[Dshield] E-Mail Nuisance
tonni at hetnet.nl
Wed Feb 7 00:23:33 GMT 2007
stcarey at juno.com wrote, on 06. feb 2007 21:40:
> Since we block executables this postcard.e stuff is just a nuisance, however, one of the systems we monitor shows the attempts for delivery and during a calm moment (not many of those), I started looking at the header information. What I noticed is that every one of these E-Mails that have hit my site has the same user agent - Thunderbird 188.8.131.52 and a MIME-version of 1.0. Seeing as I am getting about 1.0000+ a day, from about as many IP addresses, puts this in a different category (at least to my thinking). And that is a very sloppy attack against my network (sloppy in the fact that they are sending executables). Does anyone see the same user agent on the same type of E-Mails? Stan Carey
Yeah, red herring - just about all spam, viruses and similar shoot have a
fictive User-Agent: value. Fictive are also many missives' initial
Received: from, To: and, in our case, the amavisd-new-added X-Envelope-From:
field values. Most similar shoot is sent using bot spammer software
anyway. You might as well pick on MS mailer software User-Agent: values
for stuff from spammers - fictive again.
More valuable is to look at the Received: from IP value that your MTA
accepted, and possibly the one before that if that seems probable, and
look for patterns there, then refuse mail from those patterns' subnets.
Email: tonni at hetnet dot nl
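To illustrate the approach in the reply above (trust only the Received: line your own MTA wrote, tally the connecting IPs by subnet, and note that User-Agent: carries no signal), here is an added Python example; it is not from the list post, and the hostnames, IPs and messages in it are constructed.

```python
import re
from collections import Counter
from email import message_from_string
from ipaddress import ip_network

# Hostnames of our own MTAs (assumed); only Received: lines they wrote are trusted.
MY_HOSTS = {"mx.example.org"}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # "[1.2.3.4]" in a from-clause

# Constructed sample messages: the User-Agent is identical everywhere, the inner
# Received: line was written by the sender (so it is untrusted), and only the
# topmost Received: line, added by our MTA, names the peer that actually connected.
def _sample(peer_ip, inner_ip):
    return (
        f"Received: from relay.example.net (relay.example.net [{peer_ip}])\n"
        "\tby mx.example.org (Postfix) with SMTP id 4F2A1;\n"
        "\tWed, 7 Feb 2007 00:10:00 +0000\n"
        f"Received: from pc.example.com (pc.example.com [{inner_ip}])\n"
        "\tby relay.example.net with ESMTP; Wed, 7 Feb 2007 00:09:00 +0000\n"
        "From: sender@example.net\nTo: stan@example.org\n"
        "User-Agent: Thunderbird\nMIME-Version: 1.0\nSubject: postcard\n\n"
        "Hello\n"
    )

SAMPLES = [_sample("192.0.2.10", "203.0.113.5"),
           _sample("192.0.2.77", "203.0.113.5"),
           _sample("198.51.100.4", "203.0.113.9")]

def accepting_hop_ip(raw, my_hosts=MY_HOSTS):
    """IP of the peer that connected to one of *our* MTAs.

    Received: headers are prepended, so the first one whose 'by' clause names
    our host is the hop we can vouch for; everything below it is hearsay."""
    for rcvd in message_from_string(raw).get_all("Received", []):
        flat = " ".join(rcvd.split())               # unfold continuation lines
        by = re.search(r"\bby\s+([^\s;]+)", flat)
        if by and by.group(1) in my_hosts:
            ip = IP_RE.search(flat)
            return ip.group(1) if ip else None
    return None

def subnet_counts(raw_messages, prefix=24, my_hosts=MY_HOSTS):
    """Tally accepted-hop IPs per /prefix so recurring subnets stand out."""
    counts = Counter()
    for raw in raw_messages:
        ip = accepting_hop_ip(raw, my_hosts)
        if ip:
            counts[str(ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return counts

def user_agents(raw_messages):
    """The forgeable header the original poster keyed on: one value, no signal."""
    return {message_from_string(raw).get("User-Agent") for raw in raw_messages}
```

Running `subnet_counts(SAMPLES)` groups the three constructed messages into two /24s, while `user_agents(SAMPLES)` collapses to a single value, which is the point of the reply.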