Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Spam from weird IP 118.189.136.119

  • From: Richard D G Cox
  • Date: Mon Jun 16 14:37:39 2003

On Mon, 16 Jun 2003 15:47 (UT), jlewis@lewis.org wrote:

| I've never heard of the NNFMP protocol

It's the latest spammer exploit the "Network Nonsense - Fools Most People"
exploit.  You've not been hit by that one yet, then?

On Mon, 16 Jun 2003 17:47 (UT), Wayne Tucker <wtucker@donobi.com> wrote:

| I have run into a considerable number of these that include headers
| suggesting that they were relayed through my server, but I have verified
| my logs, and the messages never even touched any of my machines.

But precisely which logs are you looking at?
The SMTP logs from your mail server or the machine's IP connection log?

| It seems that one of the new tricks is to throw some BS headers in there
| before relaying the message, just to throw a monkey wrench in the works.

That is one of the older tricks in the book.  The latest revision is to
throw some _matching_ headers in there so that it looks entirely genuine.

If you have a trojan executable on a server as well as an "authorised" mail
server then any mail sent by the trojan will NOT appear in the logs of the
SMTP server, but WILL appear on the next hop as coming from your server and
the only way to tell the difference is by examining the connecting port as
seen coming from your server by the machine at next hop.

-- 
Richard D G Cox





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.