Kind of OT: Weird emails... Virus? Probe? ???
Brian Chabot
brian at datasquire.net
Wed Dec 17 11:16:07 EST 2003
Hey, all...
I just noticed something interesting in my spam filter and was curious
if anyone here might know what it's from.
I have several emails that seem to be missing rather important header
info... like subjects... and the *body*.
What is the same in all of them:
- A seemingly random common name for the username in the email address @mydomain.
- Message-ID seemingly from my domain.
- Seemingly forged Received header containing "from [" and IP address "] by 2004hosting.netIP with HTTP;"
I would normally just let the spam filter delete these but the number of
similar messages caught my eye.
Here's the *full* email of one of them:
==================
Return-Path: <zyiosonscci at yahoo.com.hk>
Received: from 66.92.91.82 ([218.147.25.242])
by datasquire.net (8.11.6/8.9.3) with SMTP id hBHBIxm05390
for <brian at datasquire.net>; Wed, 17 Dec 2003 06:19:00 -0500
Date: Wed, 17 Dec 2003 06:19:00 -0500
Message-Id: <200312171119.hBHBIxm05390 at datasquire.net>
Received: from [218.147.25.242] by 2004hosting.netIP with HTTP;
Wed, 17 Dec 2003 16:16:57 +0500
From: "Colin"@datasquire.net
===================
The return path on each one is different and the IP address they
originated from is also different... and even on different networks.
Do any of you have any clue what might be sending these out? It kind of
sounds like a probe for an open SMTP relay, but the common forged header
mistakes and lack of content lead me to believe there is some kind of
automation here that is common to each of these machines. A trojan perhaps?
Brian
More information about the gnhlug-discuss mailing list
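The pattern Brian describes (no Subject, no body, a HELO argument that is an IP address differing from the connecting IP, a sender-supplied "with HTTP" Received line sitting below the local MTA's Message-Id, and a From address at the receiving domain) can be turned into a small triage check for a spam quarantine. The following is an added example, not code from the original post or from any tool mentioned in it. It assumes the receiving domain is datasquire.net, restores "@" in the archive-obfuscated " at " addresses, and uses one constructed message approximating the one quoted above plus one constructed clean message for contrast; the indicator names are the editor's own. The "MTA-generated Message-Id" check rests on the observation that the quoted Message-Id carries the same queue id (hBHBIxm05390) as the local sendmail's Received line, which is how sendmail builds a Message-Id when the incoming message had none.

```python
"""Triage raw e-mails for the header pattern described in the post.

Added example, not part of the original post. Local domain, indicator
names and both sample messages are assumptions/constructions.
"""
import email
import re

LOCAL_DOMAIN = "datasquire.net"  # assumption: the receiving MTA's domain

# Constructed approximation of the quoted message ("@" restored).
SAMPLE = """\
Return-Path: <zyiosonscci@yahoo.com.hk>
Received: from 66.92.91.82 ([218.147.25.242])
\tby datasquire.net (8.11.6/8.9.3) with SMTP id hBHBIxm05390
\tfor <brian@datasquire.net>; Wed, 17 Dec 2003 06:19:00 -0500
Date: Wed, 17 Dec 2003 06:19:00 -0500
Message-Id: <200312171119.hBHBIxm05390@datasquire.net>
Received: from [218.147.25.242] by 2004hosting.netIP with HTTP;
\tWed, 17 Dec 2003 16:16:57 +0500
From: "Colin"@datasquire.net

"""

# Constructed ordinary message for contrast (example.org is a reserved name).
CLEAN = """\
Return-Path: <alice@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby datasquire.net (8.11.6/8.9.3) with ESMTP id hBHCAAm05400
\tfor <brian@datasquire.net>; Wed, 17 Dec 2003 07:10:00 -0500
Message-Id: <20031217121000.GA1234@example.org>
From: Alice <alice@example.org>
Subject: lunch?
Date: Wed, 17 Dec 2003 07:09:30 -0500

Noon works for me.
"""

IP_RE = r"\d{1,3}(?:\.\d{1,3}){3}"
# Matches the local MTA's own Received line: "from HELO ([ip]) by ... id QUEUEID"
TOP_RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>" + IP_RE + r")\]?\).*?\bid\s+(?P<qid>\w+)"
)


def normalize(value):
    """Unfold a header value and collapse whitespace."""
    return " ".join(str(value).split())


def domain_of(addr_value):
    """Crude domain extraction: text after the last '@', minus a closing '>'."""
    return normalize(addr_value).rstrip(">").rsplit("@", 1)[-1].lower()


def analyze(raw, local_domain=LOCAL_DOMAIN):
    """Return a dict of indicator -> bool for one raw message."""
    msg = email.message_from_string(raw)
    headers = [(name.lower(), normalize(value)) for name, value in msg.items()]
    findings = {}

    findings["no_subject"] = msg.get("Subject") is None
    findings["empty_body"] = not (msg.get_payload() or "").strip()

    # The first Received header is the one our own MTA prepended.
    received = [v for n, v in headers if n == "received"]
    queue_id = None
    findings["helo_ip_mismatch"] = False
    if received:
        m = TOP_RECEIVED_RE.match(received[0])
        if m:
            queue_id = m.group("qid")
            helo, ip = m.group("helo"), m.group("ip")
            # HELO given as a bare IP that is not the IP we actually saw.
            findings["helo_ip_mismatch"] = bool(re.fullmatch(IP_RE, helo)) and helo != ip

    # Anything below our Message-Id was supplied by the sender, so a
    # Received line there claiming "with HTTP" came from the sending host.
    names = [n for n, _ in headers]
    mid_index = names.index("message-id") if "message-id" in names else len(names)
    findings["sender_supplied_http_received"] = any(
        n == "received" and "with http" in v.lower()
        for i, (n, v) in enumerate(headers) if i > mid_index
    )

    # sendmail builds <time.queueid@host> when the message arrived without one.
    mid = normalize(msg.get("Message-Id", ""))
    findings["mta_generated_message_id"] = bool(queue_id) and queue_id in mid and local_domain in mid

    # From claims our domain while the envelope sender is elsewhere.
    findings["local_from_foreign_return_path"] = (
        domain_of(msg.get("From", "")) == local_domain
        and domain_of(msg.get("Return-Path", "")) != local_domain
    )
    return findings


def score(raw, local_domain=LOCAL_DOMAIN):
    """Number of indicators that fired; 0 for an ordinary message."""
    return sum(analyze(raw, local_domain).values())


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("clean", CLEAN)):
        print(label, score(raw), analyze(raw))
```

Run over a quarantine directory, a score of 5 or 6 picks out messages with this exact shape without matching ordinary mail that merely lacks a Subject; the Received-ordering check is the most useful single indicator, because a sender cannot place a header above the one the local MTA prepends.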