On Fri, Feb 10, 2017 at 11:56:02AM -0600, Andrew Latham wrote:
> On a great many mailing lists, Suresh is spot on as this looks more like infected user but headers would be good.

Here are a couple recent specimens that appear to fit this pattern:

--------------------------------------------------------
Received: from route-level2.fsdata.se (route-level2.fsdata.se [89.221.252.217])
        by taos.firemountain.net (8.15.1/8.14.9) with ESMTPS id v190EnHs001330
        (version=TLSv1 cipher=AES128-SHA bits=128 verify=NO)
        for <rsk@gsp.org>; Wed, 8 Feb 2017 19:15:01 -0500 (EST)
From: <info@onlinemarket.se>
To: Jon Lewis <jlewis@lewis.org>, jamie rishaw <j@arpa.com>,
        Michael Thomas <mike@mtcc.com>, Rich Kulawiec <rsk@gsp.org>
Subject: =?utf-8?B?d2hhdCBhIG5pY2Ugc3VycHJpc2U=?=
Date: Wed, 8 Feb 2017 19:14:20 -0500
Message-ID: <1355759249.20170209031420@onlinemarket.se>
--------------------------------------------------------

--------------------------------------------------------
Received: from mcegress-14-lw-3.correio.biz (mcegress-14-lw-3.correio.biz [191.252.14.3])
        by taos.firemountain.net (8.15.1/8.14.9) with ESMTP id v0B5dsb7001374
        for <rsk@gsp.org>; Wed, 11 Jan 2017 00:40:06 -0500 (EST)
From: "Mikael Abrahamsson" <jdenoy@jdlabs.fr>
To: "John Curran" <jcurran@arin.net>, "Paul Graydon" <paul@paulgraydon.co.uk>,
        "Rich Kulawiec" <rsk@gsp.org>, "Seth Mattinen" <sethm@rollernet.us>
Subject: =?utf-8?B?ZmFudGFzdGljIHBsYWNl?=
Date: Wed, 11 Jan 2017 01:38:43 -0400
Message-ID: <1961406061.20170111083843@jdlabs.fr>
--------------------------------------------------------

---rsk