persistent smtp connections

michael michael at APlatform.com
Thu Feb 4 17:30:08 UTC 1999


Before anyone flames me I asked the moderators if this would be
appropriate to post.  The answer was "Sure".

For several months we have experienced massive amounts of persistent smtp
connections from a forged from address from various dialup accounts around
the USA. With the help of one of these ISPs it was found to be a
program that purports to scan various search engines, like four11, based
upon user-supplied search criteria and generates a mail list. It was when a
user ran this program that we would see the smtp connections. Yet
the user was unaware of this. In conversation with this user they were not
aware of anything other than polling of these search engines and the
generation of a mail list. I obtained a copy of the program and looked at
the code.  It has hundreds of domain names as well as the forged from
address.  In a phone call to the distributor as well as the company that
produces this program, they all said "all it does is query several search
engines like four11".  When I confronted them about the hundreds of domain
names in their code and the forged from address they claimed ignorance. In
conclusion, I have not run the program personally and the above are my
observations from looking at the code.  For those of you who are
interested in this, feel free to email me and I will supply you with the url
and program name.  A hint to see if you or your users or your systems have
been the victim of this program is a from address of savings.com in your
sendmail logs.
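The check the post suggests, turned into a script. This is an added example and is not code from the original post or from the program it describes. It assumes the classic sendmail syslog layout (`from=<addr>, ..., relay=host [ip]` on one line per message); the sample log lines, hostnames and IP addresses below are constructed placeholders, not real log data. Beyond simply grepping for the domain, it tallies hits per relaying host, which is what you would hand to the dialup ISP.

```python
import re
from collections import Counter

# Constructed sample sendmail log lines (not taken from the original post).
# Hostnames are fictitious and the IPs come from documentation ranges.
SAMPLE_LOG = """\
Feb  4 17:30:08 mx1 sendmail[2041]: RAA02041: from=<offers@savings.com>, size=2210, class=0, pri=32210, nrcpts=1, msgid=<199902041730.RAA02041@mx1>, proto=SMTP, relay=ppp12.dialup.example.net [192.0.2.12]
Feb  4 17:30:09 mx1 sendmail[2041]: RAA02041: to=<alice@example.org>, delay=00:00:01, xdelay=00:00:00, mailer=local, stat=Sent
Feb  4 17:31:44 mx1 sendmail[2057]: RAA02057: from=<offers@savings.com>, size=2210, class=0, pri=32210, nrcpts=1, msgid=<199902041731.RAA02057@mx1>, proto=SMTP, relay=ppp12.dialup.example.net [192.0.2.12]
Feb  4 17:35:02 mx1 sendmail[2103]: RAA02103: from=<bob@example.com>, size=812, class=0, pri=30812, nrcpts=1, msgid=<x@example.com>, proto=ESMTP, relay=mail.example.com [198.51.100.7]
Feb  4 17:36:10 mx1 sendmail[2110]: RAA02110: from=<offers@savings.com>, size=2210, class=0, pri=32210, nrcpts=1, msgid=<199902041736.RAA02110@mx1>, proto=SMTP, relay=dial-44.isp.example.net [203.0.113.44]
"""

# Assumed log layout: the envelope sender appears as from=<...> and the
# connecting host as relay=hostname [ip]; the bracketed IP may be absent.
FROM_RE = re.compile(r"from=<([^>]*)>.*?relay=(\S+)(?: \[([^\]]+)\])?")


def parse_from_lines(log_text):
    """Yield (sender, relay_host, relay_ip) for every sendmail 'from=' line.

    Delivery ('to=') lines carry no from= field and are skipped.
    relay_ip is None when the log line has no bracketed address.
    """
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def count_relays_for_domain(log_text, domain="savings.com"):
    """Count messages whose envelope-sender domain is `domain`, keyed by relay.

    The key is the relay IP when logged, otherwise the relay hostname, so the
    result is directly usable when reporting the dialup accounts to their ISP.
    """
    counts = Counter()
    for sender, host, ip in parse_from_lines(log_text):
        _, _, sender_domain = sender.rpartition("@")
        if sender_domain.lower() == domain.lower():
            counts[ip or host] += 1
    return counts


if __name__ == "__main__":
    for relay, n in count_relays_for_domain(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {relay}")
```

On a real system, read `/var/log/maillog` (or wherever syslog puts mail.info) into `count_relays_for_domain` instead of `SAMPLE_LOG`; note that the domain check is on the envelope sender that sendmail logs, not on the header From:, so a forged envelope shows up here regardless of what the message headers claim.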
