Massively broken ratware, safely rejectable with an MTA header rule detecting /^Message-ID: \<\d\[\d/
On 08.05.2015 17:46, Dianne Skoll wrote:
Hi,

We are seeing a trickle of weird empty messages. Here's a sample
Sendmail log:

May 8 11:33:31 colo3 sm-mta[1100]: t48FXPqL001100: from=<ragland_rosell...@cttstone.com>, size=18, class=0, nrcpts=1, msgid=<8[10, proto=SMTP, daemon=MTA, relay=50-242-22-73-static.hfc.comcastbusiness.net [50.242.22.73] (may be forged)

Note the size of 18 bytes. The entire message content consists of the
single header:

Message-ID: <8[10

and that's it!

So, buggy ratware? Someone trying to exploit a vulnerable SMTP server?
Bizarre...

On one of our scanners:

$ fgrep -c 'size=18,' /var/log/mail-daily/current.log
1993

(out of 459997 messages, so 0.4%)

and:

fgrep 'size=18,' /var/log/mail-daily/current.log | sed -e 's/.*msgid=//' -e 's/, .*//' | sort | uniq -c
    199 <0[10
    202 <1[10
    182 <2[10
    209 <3[10
    188 <4[10
    196 <5[10
    212 <6[10
    226 <7[10
    193 <8[10
    191 <9[10

Regards,

Dianne.
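
A log-side counterpart to the grep pipeline and the header rule in this thread, as an added example (not code from either poster): it flags Sendmail from= lines whose logged msgid has the malformed shape and tallies them per msgid and per relay IP. The sample log lines, hostnames and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Fields of a Sendmail "from=" log line that matter here.
LINE_RE = re.compile(
    r"size=(?P<size>\d+),.*?msgid=(?P<msgid>.*?), proto=.*?relay=(?P<relay>.*)$")
# The thread's header rule, applied to the logged msgid instead of the header.
BROKEN_MSGID_RE = re.compile(r"^<\d\[\d")
RELAY_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
May  8 11:33:31 mx1 sm-mta[1100]: t48FXPqL001100: from=<a@example.com>, size=18, class=0, nrcpts=1, msgid=<8[10, proto=SMTP, daemon=MTA, relay=host.example.net [192.0.2.73] (may be forged)
May  8 11:33:32 mx1 sm-mta[1105]: t48FXPqL001100: to=<user@example.net>, delay=00:00:01, mailer=esmtp, stat=Sent
May  8 11:34:02 mx1 sm-mta[1101]: t48FY1aB001101: from=<b@example.com>, size=18, class=0, nrcpts=1, msgid=<3[10, proto=SMTP, daemon=MTA, relay=[192.0.2.73]
May  8 11:35:10 mx1 sm-mta[1102]: t48FZ9cD001102: from=<c@example.org>, size=2048, class=0, nrcpts=1, msgid=<20150508153510.1234@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.5]
May  8 11:36:00 mx1 sm-mta[1103]: t48Fa0eF001103: from=<d@example.com>, size=18, class=0, nrcpts=1, msgid=<8[10, proto=SMTP, daemon=MTA, relay=other.example.net [203.0.113.9]
"""

def find_broken(lines):
    """Yield (size, msgid, relay_ip) for each line with the malformed msgid."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m or not BROKEN_MSGID_RE.match(m["msgid"]):
            continue  # "to=" lines, well-formed Message-IDs, unrelated entries
        ip = RELAY_IP_RE.search(m["relay"])
        # Fall back to the raw relay text if no bracketed address was logged.
        yield int(m["size"]), m["msgid"], ip.group(1) if ip else m["relay"].strip()

def summarize(lines):
    """Tally hits per msgid and per relay IP, and collect the sizes seen."""
    by_msgid, by_relay, sizes = Counter(), Counter(), set()
    for size, msgid, ip in find_broken(lines):
        by_msgid[msgid] += 1
        by_relay[ip] += 1
        sizes.add(size)
    return by_msgid, by_relay, sizes

if __name__ == "__main__":
    by_msgid, by_relay, sizes = summarize(SAMPLE_LOG.splitlines())
    for msgid, n in sorted(by_msgid.items()):
        print(f"{n:7d} {msgid}")
    for ip, n in by_relay.most_common():
        print(f"{n:7d} relay {ip}")
    print("sizes seen:", sorted(sizes))
```

Matching on the msgid shape rather than on size=18 alone keeps the tally tied to the header rule, and the per-relay count shows which sources a reject rule would affect.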