New SPAM DOS
owen at delong.com
Fri Jan 8 20:52:17 UTC 2010
Unfortunately, I only have the spamcop report sent to me, I don't have the original message.
What spamcop sends does not include Content-Type headers or the additional parts of
the message, only the plain text portion.
Unfortunately, it's turnning things like SPAMCOP into a DOS attack against the sites
they are hoping to protect when they start treating the initial "advertised" URL as
being the "spam advertised site".
On Jan 8, 2010, at 11:39 AM, sthaug at nethelp.no wrote:
>> I host scvrs.org on one of my servers, and, it does not have any outlook or owa
>> services. For some reason, someone decided to try and send this message
>> out to various internet recipients:
>> Anyone seen this before? Any good techniques for combatting it?
> If you look more closely at the messages I believe you'll find that
> they are multipart/alternative, and that the second part gives a
> slightly modified version of the owa URL. For instance, for my own
> nethelp.no domain the first part of message says
> but the second part specifies URLs like
> This is a very old trick, seen lots of times in connection with
> phishing sites, for instance.
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
More information about the NANOG