[Full-Disclosure] Empty emails example

From: Bill Royds (full-disclosure_at_royds.net)
Date: 02/28/04

  • Next message: Bill Royds: "[Full-Disclosure] Re: Empty emails example"
    To: <full-disclosure@lists.netsys.com>
    Date: Sat, 28 Feb 2004 15:23:47 -0500
    
    

    I am still getting a lot of empty emails and noticed a peculiar similarity.
    All of them use a compromised or open relay home hispeed network connection
    to bounce the message.
    Here are the headers from one I just received ( others are similar but with
    different relay points).

    > Return-Path: <ZVIFHFGZRZI@yahoo.com>
    > Received: from h0010b59bf977.ne.client2.attbi.com ([24.147.39.6])
    >     by fep02-mail.bloor.is.net.cable.rogers.com
    >     (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with SMTP
    >     id <20040228195530.WTUH244767.fep02-mail.bloor.is.net.cable.rogers.com@h0010b59bf977.ne.client2.attbi.com>;
    >     Sat, 28 Feb 2004 14:55:30 -0500
    > Received: from 80.76.205.232 by 24.147.39.6; Sun, 29 Feb 2004 00:46:57 +0500
    > Message-ID: <Y[20
    > Date: Sat, 28 Feb 2004 14:55:31 -0500
    >

    The return path is an obvious fake.

    The immediate relay point is a cable modem customer.

    The seeming original sender is a British company with the domain
    tradeelectronically.com, which is a hosting service.

    Are others seeing this pattern?

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
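The header walk Bill does by hand above (which Received: line was written by the recipient's own MTA, which relay it actually saw, and which "origin" is only claimed) can be automated. The following is an added example, not part of the original post or the list archive. It parses the Received: chain from the headers quoted above, treats only lines written by the recipient's own MTA as verifiable, and reports the last verifiable relay IP separately from the unverified claimed origin. The set MY_MTAS (the recipient's own MX host, taken from the `by` field of the top header) and the re-joined sample header block are assumptions made for the example; the Message-ID was already truncated in the post and is left as quoted.

```python
"""Walk a message's Received: chain and separate what the local MTA wrote
(verifiable) from what arrived inside the message (sender-writable).
Added example; the sample headers are the ones quoted in the post, re-joined."""
import re
from dataclasses import dataclass
from email.utils import parsedate_to_datetime
from typing import List, Optional, Set

# Constructed sample: the headers quoted in the post. The folded "id" line is
# re-joined here; the Message-ID was already truncated in the post.
SAMPLE_HEADERS = """\
Return-Path: <ZVIFHFGZRZI@yahoo.com>
Received: from h0010b59bf977.ne.client2.attbi.com ([24.147.39.6])
    by fep02-mail.bloor.is.net.cable.rogers.com
    (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with SMTP
    id <20040228195530.WTUH244767.fep02-mail.bloor.is.net.cable.rogers.com@h0010b59bf977.ne.client2.attbi.com>;
    Sat, 28 Feb 2004 14:55:30 -0500
Received: from 80.76.205.232 by 24.147.39.6; Sun, 29 Feb 2004 00:46:57 +0500
Message-ID: <Y[20
Date: Sat, 28 Feb 2004 14:55:31 -0500
"""

# Assumption: the recipient's own MX, i.e. the only MTA whose Received line we trust.
MY_MTAS: Set[str] = {"fep02-mail.bloor.is.net.cable.rogers.com"}

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
FROM_RE = re.compile(r"\bfrom\s+(?P<name>[^\s;]+)(?:\s+\(\[?(?P<ip>" + IPV4 + r")\]?\))?", re.I)
BY_RE = re.compile(r"\bby\s+(?P<host>[^\s;]+)", re.I)
RETURN_PATH_RE = re.compile(r"^Return-Path:\s*<([^>]*)>", re.I | re.M)


@dataclass
class Hop:
    from_name: str            # name the sending side announced, or what the MTA recorded
    from_ip: Optional[str]    # IP the receiving MTA saw, if it recorded one
    by_host: str              # the MTA that wrote this Received line
    timestamp: Optional[str]  # text after the final ';'


def unfold(headers: str) -> List[str]:
    """Join RFC 5322 folded continuation lines (leading WSP) back onto their header."""
    lines: List[str] = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines


def parse_received(headers: str) -> List[Hop]:
    """Hops in header order: index 0 was written last, by the MTA nearest the recipient."""
    hops: List[Hop] = []
    for line in unfold(headers):
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1]
        f, b = FROM_RE.search(body), BY_RE.search(body)
        if not (f and b):
            continue  # malformed or exotic Received line; skip rather than guess
        ip = f.group("ip")
        if ip is None and re.fullmatch(IPV4, f.group("name")):
            ip = f.group("name")  # "from 1.2.3.4" with no bracketed address
        ts = body.rsplit(";", 1)[1].strip() if ";" in body else None
        hops.append(Hop(f.group("name"), ip, b.group("host"), ts))
    return hops


def trust_boundary(hops: List[Hop], my_mtas: Set[str]) -> Optional[Hop]:
    """Walk from the top; stop at the first line not written by one of our own MTAs.
    The last trusted hop's from_ip is the last verifiable address; every line
    below it arrived inside the message and could have been written by the sender."""
    last: Optional[Hop] = None
    for hop in hops:
        if hop.by_host.lower() not in my_mtas:
            break
        last = hop
    return last


def transit_seconds(hops: List[Hop]) -> Optional[int]:
    """Seconds between the oldest claimed hop and the newest one. A negative or
    absurd value means a forged line or a badly skewed relay clock."""
    try:
        newest = parsedate_to_datetime(hops[0].timestamp)
        oldest = parsedate_to_datetime(hops[-1].timestamp)
    except (TypeError, ValueError, IndexError):
        return None
    return int((newest - oldest).total_seconds())


def summarize(headers: str, my_mtas: Set[str]) -> dict:
    hops = parse_received(headers)
    m = RETURN_PATH_RE.search(headers)
    rp = m.group(1) if m else ""
    trusted = trust_boundary(hops, my_mtas)
    verified = hops.index(trusted) + 1 if trusted else 0
    return {
        "return_path_domain": rp.rsplit("@", 1)[-1].lower() if "@" in rp else "",
        "hop_count": len(hops),
        "immediate_relay_ip": trusted.from_ip if trusted else None,
        "immediate_relay_host": trusted.from_name if trusted else None,
        "claimed_origin": (hops[-1].from_ip or hops[-1].from_name) if hops else None,
        "claimed_hops_unverified": len(hops) - verified,
        "transit_seconds": transit_seconds(hops),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_HEADERS, MY_MTAS).items():
        print(f"{key:24} {value}")
```

On the quoted message this reports 24.147.39.6 (the attbi.com cable modem) as the only verifiable relay, 80.76.205.232 as a claimed origin that no trusted MTA ever saw, a return path domain (yahoo.com) unrelated to either, and about eight and a half minutes between the two timestamps. Whether a claimed origin like 80.76.205.232 really belongs to tradeelectronically.com is a DNS/whois question outside this offline check; the point of the trust boundary is that nothing below the recipient's own Received line should be relied on for that attribution in the first place.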
