Forged From header in bounce-o-grams??!? :-(

David Wolfskill david at catwhisker.org
Sun Sep 18 06:36:16 PDT 2005


On Sat, Sep 17, 2005 at 01:44:04PM -0700, "Wolfgang S. Rupprecht"@wsrcc.com wrote:
> ...
> I see I'm not the only person annoyed by these losers.

"Misery loves company" would seem to be an apropos expression.  :-}
 
> What I do here is to check the body of any bounce message and I reject
> any bounce that doesn't have both an email-address and fullname in
> the header-from.  That has cut down on the blow-back bounce-spam quite
> a bit.  Luckily spammers haven't started forging the fullnames into
> the messages yet.

Well, the log extract I cited earlier was from sendmail, so it didn't
show the From header value (just the envelope-sender).  Here's a message
logged to messages from milter-regex; it shows the From header &
Subject; as you can see, the situation I'm dealing with doesn't quite
match the above criteria:

Sep 18 04:22:17 www milter-regex[2696]: [ID 702911 daemon.notice] 134.241.224.145: REJECT: Liar, From: "Bounced mail" <noreply at baylisa.org>, To: , Subject: 

> In my case I use postfix and I add this to body_checks. ...
> I'm sure milters can do something similar.

Right.  Though in the case of mail purportedly coming from baylisa.org
arriving at the MX for baylisa.org is ... well, adequately peculiar
for the present distress.

And on a vaguely-related note, since Sep 14 13:39:25, the Ironport box
at 63.251.108.100 has been poking at my home MX/firewall's 2525/tcp.
There were 289 such "pokes" from that time until Sep 15 04:20:31; I
haven't bothered counting since (though I see them in the logs).

I sent a note to admin at ironport.com; I suppose if I don't get a response
from someone by sometime on Tuesday or so, I'll need to escalate a bit &
see if some of my former colleagues who work there can shed any light.

Must be a rather dull-witted machine for the novelty to have not worn
off after the first few pokes, though I suppose a sufficiently devious
recipient of such attention might be able to try using the behavior to
try to gain information....  I don't think I have the necessary
combination of time & interest just now, though.  :-}  [Then again,
maybe a variant on what I have listening on 113/tcp might prove
amusing....]

Peace,
david
-- 
David H. Wolfskill				david at catwhisker.org
Prediction is difficult, especially if it involves the future. -- Niels Bohr

See http://www.catwhisker.org/~david/publickey.gpg for public key.

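As an added illustration (not code from this thread or from either poster), here is the bounce heuristic Wolfgang describes, written in Python rather than as a postfix body_checks rule, and run over two constructed bounce bodies: one quoting a bare-address From: and one quoting a From: shaped like the milter-regex log line above (the archive's " at " de-munged to "@" is an assumption). The second passes the fullname-and-address test, which is exactly the gap David points out.

```python
# Added example: accept a bounce only if the quoted original message's From:
# header carries both a display name and an address (Wolfgang's heuristic).
# Sample bounce bodies below are constructed; host names are placeholders.
import re
from typing import Optional
from email.utils import parseaddr

# First "From:" line in the bounce body, optionally '>'-quoted by the MTA.
FROM_LINE = re.compile(r"^(?:>\s*)?From:\s*(.+)$", re.IGNORECASE | re.MULTILINE)


def header_from_of_bounce(body: str) -> Optional[str]:
    """Return the raw value of the first quoted From: header, or None."""
    m = FROM_LINE.search(body)
    return m.group(1).strip() if m else None


def bounce_verdict(body: str) -> str:
    """'accept' if the quoted From: has a fullname AND an address, else 'reject'.

    Caveat: this is a heuristic. A legitimate bounce of a message whose
    original From: was a bare address is rejected too, so watch the reject
    log for false positives before relying on it.
    """
    raw = header_from_of_bounce(body)
    if raw is None:
        return "reject"          # no copy of the original headers at all
    name, addr = parseaddr(raw)
    return "accept" if (name and addr and "@" in addr) else "reject"


# Constructed bounce body: original From: is a bare address -> rejected.
BARE_BOUNCE = """This is the mail system at host mx.example.net.
Your message could not be delivered to one or more recipients.

------ This is a copy of the message, including all the headers. ------
Return-Path: <noreply@baylisa.org>
From: <noreply@baylisa.org>
To: someone@example.net
Subject: (none)
"""

# Constructed bounce body modelled on the log line: fullname present -> accepted.
NAMED_BOUNCE = BARE_BOUNCE.replace(
    "From: <noreply@baylisa.org>", 'From: "Bounced mail" <noreply@baylisa.org>'
)

if __name__ == "__main__":
    for label, body in (("bare", BARE_BOUNCE), ("named", NAMED_BOUNCE)):
        print(f"{label:5s} From: {header_from_of_bounce(body)!r} -> {bounce_verdict(body)}")
```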