[Dshield] E-Mail Nuisance

Tony Earnshaw tonni at hetnet.nl
Wed Feb 7 00:23:33 GMT 2007

stcarey at juno.com wrote, on 06. feb 2007 21:40:

> Since we block executables, this postcard.e stuff is just a nuisance; however, one of the systems we monitor shows the attempts for delivery, and during a calm moment (not many of those) I started looking at the header information.  What I noticed is that every one of these E-Mails that have hit my site has the same user agent - Thunderbird - and a MIME-Version of 1.0.  Seeing as I am getting about 1.0000+ a day, from about as many IP addresses, this puts it in a different category (at least to my thinking). And that is a very sloppy attack against my network (sloppy in the fact that they are sending executables). Does anyone see the same user agent on the same type of E-Mails? Stan Carey

Yeah, red herring - just about all spam, viruses and similar shoot have a 
fictive User-Agent: value. Fictive, too, are many missives' initial 
Received: from, To: and, in our case, the amavisd-new-added X-Envelope-From: 
field values. Most similar shoot is sent using bot spammer software 
anyway. You might as well pick on MS mailer software User-Agent: values 
for stuff from spammers - fictive again.

More valuable is to look at the Received: from IP value that your MTA 
accepted, and possibly the one before that if that seems probable, and 
look for patterns there, then refuse mail from those patterns' subnets.



Tony Earnshaw
Email: tonni at hetnet dot nl
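A worked version of the hop-by-hop check described in the reply above, as an 
added example that is not part of the original thread or of any list member's 
code. It takes the peer IP from the Received: line that our own MTA wrote 
(the topmost one, since each relay prepends its own), records the sender-
supplied hop below it separately because that one is unverifiable, tallies 
accepted peers per /24, and shows that the User-Agent: value is the same across 
unrelated sources. The hostnames mx.example.net and relay.example.org, the 
Postfix-style Received: lines and the four messages themselves are constructed 
for the example, not captured traffic.

```python
"""Received: header analysis: trust the hop our MTA recorded, not the rest."""
import ipaddress
import re
from collections import Counter
from email import message_from_string

OUR_MTA = "mx.example.net"  # hypothetical: the host whose Received: line we trust

# IPv4 literal in square brackets, the way MTAs write the connecting peer
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# "by <host>" clause naming the MTA that wrote the Received: line
_BY_RE = re.compile(r"\bby\s+([^\s;(]+)", re.I)


def received_hops(raw):
    """Return [(by_host, peer_ip), ...] per Received: header, newest first.

    Received: headers are prepended, so index 0 is the hop our server recorded
    and index 1 is the hop the sending relay *claims* came before it.
    """
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())  # unfold continuation lines
        by = _BY_RE.search(flat)
        ip = _IP_RE.search(flat)
        hops.append((by.group(1).lower() if by else None,
                     ip.group(1) if ip else None))
    return hops


def accepted_from(raw, our_mta=OUR_MTA):
    """IP of the peer our MTA actually accepted the message from.

    Only the line written by our_mta is trustworthy; everything below it was
    supplied by the sender and is as forgeable as User-Agent: or From:.
    """
    for by, ip in received_hops(raw):
        if by == our_mta:
            return ip
    return None


def previous_hop(raw, our_mta=OUR_MTA):
    """The unverified hop the sender claims preceded delivery to our MTA."""
    hops = received_hops(raw)
    for i, (by, _ip) in enumerate(hops):
        if by == our_mta and i + 1 < len(hops):
            return hops[i + 1][1]
    return None


def subnet_counts(messages, prefix=24):
    """Count accepted-from peers per /prefix: the 'pattern' worth blocking on."""
    counts = Counter()
    for raw in messages:
        ip = accepted_from(raw)
        if ip:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            counts[str(net)] += 1
    return counts


def candidate_blocks(messages, prefix=24, threshold=3):
    """Subnets seen at least `threshold` times: candidates for an MTA reject rule."""
    return sorted(net for net, n in subnet_counts(messages, prefix).items()
                  if n >= threshold)


def user_agents(messages):
    """Why User-Agent: is a red herring: identical across unrelated peers."""
    return Counter(message_from_string(raw).get("User-Agent") for raw in messages)


def _sample(peer_ip, claimed_ip, claimed_helo):
    # Constructed message. The first Received: is what our MTA wrote; the
    # second was supplied by the sender and cannot be verified.
    return (
        f"Received: from {claimed_helo} (unknown [{peer_ip}])\n"
        f"\tby {OUR_MTA} (Postfix) with ESMTP id 1234ABCD;\n"
        "\tTue,  6 Feb 2007 21:40:00 +0100 (CET)\n"
        f"Received: from localhost (localhost [{claimed_ip}])\n"
        f"\tby {claimed_helo} with SMTP;\n"
        "\tTue,  6 Feb 2007 21:39:58 +0100\n"
        "From: greetings@example.com\n"
        "To: stcarey@example.org\n"
        "Subject: You've received a postcard\n"
        "User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)\n"  # constructed value
        "MIME-Version: 1.0\n"
        "\n"
        "Your postcard is attached.\n"
    )


# Constructed corpus: three from one /24 (TEST-NET-3), one from elsewhere
SAMPLES = [
    _sample("203.0.113.10", "198.51.100.5", "relay.example.org"),
    _sample("203.0.113.77", "198.51.100.5", "relay.example.org"),
    _sample("203.0.113.120", "10.0.0.3", "mail.example.org"),
    _sample("192.0.2.44", "192.0.2.2", "mail.example.org"),
]

if __name__ == "__main__":
    print("user agents:", dict(user_agents(SAMPLES)))
    print("/24 histogram:", dict(subnet_counts(SAMPLES)))
    print("block candidates:", candidate_blocks(SAMPLES))
```

Run it over a spool of stored messages instead of SAMPLES and feed the 
candidate subnets into the MTA's client-restriction list; the threshold and 
prefix length are knobs, not recommendations, and the previous_hop() value is 
reported only for pattern-spotting, never as grounds for a block on its own.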

