from IP value that your MTA 
accepted, and possibly the one before that if that seems probable; look 
for patterns there, then refuse mail from those patterns' subnets.

Best,

--Tonni

-- 
Tony Earnshaw
Email: tonni at hetnet dot nl
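The approach Tonni describes above, walking the Received: headers to find the one stamped by your own MTA and tallying the connecting IPs by subnet, as an added example that is not part of this thread. It assumes an inbound MTA named mx1.example.net and uses constructed sample messages; the User-Agent: value and the lower Received: lines in them are sender-supplied and deliberately misleading, which is exactly why the code ignores them.

```python
"""Extract the client IP from the Received: header our own MTA added and
aggregate hits per /24, ignoring everything the sender wrote themselves."""
import ipaddress
import re
from collections import Counter
from email import message_from_string
from email.message import Message
from typing import Iterable, Optional

# Assumption: hostnames of the MTAs we operate. Only a Received: line
# stamped "by" one of these is trusted; lines below it were written by the
# sending host and can say anything.
TRUSTED_MTAS = {"mx1.example.net"}

# "from helo-name (rdns [192.0.2.10])" - the bracketed literal is the TCP peer.
PEER_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def connecting_ip(msg: Message) -> Optional[str]:
    """Return the IP that connected to our MTA, or None if no trusted hop."""
    # get_all() returns headers top-down, i.e. newest hop first.
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())  # unfold the header
        by = BY_HOST_RE.search(flat)
        if not by or by.group(1).lower() not in TRUSTED_MTAS:
            continue
        # Only look at the "from ..." part, before "by", for the peer address.
        from_part = re.split(r"\s+by\s+", flat, maxsplit=1, flags=re.IGNORECASE)[0]
        m = PEER_IP_RE.search(from_part)
        if m:
            return m.group(1)
    return None


def tally_subnets(raw_messages: Iterable[str], prefix: int = 24) -> Counter:
    """Count accepted connections per /prefix network across many messages."""
    counts: Counter = Counter()
    for raw in raw_messages:
        ip = connecting_ip(message_from_string(raw))
        if ip is None:
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        counts[str(net)] += 1
    return counts


def suspect_subnets(counts: Counter, threshold: int) -> list:
    """Networks that hit us at least `threshold` times; candidates for refusal."""
    return sorted(net for net, n in counts.items() if n >= threshold)


# Constructed sample messages (not real traffic). Each carries the same forged
# User-Agent: and a forged lower Received: line pointing at an innocent host.
SAMPLE_MESSAGES = [
    """Received: from bot1.example.org (unknown [192.0.2.10])
\tby mx1.example.net (Postfix) with ESMTP id 1A2B3C
\tfor <stan@example.net>; Tue, 6 Feb 2007 21:40:00 +0000
Received: from mail.innocent.example ([198.51.100.5])
\tby bot1.example.org with SMTP; Tue, 6 Feb 2007 21:39:00 +0000
From: "postcard" <greetings@innocent.example>
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
Subject: You've received a postcard

body
""",
    """Received: from bot2.example.org (unknown [192.0.2.77])
\tby mx1.example.net (Postfix) with ESMTP id 4D5E6F
\tfor <stan@example.net>; Tue, 6 Feb 2007 21:41:00 +0000
Received: from mail.innocent.example ([198.51.100.5])
\tby bot2.example.org with SMTP; Tue, 6 Feb 2007 21:40:30 +0000
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
Subject: You've received a postcard

body
""",
    """Received: from bot3.example.org (unknown [203.0.113.7])
\tby mx1.example.net (Postfix) with ESMTP id 7A8B9C
\tfor <stan@example.net>; Tue, 6 Feb 2007 21:42:00 +0000
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
Subject: You've received a postcard

body
""",
]

if __name__ == "__main__":
    hits = tally_subnets(SAMPLE_MESSAGES)
    for net, n in hits.most_common():
        print(f"{net:20} {n}")
    print("refuse:", suspect_subnets(hits, threshold=2))
```

In production the message list would be your MTA's accepted-mail log or quarantine rather than an in-memory list, and the threshold should be tuned against the legitimate volume from each network before anything is added to a reject map.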

