I think you may be on to what's happening; it sounds like an
automated open relay probe.  One of the things I heard about
at a security conference a couple of years ago was automated
agents: they're like a virus or worm that doesn't propagate
wildly out of control but just scans and reports back to some
controlling agency when it finds vulnerabilities.  Think of
the classic SQL Slammer style "bring the net down" attacks as
the amateurs; the pros run more stealthy info warfare schemes
that coordinate vectors and results for more targeted attacks.
Or perhaps, like this, they have one vector that looks for
open relays, another will exploit the ones they select for
use, or maybe load balance their toxic transmissions across
the available servers, so a pro can just automate the
delivery channel creation and then concentrate on the business
end of things, whatever that may be.  That could be anything
from innocuous spam delivery to virus epidemic releases.

Hmm, there may be an interesting potential counterstrike here:
what would it take to automate recognition of such trash and
generate notifications to the ISP owning the source address?
I'm interested in ideas and discussion on this in depth;
anyone seriously interested is invited to email directly as
well as, or instead of, posting to the entire list.

THANKS!

-Bruce McCulley
freelance CISSP


---- Original message ----
>Date: Wed, 17 Dec 2003 11:16:07 -0500
>From: Brian Chabot <[EMAIL PROTECTED]>  
>Subject: Kind of OT: Weird emails... Virus?  Probe? ???
>To: Greater NH Linux User Group <[EMAIL PROTECTED]>
>
>Hey, all...
>
>I just noticed something interesting in my spam filter and was curious
>if anyone here might know what it's from.
>
>I have several emails that seem to be missing rather important header
>info... like subjects... and the *body*.
>
>What is the same is:
>
>A seemingly random common name for the username in the email address
>@mydomain.
>
>MessageID seemingly from my domain.
>
>Seemingly forged Received header containing "from [" and IP address "]
>by 2004hosting.netIP with HTTP;"
>
>I would normally just let the spam filter delete these but the number of
>similar messages caught my eye.
>
>Here's the *full* email of one of them:
>
>==================
>Return-Path: <[EMAIL PROTECTED]>
>Received: from 66.92.91.82 ([218.147.25.242])
>       by datasquire.net (8.11.6/8.9.3) with SMTP id hBHBIxm05390
>       for <[EMAIL PROTECTED]>; Wed, 17 Dec 2003 06:19:00 -0500
>Date: Wed, 17 Dec 2003 06:19:00 -0500
>Message-Id: <[EMAIL PROTECTED]>
>Received: from [218.147.25.242] by 2004hosting.netIP with HTTP;
>       Wed, 17 Dec 2003 16:16:57 +0500
>From: "Colin"@datasquire.net
>===================
>
>The return path on each one is different and the IP address they
>originated from is also different... and even on different networks.
>
>Do any of you have any clue what might be sending these out?  It kind of
>sounds like a probe for an open SMTP relay, but the common forged header
>mistakes and lack of content lead me to believe there is some kind of
>automation here that is common to each of these machines.  A trojan perhaps?
>
>Brian
>
>_______________________________________________
>gnhlug-discuss mailing list
>[EMAIL PROTECTED]
>http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
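Bruce's question above (automating recognition of these messages and generating a notification to the owner of the source address) can be sketched against the one sample Brian posted. The following is an added example and is not code from either poster or from the list. It parses the headers, scores the indicators Brian lists (no Subject, no body, a hop claiming "by 2004hosting.netIP with HTTP", a Message-Id and From address that claim the receiving domain), and takes the address to report from the Received header that datasquire.net itself wrote, not from the forged hop and not from the HELO name. The Return-Path, recipient and Message-Id values in the sample are constructed placeholders (the archive masked them); the local domain and MTA name are parameters. Mapping the address to the network owner's abuse contact (whois/RDAP) is not included.

```python
import email
import re

# Sample: the headers Brian posted, with a blank line and empty body added
# so it parses as a whole message.  The archive masked the addresses, so
# the Return-Path, "for" recipient and Message-Id values below are
# constructed placeholders shaped the way he describes them.
SAMPLE = """\
Return-Path: <colin@datasquire.net>
Received: from 66.92.91.82 ([218.147.25.242])
       by datasquire.net (8.11.6/8.9.3) with SMTP id hBHBIxm05390
       for <brian@datasquire.net>; Wed, 17 Dec 2003 06:19:00 -0500
Date: Wed, 17 Dec 2003 06:19:00 -0500
Message-Id: <20031217111900.hBHBIxm05390@datasquire.net>
Received: from [218.147.25.242] by 2004hosting.netIP with HTTP;
       Wed, 17 Dec 2003 16:16:57 +0500
From: "Colin"@datasquire.net

"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def unfold(value):
    """Join a folded header's continuation lines into one line."""
    return " ".join(str(value).split())


def parse_hop(received):
    """Pull HELO name, bracketed connection IP, 'by' host and date out of
    one Received header.  Fields that are absent come back empty."""
    helo = re.match(r"from\s+(\S+)", received)
    ip = re.search(r"\[(" + IPV4 + r")\]", received)
    by = re.search(r"\bby\s+(\S+)", received)
    date = received.rsplit(";", 1)[1].strip() if ";" in received else ""
    return {
        "raw": received,
        "helo": helo.group(1) if helo else "",
        "ip": ip.group(1) if ip else "",
        "by": by.group(1) if by else "",
        "date": date,
    }


def analyze(raw, local_domain, local_mta):
    """Score the message against the pattern from the thread and, if it
    matches, draft a report naming the address that actually connected."""
    msg = email.message_from_string(raw)
    hops = [parse_hop(unfold(h)) for h in msg.get_all("Received", [])]

    # Only the top-most Received header was written by our own MTA.  Every
    # hop below it arrived inside the SMTP DATA and can say anything.
    if not hops or hops[0]["by"].lower() != local_mta.lower():
        raise ValueError("top Received header was not added by " + local_mta)
    ours, claimed = hops[0], hops[1:]

    hits = []
    if not msg.get("Subject"):
        hits.append("no Subject header")
    if not msg.is_multipart() and not msg.get_payload().strip():
        hits.append("empty body")
    for hop in claimed:
        if hop["by"] == "2004hosting.netIP":
            hits.append("Received hop 'by 2004hosting.netIP' seen across the batch")
        # A genuine webmail hop names the browser's address; here the
        # "webmail" hop names the very host that connected to us.
        if "with HTTP" in hop["raw"] and hop["ip"] == ours["ip"]:
            hits.append("'with HTTP' hop names the host that connected to us")
    mid = re.search(r"@([\w.-]+)>?\s*$", unfold(msg.get("Message-Id", "")))
    if mid and mid.group(1).lower() == local_domain.lower():
        hits.append("Message-Id claims our own domain")
    frm = re.fullmatch(r'"?([A-Za-z]+)"?@([\w.-]+)', unfold(msg.get("From", "")))
    if frm and frm.group(2).lower() == local_domain.lower():
        hits.append("From is a bare first name at our own domain")

    suspect = len(hits) >= 3
    report = None
    if suspect:
        # Report the address our MTA saw connect, not the HELO string (the
        # client chose that) and not the address in the forged hop.  Mapping
        # ours["ip"] to an abuse mailbox needs a whois/RDAP lookup (not done here).
        report = (
            "Unsolicited relay probe received by %s from %s (HELO %s) at %s.\n"
            "Indicators: %s.\nMessage-Id: %s\n"
            % (local_mta, ours["ip"], ours["helo"], ours["date"],
               "; ".join(hits), unfold(msg.get("Message-Id", "")))
        )
    return {
        "source_ip": ours["ip"],
        "helo": ours["helo"],
        "date": ours["date"],
        "indicators": hits,
        "suspect": suspect,
        "report": report,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE, "datasquire.net", "datasquire.net")
    print(result["report"] if result["suspect"] else "no match")
```

The threshold of three indicators is a judgement call for this batch; the two checks worth keeping in any version are that the reported address comes only from the hop the local MTA wrote, and that a "with HTTP" hop naming the connecting host is treated as forged rather than as evidence of a webmail origin.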