Forged From header in bounce-o-grams??!? :-(

"Wolfgang S. Rupprecht" at wsrcc.com "Wolfgang S. Rupprecht" at wsrcc.com
Sun Sep 18 11:22:30 PDT 2005


david at catwhisker.org (David Wolfskill) writes:
> From: "Bounced mail" <noreply at baylisa.org>
>
> Right.  Though in the case of mail purportedly coming from baylisa.org
> arriving at the MX for baylisa.org is ... well, adequately peculiar
> for the present distress.

I wouldn't let that unusual header-from dissuade you from targeting it
with a regexp, e.g.:

     /^From: "Bounced mail" <[^@]+ at baylisa.org>$/
             REJECT  Nobody here by the name 'bounced mail'.
                     Please fix your mailer.

> Must be a rather dull-witted machine for the novelty to have not worn
> off after the first few pokes, though I suppose a sufficiently devious
> recipient of such attention might be able to try using the behavior to
> try to gain information....  I don't think I have the necessary
> combination of time & interest just now, though.  :-}  [Then again,
> maybe a variant on what I have listening on 113/tcp might prove
> amusing....]

Back before the openbsd folks stopped including ethereal due to the
abundance of buffer-overrun bugs I used to packet-log all port 25
traffic with 'tcpdump -w' and spot-check the log with ethereal to make
sure that things were working as expected.  The "follow tcp stream"
command of ethereal is a very useful feature.  One thing that became
very clear is that some malware just didn't take 5xx to mean "go
away".  Quite often it would wait a whole 10 seconds and then retry
the exact same envelope/header/body again.

-wolfgang
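A small Python model of how a Postfix header_checks rule like the one in the post above is read and applied, added here as an example and not part of the original post or of Postfix itself; it assumes the pcre-table syntax (continuation lines start with whitespace, matching is case-insensitive by default) and runs against constructed sample headers.

```python
from __future__ import annotations

import re
from typing import Optional

# Constructed sample in Postfix header_checks (pcre table) syntax: a rule is
# "/pattern/flags ACTION text"; lines beginning with whitespace continue the
# previous rule, exactly as in the rule quoted in the post above.
HEADER_CHECKS = r'''
# Reject forged "Bounced mail" senders claiming to be our own domain.
/^From: "Bounced mail" <[^@]+@baylisa\.org>$/
        REJECT  Nobody here by the name 'bounced mail'.
                Please fix your mailer.
'''

# /pattern/ (slashes inside the pattern may be backslash-escaped), optional
# flag letters, an ACTION word, and optional free text.
RULE_RE = re.compile(r'^/((?:[^/\\]|\\.)*)/([A-Za-z]*)\s+(\S+)(?:\s+(.*))?$')


def _compile_rule(logical: str) -> tuple[re.Pattern, str, str]:
    m = RULE_RE.match(logical)
    if not m:
        raise ValueError(f"unparseable header_checks rule: {logical!r}")
    pattern, _flags, action, text = m.groups()
    # Postfix pcre tables match case-insensitively by default; flags are
    # parsed but otherwise ignored in this simplified model.
    return re.compile(pattern, re.IGNORECASE), action.upper(), text or ""


def parse_header_checks(table: str) -> list[tuple[re.Pattern, str, str]]:
    """Fold continuation lines, drop comments and blanks, compile each rule."""
    rules: list[tuple[re.Pattern, str, str]] = []
    logical: list[str] = []
    for line in table.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical.append(line.strip())  # continuation of the previous rule
        else:
            if logical:
                rules.append(_compile_rule(" ".join(logical)))
            logical = [line.strip()]
    if logical:
        rules.append(_compile_rule(" ".join(logical)))
    return rules


def check_header(header: str, rules) -> Optional[tuple[str, str]]:
    """Return (ACTION, text) of the first matching rule, or None if no rule hits."""
    for pattern, action, text in rules:
        if pattern.search(header):
            return action, text
    return None
```

Feeding `check_header` each header line of a message and stopping at the first REJECT mirrors what the MTA does with the table.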