[Dshield] E-Mail Nuisance

Tony Earnshaw tonni at hetnet.nl
Wed Feb 7 07:12:38 GMT 2007

Jonathan C. Webster wrote, on 07. feb 2007 06:05:

>> Since we block executables this postcard.e stuff is just a nuisance, however, one of the systems
>> we monitor shows the attempts for delivery and during a calm moment (not many of those),
>> I started looking at the header information.  What I noticed is that every one of these
>> E-Mails that have hit my site have the same user agent - Thunderbird and a
>> MIME - version of 1.0.  Seeing as I am getting about 1.0000+ a day, from about as many IP
>> addresses, puts this in a different category (least to my thinking).  And that is a very sloppy
>> attack against my network (sloppy in the fact that they are sending executables). Does anyone see the
>> same user agent on the same type of E-Mails?
>> Stan Carey
> Yes, I see that too. I made a little collection of them.  The executables have several different MD5sums,
> but they all show
> $ grep User-Agent __card
> User-Agent: Thunderbird (Windows/20061207)
> User-Agent: Thunderbird (Windows/20061207)

Taking any notice of "User-Agent: Thunderbird etc" will sort out 
thousands of genuine (up to date) Thunderbird users who have nothing to 
do with spreading spam or viruses - useless.


Tony Earnshaw
Email: tonni at hetnet dot nl
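
An added example, not part of the original thread: a small Python check that scores a User-Agent-only rule against the executable-attachment rule on a labelled sample, to measure the false positives discussed above. The messages, addresses, file names, labels and function names are constructed for illustration; only the User-Agent string is taken from the thread.

```python
from email.message import EmailMessage

EXEC_EXT = (".exe", ".scr", ".pif", ".com")   # assumed block list of extensions
UA = "Thunderbird (Windows/20061207)"         # header value quoted in the thread

def make_msg(user_agent, attachment=None):
    """Build a constructed sample message (not real traffic)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.org"
    m["Subject"] = "sample"
    m["User-Agent"] = user_agent
    m.set_content("body")                     # also sets MIME-Version: 1.0
    if attachment:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m

def has_executable(msg):
    """True if any MIME part carries a file name with a blocked extension."""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXEC_EXT):
            return True
    return False

def ua_matches(msg):
    """True if the User-Agent header equals the string seen on the nuisance mail."""
    return (msg.get("User-Agent") or "").strip() == UA

def evaluate(corpus):
    """corpus: list of (message, is_unwanted). Returns rule -> (true_pos, false_pos)."""
    rules = {"user_agent_only": ua_matches, "executable_attachment": has_executable}
    result = {}
    for name, rule in rules.items():
        tp = sum(1 for m, bad in corpus if bad and rule(m))
        fp = sum(1 for m, bad in corpus if not bad and rule(m))
        result[name] = (tp, fp)
    return result

# Constructed corpus: two unwanted mails with executables, three legitimate mails.
SAMPLE = [
    (make_msg(UA, "sample.exe"), True),
    (make_msg(UA, "sample2.EXE"), True),
    (make_msg(UA), False),                    # genuine Thunderbird user, no attachment
    (make_msg(UA, "report.pdf"), False),      # genuine Thunderbird user, harmless file
    (make_msg("Mutt/1.5.13"), False),
]

if __name__ == "__main__":
    for rule, (tp, fp) in evaluate(SAMPLE).items():
        print(f"{rule}: true positives={tp} false positives={fp}")
```

Run against a labelled sample of your own mail, the false-positive column shows how many genuine Thunderbird users a header-only rule would catch.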
