zombienet spam fingerprint
E.B. Dreger
eddy+public+spam at noc.everquick.net
Sat Jun 1 17:31:35 UTC 2002
Greetings all,
Semi-operational content...
Anyone recognize the following? Variable data replaced with
$varname$ for anonymity.
Return-path: <$forgedaddr$>
Received: from $crackedvictimfqhn$ ([$crackedvictimip$] helo=compuserve.com)
by $destinationmx$ with smtp (Exim 3.03 #41)
id 17DZf2-0004m5-00
for $addr; Fri, 31 May 2002 00:48:52 +0100
To: $name$ <$addr$>
From: $forgedaddr$
X-Mailer: OutLook Express 3.14159
Subject: Dear mr $name$
MIME-Version: 1.0
Content-type: text/plain
Content-Transfer-Encoding: 8bit
Message-Id: $validmessageid$
Date: Fri, 31 May 2002 00:48:52 +0100
Hello $name$ dear friends again!
Where the variables are:
$crackedvictimfqhn$ : machine that sent message
$crackedvictimip$ : ip of above
$destinationmx$ : the mx that received the spam
$forgedaddr$ : forged "mail from"
$name$ : these are sent mail-merge style
$validmessageid$ : receiving MX-generated msg id
The interesting things are X-Mailer, Subject, and the fact that
these messages originate from many different places. I've only
run nmap on a couple of $crackedvictimip$... one was Windows, one
was Solaris. Assuming the results were accurate, this smells
like a twist on Sadmind, or perhaps exploitation of compromised
machines.
Anyone have any info?
--
Eddy
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist at brics.com>
To: blacklist at brics.com
Subject: Please ignore this portion of my mail signature.
These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist at brics.com>, or you are likely to
be blocked.
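As an added example (not part of Eddy's post), a small Python checker that pulls the three indicators he calls out (X-Mailer, Subject, and a HELO name that does not belong to the sending host) out of a message's headers and flags it when two or more line up; the sample message, its hosts and addresses are constructed.

```python
"""Checker for the three header indicators in the post above (added example;
the sample message below is constructed with placeholder hosts and addresses)."""
import re
from email import message_from_string

XMAILER_RE = re.compile(r"^OutLook Express 3\.14159$", re.IGNORECASE)
SUBJECT_RE = re.compile(r"^Dear mr\b", re.IGNORECASE)
# Exim-style "Received: from <fqhn> ([<ip>] helo=<claimed name>) ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<fqhn>\S+)\s+\(\[(?P<ip>[\d.]+)\]\s+helo=(?P<helo>[^\s)]+)\)",
    re.IGNORECASE)

def fingerprint(raw):
    """Return the indicators matched by a raw RFC 822 message, in header order."""
    msg = message_from_string(raw)
    hits = []
    if XMAILER_RE.match(msg.get("X-Mailer", "").strip()):
        hits.append("x-mailer")
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        hits.append("subject")
    for rcvd in msg.get_all("Received", []):
        # Unfold the header before matching; Exim wraps it over several lines.
        m = RECEIVED_RE.search(" ".join(rcvd.split()))
        if not m:
            continue
        fqhn = m.group("fqhn").lower().rstrip(".")
        helo = m.group("helo").lower().rstrip(".")
        # The sender greeted with a domain its own reverse name is not part of.
        if fqhn != helo and not fqhn.endswith("." + helo):
            hits.append("helo-mismatch")
    return hits

def is_zombienet_spam(raw):
    """Flag a message when at least two of the three indicators match."""
    return len(set(fingerprint(raw))) >= 2

# Constructed sample in the shape of the posted headers (RFC 5737 test address).
SAMPLE = """Return-path: <forged@example.net>
Received: from dialup-45.example.org ([192.0.2.45] helo=compuserve.com)
    by mx.example.com with smtp (Exim 3.03 #41)
    id PLACEHOLDER-ID
    for victim@example.com; Fri, 31 May 2002 00:48:52 +0100
To: Victim <victim@example.com>
From: forged@example.net
X-Mailer: OutLook Express 3.14159
Subject: Dear mr Victim

Hello Victim dear friends again!
"""
```

Running fingerprint(SAMPLE) returns all three indicator names; a message from a host whose HELO is its own domain or a parent of it produces no "helo-mismatch".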