At 4:08 PM -0700 9/21/05, Warren Michelsen imposed structure on a
stream of electrons, yielding:
This does not appear to be the behavior of a legitimate MTA:
20:28:56 1 SMTP-889([24.14.235.89]) SPAM? Recipient '<[EMAIL PROTECTED]>'
rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
20:28:56 1 SMTP-890([24.14.235.89]) SPAM? Host is blacklisted per
RBL sbl-xbl.spamhaus.org with result [127.0.0.4]
20:28:57 1 SMTP-890([24.14.235.89]) SPAM? Recipient '<[EMAIL PROTECTED]>'
rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
20:28:57 1 SMTP-891([24.14.235.89]) SPAM? Host is blacklisted per
RBL sbl-xbl.spamhaus.org with result [127.0.0.4]
20:28:57 1 SMTP-891([24.14.235.89]) SPAM? Recipient '<[EMAIL PROTECTED]>'
rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
20:28:57 1 SMTP-892([24.14.235.89]) SPAM? Host is blacklisted per
RBL sbl-xbl.spamhaus.org with result [127.0.0.4]
20:28:58 1 SMTP-892([24.14.235.89]) SPAM? Recipient '<[EMAIL PROTECTED]>'
rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
20:28:58 1 SMTP-893([24.14.235.89]) SPAM? Host is blacklisted per
RBL sbl-xbl.spamhaus.org with result [127.0.0.4]
20:28:58 1 SMTP-893([24.14.235.89]) SPAM? Recipient '<[EMAIL PROTECTED]>'
rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
20:28:58 1 SMTP-894([24.14.235.89]) SPAM? Host is blacklisted per
RBL sbl-xbl.spamhaus.org with result [127.0.0.4]
20:28:59 1 SMTP-894([24.14.235.89]) SPAM? Recipient '<[EMAIL PROTECTED]>'
rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
[EMAIL PROTECTED] replaces the actual recipient but the recipient is the
same in all instances. IOW, six simultaneous connections from the
same IP address to send to the same recipient. Looks like a spambot
to me.
Probably a good reason it's in sbl-xbl. Or could this be legit?
Some legitimate mail servers can behave that way. Notably (for
charitable definitions of 'legitimate') qmail has been known to.
24.14.235.89 is c-24-14-235-89.hsd1.il.comcast.net.
i.e. some residential cable modem without anyone who cares about its name.
Note that it got to the SBL-XBL by way of the XBL, which draws from
the CBL. This means that it has done things that look very much like
a compromised machine while sending mail to an address in the CBL
spamtrap, and that's an extremely reliable way to tell that a machine
is in fact compromised.
--
Bill Cole
[EMAIL PROTECTED]
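As an added illustration of the point made in this thread (example code, not from the original post), the following Python groups log lines in the quoted format by sending IP, counts the SMTP sessions it opened within a short window, and decodes the sbl-xbl return code so that a burst plus an XBL listing is flagged together; the sample log and the 192.0.2.10 sender are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the log quoted above: time, counter,
# "SMTP-<session>([ip])", then the MTA's message, one event per line here.
SAMPLE_LOG = """\
20:28:55 1 SMTP-888([192.0.2.10]) Message accepted from '<sender@example.net>'
20:28:56 1 SMTP-889([24.14.235.89]) SPAM? Recipient '<user@example.org>' rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
20:28:56 1 SMTP-890([24.14.235.89]) SPAM? Host is blacklisted per RBL sbl-xbl.spamhaus.org with result [127.0.0.4]
20:28:57 1 SMTP-891([24.14.235.89]) SPAM? Host is blacklisted per RBL sbl-xbl.spamhaus.org with result [127.0.0.4]
20:28:57 1 SMTP-892([24.14.235.89]) SPAM? Recipient '<user@example.org>' rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
20:28:58 1 SMTP-893([24.14.235.89]) SPAM? Host is blacklisted per RBL sbl-xbl.spamhaus.org with result [127.0.0.4]
20:28:59 1 SMTP-894([24.14.235.89]) SPAM? Recipient '<user@example.org>' rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
"""

# Return codes of the sbl-xbl zone as published by Spamhaus: 127.0.0.2 is an
# SBL listing, 127.0.0.4-127.0.0.7 are XBL listings (127.0.0.4 = CBL data).
RBL_CODES = {"127.0.0.2": "SBL", "127.0.0.4": "XBL (CBL data)",
             "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL"}
LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) \d+ SMTP-(?P<session>\d+)"
                     r"\(\[(?P<ip>[\d.]+)\]\) (?P<msg>.*)$")
RBL_RE = re.compile(r"per RBL \S+ with result \[(?P<code>[\d.]+)\]")

def parse_events(text):
    """Parse log lines into dicts with a datetime; non-matching lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev["time"], "%H:%M:%S")
        events.append(ev)
    return events

def summarize_sources(events, window=timedelta(seconds=5), min_sessions=4):
    """Per sending IP: distinct SMTP sessions opened within `window` of its
    first one, the DNSBL verdict the MTA logged, and a bot-like flag that
    requires both a connection burst and an XBL (compromised-host) listing."""
    by_ip = {}
    for ev in events:
        rec = by_ip.setdefault(ev["ip"], {"first": ev["time"], "sessions": set(), "rbl": None})
        if ev["time"] - rec["first"] <= window:
            rec["sessions"].add(ev["session"])
        hit = RBL_RE.search(ev["msg"])
        if hit:
            rec["rbl"] = RBL_CODES.get(hit["code"], "unknown " + hit["code"])
    return {ip: {"burst_sessions": len(r["sessions"]), "rbl": r["rbl"],
                 "bot_like": len(r["sessions"]) >= min_sessions
                             and str(r["rbl"]).startswith("XBL")}
            for ip, r in by_ip.items()}
```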