I wrote
I found a domain I run the mailer for, one that has never had a host
named "mail". I created a "mail" name for one of the hosts and set
up a simple log-everything SMTP daemon on it. We'll see what
happens.
Fascinating. It's already gathered eight messages. (Of course, I
don't know whether they arrived because it's named "mail" or because
the sender simply poked around looking for open SMTP ports - I think
I'll set up the same program on a third machine....)
All of them appear to be malware infection attempts; they bear
application/octet-stream portions and use MIME boundary strings of a
very stereotyped pattern:
boundary="----=_NextPart_000_0004_31ED834D.12855CEA"
boundary="----=_NextPart_000_0005_770651AE.3F9BA93E"
boundary="----=_NextPart_000_0011_7A649EC3.62B66C6C"
boundary="----=_NextPart_000_0008_08462B50.63CB8E4A"
boundary="----=_NextPart_000_0009_265953B0.C3E25E5E"
boundary="----=_NextPart_000_0007_238C62AF.E231B9BF"
boundary="----=_NextPart_000_0012_D1E7736C.AE765B18"
boundary="----=_NextPart_000_0011_4EEF7698.3C9C812C"
They also were sent to easily guessable local-parts @ the domain in
question (ray@, bob@, mary@, robert@, jane@, smith@, jim@, and david@)
and most of them were sent from admin-looking local-parts forged @ the
same domain (admin@, administrator@, register@, support@, and
webmaster@).
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML
mouse(_at_)rodents(_dot_)montreal(_dot_)qc(_dot_)ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
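As an added example (not the poster's logging daemon, which is not shown), here is a Python checker that scores one raw message against the four observations in the post: the stereotyped NextPart boundary, an application/octet-stream part, an admin-looking sender forged at the recipient's own domain, and a guessable recipient local-part. The function name, the sample addresses and the sample message are constructed for this illustration; the boundary string in the sample is one of those quoted in the post.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Boundary shape quoted in the post: ----=_NextPart_000_<4 hex>_<8 hex>.<8 hex>.
# The "----=_NextPart_000_" prefix by itself also appears in legitimate Outlook
# Express mail, so it is scored together with the other signals, not on its own.
BOUNDARY_RE = re.compile(r"^----=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}$", re.I)
ADMIN_LOCALPARTS = {"admin", "administrator", "register", "support", "webmaster"}
GUESSABLE_LOCALPARTS = {"ray", "bob", "mary", "robert", "jane", "smith", "jim", "david"}


def _localpart_and_domain(header_value):
    """Return (local-part, domain) of the first address in a header, lower-cased."""
    _, addr = parseaddr(str(header_value))
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()


def score_message(raw):
    """Apply the four heuristics from the post to one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_local, sender_domain = _localpart_and_domain(msg.get("From", ""))
    rcpt_local, rcpt_domain = _localpart_and_domain(msg.get("To", ""))
    hits = {
        "stereotyped_boundary": bool(BOUNDARY_RE.match(msg.get_boundary() or "")),
        "octet_stream_part": any(p.get_content_type() == "application/octet-stream"
                                 for p in msg.walk()),
        # sender claims an admin-looking name at the recipient's own domain
        "forged_admin_sender": bool(sender_domain and sender_domain == rcpt_domain
                                    and sender_local in ADMIN_LOCALPARTS),
        "guessable_recipient": rcpt_local in GUESSABLE_LOCALPARTS,
    }
    hits["score"] = sum(1 for v in hits.values() if v)
    return hits


# Constructed sample (hypothetical addresses); the boundary is one quoted in the post.
SAMPLE = b"""From: webmaster@example.net
To: bob@example.net
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0004_31ED834D.12855CEA"

------=_NextPart_000_0004_31ED834D.12855CEA
Content-Type: text/plain; charset="us-ascii"

see attachment
------=_NextPart_000_0004_31ED834D.12855CEA
Content-Type: application/octet-stream; name="file.dat"
Content-Transfer-Encoding: base64

AAAA
------=_NextPart_000_0004_31ED834D.12855CEA--
"""

if __name__ == "__main__":
    print(score_message(SAMPLE))  # all four signals fire, score 4
```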