[plug] Is this a spam attack?
Luke Dudney
dex at wn.com.au
Tue May 13 18:06:48 WST 2003
On 13/05/03 17:58, Bret Busby wrote:
>>It's very doubtful that the addresses are 'spoofed' in the classical
>>sense. It's practically impossible to spoof a TCP connection to a modern
>>Linux box as their TCP sequence numbers are near-impossible to predict.
>>What they may have been talking about is proxy hijacking, where the
>>connection is bounced off an unwilling 3rd-party, but it sounds more like
>>a fob-off to me.
>>
>>Cheers
>>Luke
>>
>
>Here is an example of what appears to include a spoofed email address.
>
>..........
>On Sun, 2 Mar 2003, Mail Delivery System wrote:
>
>
>>Date: Sun, 2 Mar 2003 08:55:29 +0800 (WST)
>>From: Mail Delivery System <MAILER-DAEMON at busby.net>
>>To: Postmaster <postmaster at busby.net>
>>Subject: Postfix SMTP server: errors from unknown[218.70.153.112]
>>
>>Transcript of session follows.
>>
>> Out: 220 ****.*** ESMTP Postfix
>> In: HELO fdsfdsf
>> Out: 250 *****.***
>> In: MAIL From: <ydfkcbi at msn.com>
>> Out: 250 Ok
>> In: RCPT To:<ameill at 19.com.cn>
>> Out: 554 <ameill at 19.com.cn>: Recipient address rejected: Relay access denied
>> In: RCPT To:<ameill at xinhuanet.com>
>> Out: 554 <ameill at xinhuanet.com>: Recipient address rejected: Relay access
>> denied
>> In: QUIT
>> Out: 221 Bye
>>
>>No message was collected successfully.
>>
>>
>>
>..........
>
>Now, Luke, are you seriously saying that someone at Microsoft is
>attempting security breaches across the Internet, to set up unauthorised
>relaying?
>
>Oh, and, email address spoofing is commonplace, especially with some
>viruses; recently, a virus spoofed people's email addresses as the
>sender of the viral messages.
>
>
Hi Bret
When you said "addresses" I originally assumed you meant host addresses,
as in the client _IP_ address. I did not consider that anyone would make
a complaint to the police about an _email_ address, because as you
rightly point out sender address spoofing is very commonplace. Reading
your message again, the context in which you've used "addresses" is
obviously a reference to email addresses and not IP addresses, which was
my mistake.
Yes, spoofed sender addresses are used by most email worms these days. I
run an email antivirus server and disabled sender address notification
on infected email messages a long time ago. I can't remember what the
first virus was that forged the sender address (Klez maybe?), but I can
remember being very surprised that it had taken that long for a major
outbreak to do so. I think it was about a year to 18 months ago.
Cheers
Luke
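
Added example (not part of the original message): a Python parser for a Postfix postmaster notice of the kind quoted above. It keeps the connecting IP the server observed separate from the HELO and MAIL From values the client only claimed, and flags a session in which every refused recipient is in a domain the server does not host. The sample notice, its IP address and domains, and the function names are constructed for illustration.

```python
import re

# Constructed sample in the shape of the Postfix postmaster notice quoted above
# (documentation IP and example domains; not data from the original post).
SAMPLE = """\
Subject: Postfix SMTP server: errors from unknown[203.0.113.7]

Transcript of session follows.

 Out: 220 mail.example.net ESMTP Postfix
 In:  HELO fdsfdsf
 Out: 250 mail.example.net
 In:  MAIL From: <sender@example.com>
 Out: 250 Ok
 In:  RCPT To:<a@example.org>
 Out: 554 <a@example.org>: Recipient address rejected: Relay access denied
 In:  RCPT To:<b@example.edu>
 Out: 554 <b@example.edu>: Recipient address rejected: Relay access
     denied
"""

def parse_notice(text):
    """Split a notice into the observed client IP and the claimed SMTP values."""
    m = re.search(r"errors from \S*\[([0-9a-fA-F.:]+)\]", text)
    client_ip = m.group(1) if m else None       # taken from the TCP connection
    turns = []                                  # [direction, text], wrapped lines re-joined
    for line in text.splitlines():
        t = re.match(r"\s*(In|Out):\s*(.*)", line)
        if t:
            turns.append([t.group(1), t.group(2).strip()])
        elif turns and line.startswith(" ") and line.strip():
            turns[-1][1] += " " + line.strip()  # continuation of a wrapped reply
    helo = mail_from = None                     # both are whatever the client typed
    denied = []
    for direction, body in turns:
        if direction == "In" and body.upper().startswith(("HELO", "EHLO")):
            helo = body.split(None, 1)[1] if " " in body else ""
        elif direction == "In" and body.upper().startswith("MAIL FROM:"):
            mail_from = body[10:].strip().strip("<>")
        elif direction == "Out" and body.startswith("554") and "Relay access denied" in body:
            denied.append(re.search(r"<([^>]*)>", body).group(1))
    return {"client_ip": client_ip, "helo": helo, "mail_from": mail_from, "relay_denied": denied}

def looks_like_relay_probe(info, local_domains):
    """True when every refused recipient is in a domain this server does not host."""
    foreign = [r for r in info["relay_denied"] if r.rsplit("@", 1)[-1].lower() not in local_domains]
    return bool(foreign) and len(foreign) == len(info["relay_denied"])
```
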