On Thursday, October 9, 2003, at 12:24 PM, Suresh Ramasubramanian wrote:
Nope - the guy would get more trojaned boxes, no shortage of unpatched windows machines on broadband.
There are two ways to go here -
* Nullroute or bogus out in your resolvers the DNS servers for this domain --> two problems here. One is that the spammer doesn't use vano-soft.biz in the smtp envelope, and second, he abuses open redirectors like yahoo's srd.yahoo.com
This may apply w/r/t something I've been seeing for the last couple of days. I've been seeing e-mails into our server with the following characteristics:

1) Sent to invalid user on our domain
2) Sent from varying origins; usually, groups of three arriving ~ every half hour
3) Origin IP on mostly home broadband networks in US
4) Frequently, purported sender's e-mail address non-US domain although originating from US domain, with the language of the e-mail text matching the purported sender's domain (lots of German spam...guess that's the current flavor).
5) Invalid user send-to addresses arriving in groups in alphabetical order (nice list processing)

It looks like the person(s) responsible are using a distributed network of trojaned PCs, varying send-to mail servers every 3 messages or so. This way, spam arrives at the purported sender's address as an undelivered mail bounce with our address in the SMTP envelope, in low enough volume (they hope) not to trigger filtering based on source IP. I wonder how long until legitimate mail servers start getting blackholed because of bounce messages?

David Keith
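The pattern David describes (small bursts of unknown-recipient attempts per source, sources rotating, recipients walking the list alphabetically, forged foreign sender domains) is easy to spot in MTA logs once the rejects are grouped per client. The script below is an added example written for this page, not code from any poster or from any MTA project: it parses Postfix-style "User unknown" reject lines, flags clients whose recipients arrive in alphabetical order, and checks whether the flagged clients together continue one sorted walk through the list. The log lines, hostnames, IPs (documentation ranges) and sender addresses are all constructed for the example; the log format is Postfix's but the regex is an assumption about one common rejection string, so adjust it for your MTA.

```python
import re
from collections import OrderedDict

# Constructed Postfix-style reject lines (not real logs). Two rotating
# clients each probe three unknown users in alphabetical order; a third
# client probes random names; one connect line is there to show that
# non-reject lines are ignored.
SAMPLE_LOG = """\
Oct  9 12:01:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.5]: 550 5.1.1 <aaron@example.org>: Recipient address rejected: User unknown; from=<hans@example.de> to=<aaron@example.org> proto=ESMTP helo=<pc-5>
Oct  9 12:01:04 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.5]: 550 5.1.1 <abby@example.org>: Recipient address rejected: User unknown; from=<hans@example.de> to=<abby@example.org> proto=ESMTP helo=<pc-5>
Oct  9 12:01:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.5]: 550 5.1.1 <adam@example.org>: Recipient address rejected: User unknown; from=<hans@example.de> to=<adam@example.org> proto=ESMTP helo=<pc-5>
Oct  9 12:05:00 mx postfix/smtpd[1250]: connect from mail.example.net[192.0.2.10]
Oct  9 12:31:10 mx postfix/smtpd[1300]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 550 5.1.1 <adrian@example.org>: Recipient address rejected: User unknown; from=<karl@example.de> to=<adrian@example.org> proto=ESMTP helo=<pc-77>
Oct  9 12:31:11 mx postfix/smtpd[1300]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 550 5.1.1 <alan@example.org>: Recipient address rejected: User unknown; from=<karl@example.de> to=<alan@example.org> proto=ESMTP helo=<pc-77>
Oct  9 12:31:12 mx postfix/smtpd[1300]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 550 5.1.1 <alex@example.org>: Recipient address rejected: User unknown; from=<karl@example.de> to=<alex@example.org> proto=ESMTP helo=<pc-77>
Oct  9 12:40:00 mx postfix/smtpd[1400]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <zoe@example.org>: Recipient address rejected: User unknown; from=<bob@example.com> to=<zoe@example.org> proto=ESMTP helo=<pc-9>
Oct  9 12:40:01 mx postfix/smtpd[1400]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <mike@example.org>: Recipient address rejected: User unknown; from=<bob@example.com> to=<mike@example.org> proto=ESMTP helo=<pc-9>
Oct  9 12:40:02 mx postfix/smtpd[1400]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <bob@example.org>: Recipient address rejected: User unknown; from=<bob@example.com> to=<bob@example.org> proto=ESMTP helo=<pc-9>
"""

# Assumed rejection string ("User unknown"); other MTAs and other Postfix
# configurations word it differently.
LINE_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 .*?User unknown; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>"
)


def parse_rejects(log_text):
    """Return [(client_ip, envelope_sender, recipient)] in log order."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("sender").lower(), m.group("rcpt").lower()))
    return out


def group_by_client(rejects):
    """Group rejects per client IP, preserving first-seen order."""
    groups = OrderedDict()
    for ip, sender, rcpt in rejects:
        groups.setdefault(ip, []).append((sender, rcpt))
    return groups


def is_alphabetical(recipients):
    """True if the local parts arrive in non-decreasing order (a list walk)."""
    local = [r.split("@")[0] for r in recipients]
    return len(local) >= 2 and local == sorted(local)


def analyze(log_text, burst_size=3):
    """Flag clients that walk the recipient list; detect one walk across clients."""
    rejects = parse_rejects(log_text)
    groups = group_by_client(rejects)
    flagged = []
    for ip, items in groups.items():
        rcpts = [r for _, r in items]
        if len(rcpts) >= burst_size and is_alphabetical(rcpts):
            flagged.append(ip)
    # The same list walked across rotating sources: concatenate the flagged
    # clients' recipients in arrival order and test the whole sequence.
    walk = [r for ip, _, r in rejects if ip in flagged]
    campaign = len(flagged) >= 2 and is_alphabetical(walk)
    sender_domains = sorted({s.split("@")[-1] for _, s, _ in rejects if "@" in s})
    return {
        "flagged_clients": flagged,
        "list_walk_across_clients": campaign,
        "forged_sender_domains": sender_domains,
        "total_rejects": len(rejects),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the two rotating clients are flagged and the cross-client check confirms a single alphabetical walk; the third client, with random recipients, is not. The flagged IPs are candidates for a short-lived rate limit or blocklist rather than a permanent one, since they are dynamic broadband addresses. The lines being parsed are also the mitigation for the bounce problem raised above: an MTA that rejects unknown recipients during the SMTP transaction (as in these 550 responses) never generates a bounce to the forged sender, whereas one that accepts the message and bounces it afterwards sends that bounce to the forged address and becomes the backscatter source.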