I've seen this a few times on my setup. The zombie is giving multiple recipients. Note the alphabetical closeness of your address and the second address.
Maybe it's a two-birds-with-one-stone scenario. Zombies send you spam and search for open relays. Maybe it's bad zombie-software design. Why send a message for multiple domains recipients to the first recipient's server?

adamc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Traylor
Sent: Wednesday, June 28, 2006 14:24
To: Questions and Answers for users of ASSP Anti-Spam SMTP Proxy
Subject: Re: [Assp-user] please educate me - relay attempt question

Anybody have thoughts on this? Is everybody seeing this kind of activity?

Thanks,
Doug

----- Original Message -----
From: "Doug Traylor" <[EMAIL PROTECTED]>
To: "assp user list" <[email protected]>
Sent: Thursday, June 22, 2006 10:13 PM
Subject: [Assp-user] please educate me

> My valid address replaced with <me>@<mydomain>.com in the following log
> snippet.
>
> Jun-22-06 21:58:03 Connected: 218.12.35.178:11120 -> 10.0.0.3 -> 10.0.3.2:26
> Jun-22-06 21:58:04 218.12.35.178 <[EMAIL PROTECTED]> adding new triplet: (218.12.35.0,[EMAIL PROTECTED],<me>@<mydomain>.com)
> Jun-22-06 21:58:04 218.12.35.178 <[EMAIL PROTECTED]> recipient delayed: <me>@<mydomain>.com
> Jun-22-06 21:58:04 218.12.35.178 <[EMAIL PROTECTED]> relay attempt blocked for: [EMAIL PROTECTED]
> Jun-22-06 21:58:04 PB: 218.12.35.178 score: 0+200 => 200 reason:218.12.35.178:RelayAttempt
> Jun-22-06 21:58:06 218.12.35.178 <[EMAIL PROTECTED]> is disconnected
>
> How is it that a single connection from an IP can result in an email to a
> known user, me, on my domain and an email to an address on another domain
> that is seen as a relay attempt by ASSP? I score relay attempts very high
> to extreme block future connections from that IP. This is an obvious spam
> mail and I was just curious how they are doing it if anybody knows. Is this
> a simple function of SMTP communications, or is ASSP doing something flakey
> here on a cc'd or bcc'd address? I can not recreate this type of block with
> testing so I assume ASSP is handling this correctly.
>
> Thanks,
>
> Doug Traylor

_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user
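Added example, not part of any message in this thread: SMTP lets a client issue several RCPT TO commands in one transaction and the server answers each one separately, so one connection can yield both a delayed local recipient and a blocked relay attempt. The Python sketch below correlates those two events per connection over constructed log lines in the format quoted above. Keying sessions by client IP and recognising only the two event types visible in the thread are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the thread; the IPs and
# addresses are documentation placeholders, not values from the original log.
SAMPLE_LOG = """\
Jun-22-06 21:58:03 Connected: 192.0.2.10:11120 -> 10.0.0.3 -> 10.0.3.2:26
Jun-22-06 21:58:04 192.0.2.10 <sender@example.net> recipient delayed: me@example.com
Jun-22-06 21:58:04 192.0.2.10 <sender@example.net> relay attempt blocked for: mf@example.org
Jun-22-06 21:58:04 PB: 192.0.2.10 score: 0+200 => 200 reason:192.0.2.10:RelayAttempt
Jun-22-06 21:58:06 192.0.2.10 <sender@example.net> is disconnected
Jun-22-06 22:01:10 Connected: 198.51.100.7:4021 -> 10.0.0.3 -> 10.0.3.2:26
Jun-22-06 22:01:11 198.51.100.7 <x@example.net> relay attempt blocked for: y@example.org
Jun-22-06 22:01:12 198.51.100.7 <x@example.net> is disconnected
"""

# Per-recipient events: a local recipient (greylist delay) or a foreign one.
EVENT = re.compile(
    r"^\S+ \S+ (?P<ip>\d+\.\d+\.\d+\.\d+) <(?P<sender>[^>]*)> "
    r"(?P<kind>recipient delayed|relay attempt blocked for): (?P<rcpt>\S+)$")
DISCONNECT = re.compile(
    r"^\S+ \S+ (?P<ip>\d+\.\d+\.\d+\.\d+) <[^>]*> is disconnected$")

def mixed_recipient_sessions(log_text):
    """Return sessions in which one connection named both a local
    recipient and a foreign (relay) recipient."""
    # Assumption: one open session per client IP; concurrent connections
    # from the same IP would be merged by this simple keying.
    open_sessions = defaultdict(lambda: {"local": [], "relay": []})
    findings = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if m:
            bucket = "local" if m["kind"] == "recipient delayed" else "relay"
            open_sessions[m["ip"]][bucket].append(m["rcpt"])
            continue
        m = DISCONNECT.match(line)
        if m:
            session = open_sessions.pop(m["ip"], None)
            if session and session["local"] and session["relay"]:
                findings.append({"ip": m["ip"], **session})
    return findings

if __name__ == "__main__":
    for f in mixed_recipient_sessions(SAMPLE_LOG):
        print(f"{f['ip']}: local={f['local']} relay={f['relay']}")
```

The second constructed session contains only a relay attempt, so it is not reported; only the connection that mixes a local and a foreign recipient is.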
