[plug] Is this a spam attack?

Luke Dudney dex at wn.com.au
Tue May 13 18:06:48 WST 2003



On 13/05/03 17:58, Bret Busby wrote:

>>It's very doubtful that the addresses are 'spoofed' in the classical 
>>sense. It's practically impossible to spoof a TCP connection to a modern 
>>Linux box as their TCP sequence numbers are near-impossible to predict. 
>>What they may have been talking about is proxy hijacking, where the 
>>connection is bounced off an unwilling 3rd-party, but it sounds more like 
>>a fob-off to me.
>>
>>Cheers
>>Luke
>
>Here is an example of what appears to include a spoofed email address.
>
>..........
>On Sun, 2 Mar 2003, Mail Delivery System wrote:
>
>>Date: Sun,  2 Mar 2003 08:55:29 +0800 (WST)
>>From: Mail Delivery System <MAILER-DAEMON at busby.net>
>>To: Postmaster <postmaster at busby.net>
>>Subject: Postfix SMTP server: errors from unknown[218.70.153.112]
>>
>>Transcript of session follows.
>>
>> Out: 220 ****.*** ESMTP Postfix
>> In:  HELO fdsfdsf
>> Out: 250 *****.***
>> In:  MAIL From: <ydfkcbi at msn.com>
>> Out: 250 Ok
>> In:  RCPT To:<ameill at 19.com.cn>
>> Out: 554 <ameill at 19.com.cn>: Recipient address rejected: Relay access denied
>> In:  RCPT To:<ameill at xinhuanet.com>
>> Out: 554 <ameill at xinhuanet.com>: Recipient address rejected: Relay access
>>     denied
>> In:  QUIT
>> Out: 221 Bye
>>
>>No message was collected successfully.
>>
>..........
>
>Now, Luke, Are you seriously saying that someone at Microsoft is 
>attempting security breaches across the Internet, to set up unauthorised 
>relaying?
>
>Oh, and, email address spoofing is commonplace, especially with some 
>viruses; recently, a virus spoofed people's email addresses as the 
>sender of the viral messages.
>

Hi Bret
When you said "addresses" I originally assumed you meant host addresses, 
as in the client _IP_ address. I did not consider that anyone would make 
a complaint to the police about an _email_ address, because as you 
rightly point out sender address spoofing is very commonplace. Reading 
your message again, the context in which you've used "addresses" is 
obviously a reference to email addresses and not IP addresses, which was 
my mistake.

Yes, spoofed sender addresses are used by most email worms these days. I 
run an email antivirus server and disabled sender address notification 
on infected email messages a long time ago. I can't remember what the 
first virus was that forged the sender address (Klez maybe?), but I can 
remember being very surprised that it had taken that long for a major 
outbreak to do so. I think it was about a year to 18 months ago.

Cheers
Luke
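As an added example (not code from Luke or anyone on the list), here is a small parser for the kind of Postfix "errors from unknown[...]" bounce quoted above, with a check that separates what the server can actually trust from what the client merely asserts. The connecting IP is what the TCP handshake attests (Luke's point about sequence numbers); the HELO name and MAIL FROM are just bytes the client typed, which is why a forged msn.com sender says nothing about Microsoft. The sample transcript is constructed from the quoted session: `mail.example.org` is a placeholder for the masked server name, the archive's " at " is restored to "@", and `{"busby.net"}` is assumed to be the set of domains this server accepts mail for.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, modelled on the Postfix bounce quoted in the thread.
# "mail.example.org" is a placeholder for the masked hostname; the rest is as quoted.
SAMPLE_SUBJECT = "Postfix SMTP server: errors from unknown[218.70.153.112]"
SAMPLE_TRANSCRIPT = """\
Transcript of session follows.

 Out: 220 mail.example.org ESMTP Postfix
 In:  HELO fdsfdsf
 Out: 250 mail.example.org
 In:  MAIL From: <ydfkcbi@msn.com>
 Out: 250 Ok
 In:  RCPT To:<ameill@19.com.cn>
 Out: 554 <ameill@19.com.cn>: Recipient address rejected: Relay access denied
 In:  RCPT To:<ameill@xinhuanet.com>
 Out: 554 <ameill@xinhuanet.com>: Recipient address rejected: Relay access
     denied
 In:  QUIT
 Out: 221 Bye

No message was collected successfully.
"""

SUBJECT_RE = re.compile(r"errors from (\S+?)\[([0-9.]+)\]")
LINE_RE = re.compile(r"^\s*(In|Out):\s*(.*)$")
ADDR_RE = re.compile(r"<([^>]*)>")


@dataclass
class Session:
    client_host: str                     # reverse-DNS name Postfix logged ("unknown" if none)
    client_ip: str                       # peer address of the TCP connection (attested)
    helo: Optional[str] = None           # HELO/EHLO argument, client-asserted
    mail_from: Optional[str] = None      # envelope sender, client-asserted
    rcpt_attempts: List[Tuple[str, str]] = field(default_factory=list)  # (recipient, reply code)


def _unwrap(text: str) -> List[str]:
    """Rejoin reply lines that the bounce wrapped onto an indented continuation line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if LINE_RE.match(raw) or not raw[:1].isspace() or not lines:
            lines.append(raw)
        else:
            lines[-1] += " " + raw.strip()
    return lines


def parse_transcript(subject: str, transcript: str) -> Session:
    """Extract what the server saw: who connected, what they claimed, what they asked for."""
    m = SUBJECT_RE.search(subject)
    if m is None:
        raise ValueError("subject does not carry the client host/IP")
    sess = Session(client_host=m.group(1), client_ip=m.group(2))
    pending_rcpt: Optional[str] = None
    for line in _unwrap(transcript):
        lm = LINE_RE.match(line)
        if lm is None:
            continue                    # banner prose and blank lines
        direction, payload = lm.groups()
        if direction == "In":
            verb = payload[:4].upper()
            addr = ADDR_RE.search(payload)
            if verb in ("HELO", "EHLO"):
                sess.helo = payload[4:].strip()
            elif verb == "MAIL":
                sess.mail_from = addr.group(1) if addr else None
            elif verb == "RCPT":
                pending_rcpt = addr.group(1) if addr else ""
        elif pending_rcpt is not None:  # server reply to the last RCPT
            sess.rcpt_attempts.append((pending_rcpt, payload[:3]))
            pending_rcpt = None
    return sess


def relay_probe_verdict(sess: Session, local_domains: Set[str]) -> Dict[str, object]:
    """Summarise the session for a defender. Only client_ip is attested by the
    TCP handshake; HELO and MAIL FROM are whatever the client chose to send."""
    denied = [r for r, code in sess.rcpt_attempts if code == "554"]
    foreign = [r for r in denied
               if r.rsplit("@", 1)[-1].lower() not in local_domains]
    return {
        "client_ip": sess.client_ip,
        "claimed_sender": sess.mail_from,
        "helo_is_fqdn": "." in (sess.helo or ""),   # RFC 5321 expects an FQDN here
        "relay_attempts_denied": len(foreign),
        # Every recipient was off-site and every one was refused: a relay probe.
        "is_relay_probe": bool(foreign) and len(foreign) == len(sess.rcpt_attempts),
    }


if __name__ == "__main__":
    verdict = relay_probe_verdict(parse_transcript(SAMPLE_SUBJECT, SAMPLE_TRANSCRIPT), {"busby.net"})
    for key, value in verdict.items():
        print(f"{key:>22}: {value}")
```

Note that the verdict keys anything actionable (rate limiting, a blocklist entry, an abuse report) off `client_ip`, never off `claimed_sender`. That is the same reasoning behind Luke's decision to stop notifying "senders" of infected mail: with worms forging MAIL FROM, such notifications only land on an uninvolved third party.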





