On the same topic we've been getting this flood of 1-byte long mail
msgs from apparently hijacked PCs which doesn't seem to have much of any
purpose. It's possible it's just a malfunctioning spambot zombie. It
looks like the attached example.
To save the obvious discussion:
1. It seems to be a dictionary attack, none of those addresses
actually exist.
2. The subject varies but generally has that same pattern of
some barely meaningful phrase, some spaces, and a seemingly
random string. This is common among spam and has been for years.
3. It comes from presumably infected broadband hosts.
4. So what distinguishes it mostly is the one-byte (empty)
message.
5. It's possible it's just probing for legit addresses but
the return address doesn't seem like it'll go anywhere so
who'll hear the bounce?
-b
Queue entry:
RAA29529 1 Thu Jul 10 17:13 <davison_jr(_at_)intel(_dot_)com>
<jsingh4(_at_)world(_dot_)std(_dot_)com>
<jsingh5(_at_)world(_dot_)std(_dot_)com>
<jsingh6(_at_)world(_dot_)std(_dot_)com>
<jsingh7(_at_)world(_dot_)std(_dot_)com>
<jsingh8(_at_)world(_dot_)std(_dot_)com>
<jsingh9(_at_)world(_dot_)std(_dot_)com>
<jsingh(_at_)world(_dot_)std(_dot_)com>
<jsiegel9(_at_)world(_dot_)std(_dot_)com>
<jsiegel(_at_)world(_dot_)std(_dot_)com>
<jsilva7(_at_)world(_dot_)std(_dot_)com>
(data file just is a newline)
queue file:
V2
T1057871635
K1057871748
N1
P644
I128/1063/176
MUser unknown
Fb
$rSMTP
$snytimes.com
$_bzq-218-16-158.cablep.bezeqint.net [81.218.16.158]
S<davison_jr(_at_)intel(_dot_)com>
C:<jsingh4(_at_)world(_dot_)std(_dot_)com>
RPFD:<jsingh4(_at_)world(_dot_)std(_dot_)com>
C:<jsingh5(_at_)world(_dot_)std(_dot_)com>
RPFD:<jsingh5(_at_)world(_dot_)std(_dot_)com>
C:<jsingh6(_at_)world(_dot_)std(_dot_)com>
RPFD:<jsingh6(_at_)world(_dot_)std(_dot_)com>
C:<jsingh7(_at_)world(_dot_)std(_dot_)com>
RPFD:<jsingh7(_at_)world(_dot_)std(_dot_)com>
C:<jsingh8(_at_)world(_dot_)std(_dot_)com>
RPFD:<jsingh8(_at_)world(_dot_)std(_dot_)com>
C:<jsingh9(_at_)world(_dot_)std(_dot_)com>
RPFD:<jsingh9(_at_)world(_dot_)std(_dot_)com>
H?P?Return-Path: <davison_jr(_at_)intel(_dot_)com>
HReceived: from nytimes.com (bzq-218-16-158.cablep.bezeqint.net [81.218.16.158])
by world.std.com (8.9.3/8.9.3) with SMTP id RAA29529;
Thu, 10 Jul 2003 17:13:55 -0400 (EDT)
HMessage-ID: <bd7a01c346de$c079263f$8244fc93(_at_)12b8bp3>
HFrom: "Jack Davison" <davison_jr(_at_)intel(_dot_)com>
HTo: jsingh4(_at_)world(_dot_)std(_dot_)com,
jsingh5(_at_)world(_dot_)std(_dot_)com, jsingh6(_at_)world(_dot_)std(_dot_)com,
jsingh7(_at_)world(_dot_)std(_dot_)com,
jsingh8(_at_)world(_dot_)std(_dot_)com, jsingh9(_at_)world(_dot_)std(_dot_)com,
jsingh(_at_)world(_dot_)std(_dot_)com,
jsiegel9(_at_)world(_dot_)std(_dot_)com, jsiegel(_at_)world(_dot_)std(_dot_)com,
jsilva7(_at_)world(_dot_)std(_dot_)com
HSubject: legal action will be taken n7kmj32oyzc8
HDate: Thu, 10 Jul 2003 12:27:05 +0000
HMIME-Version: 1.0
HX-Priority: 3
HX-MSMail-Priority: Normal
HX-Mailer: Microsoft Outlook Express 6.00.2800.1106
HX-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
HContent-Type: text/html
HContent-Transfer-Encoding: 8bit
.
--
-Barry Shein
Software Tool & Die | bzs(_at_)TheWorld(_dot_)com |
http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
The World | Public Access Internet | Since 1989 *oo*
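
An added triage example, not part of the original post: it reads a sendmail queue control file in the layout shown above and reports which of the listed traits it exhibits (empty body, recipients that differ only by trailing digits, HELO name unrelated to the connecting host). The function names, the threshold of three variants, and the sample names and address (example.* and 192.0.2.7) are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample in the qf layout shown in the post; the example.* names
# and 192.0.2.7 are placeholders, not data from the page.
SAMPLE_QF = """\
MUser unknown
$sbigpaper.example
$_host-7.cable.example.net [192.0.2.7]
S<someone@corp.example>
RPFD:<jdoe4@mail.example>
RPFD:<jdoe5@mail.example>
RPFD:<jdoe6@mail.example>
RPFD:<jdoe@mail.example>
RPFD:<jroe9@mail.example>
HSubject: legal action will be taken      q8x2k
"""
SAMPLE_BODY = b"\n"  # constructed df (data) file: a single newline


def parse_qf(text):
    """Extract the HELO name ($s), peer name ($_) and recipients (R lines)."""
    q = {"helo": "", "peer": "", "rcpts": []}
    for line in text.splitlines():
        addr = re.search(r"<([^>]*)>", line)
        if line.startswith("$s"):
            q["helo"] = line[2:].strip().lower()
        elif line.startswith("$_"):
            q["peer"] = line[2:].split("[")[0].strip().lower()
        elif line.startswith("R") and addr:
            q["rcpts"].append(addr.group(1).lower())
    return q


def indicators(q, body, min_variants=3):
    """Return which traits listed in the post this queue entry exhibits."""
    hits = set()
    if not body.strip():
        hits.add("empty-body")
    # Dictionary pattern: local parts that differ only by trailing digits.
    stems = Counter(re.sub(r"\d+$", "", r.split("@")[0]) for r in q["rcpts"])
    if stems and max(stems.values()) >= min_variants:
        hits.add("sequential-rcpts")
    # HELO name is neither the peer's resolved name nor a parent domain of it.
    helo, peer = q["helo"], q["peer"]
    if helo and peer and peer != helo and not peer.endswith("." + helo):
        hits.add("helo-mismatch")
    return hits
```

Calling `indicators(parse_qf(qf_text), df_bytes)` on a queue entry returns the set of matching trait names; an entry showing all three resembles the example in the post.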