Kind of OT: Weird emails... Virus? Probe? ???

Brian Chabot brian at datasquire.net
Thu Dec 18 11:29:17 EST 2003


bmcculley at rcn.com wrote:

> Hmm, there may be an interesting potential counterstrike here,
> what would it take to automate recognition of such trash and
> generate notifications to the ISP owning the source address?

I'm not a coder, but I know there are plenty here.

That said...

Each and every one had a forged Received: header that contained the 
following:

Received: from [218.147.25.242] by 2004hosting.netIP with HTTP;

The IP in there is the originating IP of the message.  It shouldn't be 
too hard to grep for "2004hosting.netIP" and then filter out the IP 
between the brackets.

Googling that string, though, I find there is a mention of similar spam 
emails on news.admin.net-abuse.sightings:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=2004hosting.netIP&sa=N&tab=wg

Since 2004hosting.org (the domain mentioned in the spam emails) is a 
known spam haven, it is likely they are looking for open relays.  It 
looks like this web site is hawking cable filters and that "Banned CD".

It makes me wonder if this isn't the result of a worm as you mentioned.

I'd guess this is in preparation for another spamming barrage coming soon.

Brian
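The extraction step Brian sketches above (grep for "2004hosting.netIP", pull the bracketed IP out of that Received: line) as a worked example. This is added here and is not code from the list thread. The sample message is constructed for the example, modelled on the single header line quoted in the post; the sender, recipient, Message-ID and the first Received: line are invented. One caveat a practitioner would add: the bracketed address lives in a header the spammer wrote, so the script trusts it exactly as the post does; the only Received: line you can actually vouch for is the one your own MTA stamped on the message. Looking up which ISP owns the address (whois, abuse.net) needs the network and is left to the caller.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message (not a real capture). Only the second Received:
# line is modelled on the one quoted in the post; everything else is invented.
SAMPLE_MESSAGE = b"""\
Return-Path: <bounce@example.invalid>
Received: from mail.example.invalid (mail.example.invalid [192.0.2.10])
\tby mx.example.invalid with ESMTP id ABC123
\tfor <user@example.invalid>; Thu, 18 Dec 2003 10:11:12 -0500
Received: from [218.147.25.242] by 2004hosting.netIP with HTTP;
\tThu, 18 Dec 2003 10:10:00 -0500
From: "Someone" <someone@example.invalid>
To: user@example.invalid
Subject: test
Message-ID: <constructed-example@example.invalid>

Body text
"""

# The forged header always names the bogus host "2004hosting.netIP"; the
# dotted quad in square brackets right before "by" is the claimed origin.
FORGED_RECEIVED = re.compile(
    r"from\s+\[(?P<ip>[0-9]{1,3}(?:\.[0-9]{1,3}){3})\]\s+by\s+2004hosting\.netIP\b",
    re.IGNORECASE,
)


def extract_origin_ips(raw_message: bytes) -> list:
    """Return the originating IPs named in forged 2004hosting.netIP Received: headers.

    Only globally routable IPv4 addresses are returned, so no report is ever
    generated for RFC 1918 or other reserved space that a spammer might plant.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for header in msg.get_all("Received", []):
        # Folded headers may contain embedded newlines/tabs; flatten before matching.
        flat = " ".join(str(header).split())
        m = FORGED_RECEIVED.search(flat)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            # Something like 999.1.1.1 matched the regex but is not an address.
            continue
        if ip.is_global and str(ip) not in found:
            found.append(str(ip))
    return found


def build_abuse_report(ip: str, raw_message: bytes) -> str:
    """Assemble the text of an abuse notification for one originating IP.

    The full header block is included verbatim because an abuse desk needs the
    unaltered Received: chain; the body is omitted since it is not evidence.
    Finding the ISP's abuse contact for `ip` is left to the caller.
    """
    headers, _, _ = raw_message.partition(b"\n\n")
    return (
        f"Probable relay probe from {ip} (forged 'by 2004hosting.netIP' Received: header).\n"
        "Full headers follow:\n\n"
        + headers.decode("utf-8", errors="replace")
        + "\n"
    )


if __name__ == "__main__":
    for origin in extract_origin_ips(SAMPLE_MESSAGE):
        print(build_abuse_report(origin, SAMPLE_MESSAGE))
```

Feed it a whole mbox by splitting on "From " lines and calling extract_origin_ips on each message; the `is_global` filter is what keeps a planted 10.x.x.x or 192.168.x.x from turning into a bogus complaint.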





More information about the gnhlug-discuss mailing list