ietf-asrg

Re: [Asrg] Blacklisting email accounts?

2011-09-06 09:57:24
On 11-09-06 10:15 AM, John Levine wrote:

> Odd, my experience is quite different.  The address typically looks
> real and matches stuff in Received: lines.  Perhaps I'm fooled by
> unusually brilliant header forgery, but it doesn't look like it.  This
> stuff doesn't appear to be bots, it's sent using phished credentials.
> For the systems that log the connecting IP, it's often in Nigeria or
> China.

Right.  Sendsafe stuff.  I have tens of thousands of them.  Here's one:

Received: from 108-65-8-39.lightspeed.wlfrct.sbcglobal.net (HELO
mail.torreycrane.com) (108.65.8.39)
    by moi2 (qpsmtpd/0.80) with ESMTP; Tue, 06 Sep 2011 14:24:10 +0000
Received: from User ([70.88.143.134]) by mail.torreycrane.com with
Microsoft SMTPSVC(6.0.3790.3959);
         Tue, 6 Sep 2011 10:12:45 -0400
Reply-To: <mohammedjika(_at_)one(_dot_)co(_dot_)il>
From: "DR.MOHAMMED JIKA"<mohammedjika04(_at_)one(_dot_)co(_dot_)il>
Subject: PLEASE GET BACK TO ME URGENTLY
Date: Tue, 6 Sep 2011 10:12:36 -0400

The From: & Reply-To: are forged, unless you think that
mail.torreycrane.com is the MTA for one.co.il.

70.88.143.134 is infected with sendsafe, Advanced Mass Sender or some
other similar package.

Effectively what happens is that the bad guys accumulate
userid/password/server tuples, inject their infection somewhere, and
control it remotely.  The infection connects to the server, supplies
the userid/password (via AUTHSMTP or in some cases webmail), and injects
its spam with a forged From:.

One very common feature of these is no To: line.

This is running about 1-2% of all spam according to one trap.


_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
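The header analysis the post walks through (earliest Received: hop gives the injecting client and the MTA it authenticated to; the From: domain does not belong to that MTA; no To: header) can be turned into a small check. The script below is an added example, not code from the post or from the ASRG list. The sample messages are constructed for it: the first is modelled on the headers quoted above with the obfuscated addresses restored and a body added, the second is a made-up legitimate message used as a control. The "bare HELO" heuristic (the injecting client announcing itself as a non-FQDN name such as "User") is this example's own assumption and is not something the post claims.

```python
"""Flag messages injected through a compromised SMTP-AUTH account.

Added example, not code from the post. Heuristics: the From: domain
does not match the MTA that first accepted the message, the message
has no To: header, and the injecting client gave a bare (non-FQDN)
HELO name. The last check is this example's own assumption, not a
claim made in the post.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted in the post
# (obfuscated addresses restored, a body added). Not a real capture.
SPAM = """\
Received: from 108-65-8-39.lightspeed.wlfrct.sbcglobal.net (HELO mail.torreycrane.com) (108.65.8.39)
    by moi2 (qpsmtpd/0.80) with ESMTP; Tue, 06 Sep 2011 14:24:10 +0000
Received: from User ([70.88.143.134]) by mail.torreycrane.com with
 Microsoft SMTPSVC(6.0.3790.3959);
         Tue, 6 Sep 2011 10:12:45 -0400
Reply-To: <mohammedjika@one.co.il>
From: "DR.MOHAMMED JIKA"<mohammedjika04@one.co.il>
Subject: PLEASE GET BACK TO ME URGENTLY
Date: Tue, 6 Sep 2011 10:12:36 -0400

Dear friend, please get back to me urgently.
"""

# Constructed control message that should not trigger any finding.
LEGIT = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by moi2 (qpsmtpd/0.80) with ESMTP; Tue, 06 Sep 2011 14:30:00 +0000
Received: from alice-laptop.example.net ([192.0.2.55]) by mail.example.net
 with ESMTP; Tue, 6 Sep 2011 10:29:40 -0400
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: lunch?
Date: Tue, 6 Sep 2011 10:29:30 -0400

Noon at the usual place?
"""

IPV4 = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def parse_received(value):
    """Pull the HELO/rDNS name, client IP and receiving host out of one
    Received: header. Tolerant by design: Received lines are free-form."""
    text = " ".join(value.split())  # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)", text)
    m_by = re.search(r"\bby\s+([\w.-]+)", text)
    m_ip = IPV4.search(text)
    return {
        "helo": m_from.group(1) if m_from else "",
        "ip": m_ip.group(1) if m_ip else "",
        "by": m_by.group(1).lower() if m_by else "",
    }


def domain_of(header_value):
    """Domain part of the first address in a From:/Reply-To: header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyze(raw):
    """Return the injection hop plus a list of findings for one message."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # Received: headers are prepended, so the last one is the first hop:
    # the client that authenticated to (or was accepted by) the first MTA.
    origin = hops[-1] if hops else {"helo": "", "ip": "", "by": ""}
    from_domain = domain_of(msg["From"])
    mta = origin["by"]

    findings = []
    # The MTA that accepted the submission should be in the From: domain.
    if from_domain and not (mta == from_domain or mta.endswith("." + from_domain)):
        findings.append("from-domain-mismatch")
    # The post notes that these injections very commonly carry no To: line.
    if msg["To"] is None:
        findings.append("no-to-header")
    # Assumption of this example: a bare HELO such as "User" is suspicious.
    if origin["helo"] and "." not in origin["helo"]:
        findings.append("bare-helo")

    return {
        "origin_ip": origin["ip"],
        "origin_helo": origin["helo"],
        "submitting_mta": mta,
        "from_domain": from_domain,
        "reply_to_domain": domain_of(msg["Reply-To"]),
        "findings": findings,
    }


if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("LEGIT", LEGIT)):
        print(name, analyze(raw))
```

Run against the first sample it reports the injecting client 70.88.143.134, the MTA mail.torreycrane.com that accepted the authenticated submission, the unrelated From: domain one.co.il, and all three findings; the control message produces none. The domain comparison is deliberately loose (any host under the From: domain passes), so a site whose outbound MTA legitimately lives under another domain would need a whitelist before this is used as anything more than a triage signal.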