Greetings all,

Semi-operational content... Anyone recognize the following? Variable
data replaced with $varname$ for anonymity.

Return-path: <$forgedaddr$>
Received: from $crackedvictimfqhn$ ([$crackedvictimip$] helo=compuserve.com)
	by $destinationmx$ with smtp (Exim 3.03 #41)
	id 17DZf2-0004m5-00
	for $addr$; Fri, 31 May 2002 00:48:52 +0100
To: $name$ <$addr$>
From: $forgedaddr$
X-Mailer: OutLook Express 3.14159
Subject: Dear mr $name$
MIME-Version: 1.0
Content-type: text/plain
Content-Transfer-Encoding: 8bit
Message-Id: $validmessageid$
Date: Fri, 31 May 2002 00:48:52 +0100

Hello $name$ dear friends again!

Where the variables are:

$crackedvictimfqhn$ : machine that sent message
$crackedvictimip$   : ip of above
$destinationmx$     : the mx that received the spam
$forgedaddr$        : forged "mail from"
$name$              : these are sent mail-merge style
$validmessageid$    : receiving MX-generated msg id

The interesting things are X-Mailer, Subject, and the fact that these
messages originate from many different places.

I've only run nmap on a couple of $crackedvictimip$... one was Windows,
one was Solaris. Assuming the results were accurate, this smells like a
twist on Sadmind, or perhaps exploitation of compromised machines.

Anyone have any info?

--
Eddy
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@brics.com>
To: blacklist@brics.com
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots. Do NOT
send mail to <blacklist@brics.com>, or you are likely to be blocked.
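A small header-triage script for the pattern described in the post, added here as an example and not part of Eddy's message. It pulls the relay host, IP and HELO name out of the Exim-style Received: header and flags the three tells the post points at: a HELO name that does not belong to the relay's own host name, the fake "OutLook Express 3.14159" X-Mailer, and the mail-merge "Dear mr <name>" subject. The sample message is constructed: the post's $varname$ fields are filled with reserved documentation values (example.net, 192.0.2.10, "Jane Doe"), all of which are assumptions.

```python
"""Header triage for the spam pattern in the post above.

Added example, not part of the original message. The sample message is
constructed: the post's $varname$ placeholders are filled with reserved
documentation values (example.net, 192.0.2.10, Jane Doe), all assumptions.
"""
import re
from email import message_from_string

# Exim-style: "from <fqhn> ([<ip>] helo=<helo>) by <mx> with smtp ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<fqhn>\S+)\s+\(\[(?P<ip>[\d.]+)\]\s+helo=(?P<helo>\S+)\)"
    r"\s+by\s+(?P<mx>\S+)"
)

# Constructed sample (assumption: placeholder hosts, IP and recipient).
SAMPLE = """\
Return-path: <bounce@example.org>
Received: from dialup-17.example.net ([192.0.2.10] helo=compuserve.com)
\tby mx.example.com with smtp (Exim 3.03 #41)
\tid 17DZf2-0004m5-00
\tfor victim@example.com; Fri, 31 May 2002 00:48:52 +0100
To: Jane Doe <victim@example.com>
From: bounce@example.org
X-Mailer: OutLook Express 3.14159
Subject: Dear mr Jane Doe
MIME-Version: 1.0
Content-type: text/plain
Content-Transfer-Encoding: 8bit
Message-Id: <20020531004852.17DZf2@mx.example.com>
Date: Fri, 31 May 2002 00:48:52 +0100

Hello Jane Doe dear friends again!
"""

# Constructed control: the same skeleton with the three tells removed.
CLEAN_SAMPLE = (
    SAMPLE.replace("helo=compuserve.com", "helo=dialup-17.example.net")
    .replace("OutLook Express 3.14159", "Microsoft Outlook Express 6.00.2600.0000")
    .replace("Subject: Dear mr Jane Doe", "Subject: meeting notes")
)


def relay_of(raw: str) -> dict:
    """Sending host, its IP, its HELO name and the receiving MX from the
    first Received: header. Folded continuation lines are joined first."""
    value = message_from_string(raw)["Received"] or ""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        raise ValueError("unrecognised Received: header layout")
    return m.groupdict()


def registrable(host: str) -> str:
    """Last two labels of a host name; crude, but enough to compare a HELO
    name against the relay's own name here (a public-suffix list is the
    proper tool for production use)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(raw: str) -> list:
    """Indicators from the post that this message carries, in order."""
    msg = message_from_string(raw)
    hits = []

    relay = relay_of(raw)
    # The relay announces itself as compuserve.com while the name the MX
    # recorded for it is somewhere else entirely.
    if registrable(relay["helo"]) != registrable(relay["fqhn"]):
        hits.append("helo_mismatch")

    # The real client writes "Microsoft Outlook Express <version>";
    # "OutLook Express 3.14159" is a made-up string pretending to be it.
    xm = msg.get("X-Mailer", "")
    if "outlook express" in xm.lower() and not re.fullmatch(
        r"Microsoft Outlook Express [\d.]+", xm
    ):
        hits.append("bogus_x_mailer")

    # Mail-merge subject line from the post.
    if re.match(r"Dear mr\b", msg.get("Subject", "")):
        hits.append("mail_merge_subject")
    return hits


if __name__ == "__main__":
    r = relay_of(SAMPLE)
    print(f"relay {r['fqhn']} [{r['ip']}] helo={r['helo']} -> {r['mx']}")
    print("indicators:", triage(SAMPLE))        # three hits
    print("control:   ", triage(CLEAN_SAMPLE))  # none
```

The relay IP that relay_of() returns is the one worth feeding to a blocklist or a port scan; the HELO string and the forged From/Return-path are attacker-controlled and only useful as signatures. The HELO comparison is deliberately crude (last two labels), so treat a mismatch as a lead to confirm against DNS rather than as proof on its own.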