Forged From header in bounce-o-grams??!? :-(
"Wolfgang S. Rupprecht" at wsrcc.com
Sun Sep 18 11:22:30 PDT 2005
david at catwhisker.org (David Wolfskill) writes:
> From: "Bounced mail" <noreply at baylisa.org>
>
> Right. Though in the case of mail purportedly coming from baylisa.org
> arriving at the MX for baylisa.org is ... well, adequately peculiar
> for the present distress.
I wouldn't let that unusual header-from dissuade you from targeting it
with a regexp, e.g.:

    /^From: "Bounced mail" <[^@]+@baylisa.org>$/
        REJECT Nobody here by the name 'bounced mail'. Please fix your mailer.
> Must be a rather dull-witted machine for the novelty to have not worn
> off after the first few pokes, though I suppose a sufficiently devious
> recipient of such attention might be able to try using the behavior to
> try to gain information.... I don't think I have the necessary
> combination of time & interest just now, though. :-} [Then again,
> maybe a variant on what I have listening on 113/tcp might prove
> amusing....]
Back before the openbsd folks stopped including ethereal due to the
abundance of buffer-overrun bugs I used to packet-log all port 25
traffic with 'tcpdump -w' and spot-check the log with ethereal to make
sure that things were working as expected. The "follow tcp stream"
command of ethereal is a very useful feature. One thing that became
very clear is that some malware just didn't take 5xx to mean "go
away". Quite often it would wait a whole 10 seconds and then retry
the exact same envelope/header/body again.
-wolfgang
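As an added illustration (not code from the thread), the following Python evaluates a Postfix header_checks-style regexp table, using the rule suggested above, against constructed message headers. It assumes Postfix semantics: one logical rule per line with whitespace continuation, case-insensitive matching unless the 'i' flag toggles it off, and first match wins.

```python
import re

# Constructed rule table in Postfix header_checks(5) regexp syntax, modelled on
# the rule proposed in the post (address unobfuscated, dot escaped).
RULES_TEXT = r'''
# Reject forged bounce notices that claim to come from our own domain.
/^From: "Bounced mail" <[^@]+@baylisa\.org>$/
    REJECT Nobody here by the name 'bounced mail'. Please fix your mailer.
'''

# /pattern/flags ACTION optional-text
RULE_RE = re.compile(r'^/((?:\\.|[^/])*)/([imx]*)\s+(\w+)(?:\s+(.*))?$')

def parse_rules(text):
    """Return [(compiled_regex, ACTION, message)] from regexp-table text."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue                      # blank or comment line
        if raw[0].isspace() and logical:
            logical[-1] += ' ' + raw.strip()   # continuation line
        else:
            logical.append(raw.rstrip())
    rules = []
    for line in logical:
        m = RULE_RE.match(line)
        if not m:
            raise ValueError('bad rule: ' + line)
        pattern, flags, action, message = m.groups()
        # Postfix matches case-insensitively by default; 'i' toggles it off.
        opts = 0 if 'i' in flags else re.IGNORECASE
        if 'x' in flags:
            opts |= re.VERBOSE
        rules.append((re.compile(pattern, opts), action.upper(), message or ''))
    return rules

def check_headers(headers, rules):
    """Apply rules to each (unfolded) header; first hit wins, else None."""
    for header in headers:
        for regex, action, message in rules:
            if regex.search(header):
                return action, message
    return None

RULES = parse_rules(RULES_TEXT)

# Constructed sample headers: the forged bounce from the post, and a normal mail.
FORGED = ['From: "Bounced mail" <noreply@baylisa.org>', 'Subject: Returned mail']
LEGIT = ['From: Some User <user@example.org>', 'Subject: hello']
```

Note that the `$` anchor makes the rule strict: a forged header with a trailing comment or without the quoted display name slips through, so check the actual header form in your logs before relying on it.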