|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Spam from weird IP 118.189.136.119
On Mon, 16 Jun 2003 15:47 (UT), [email protected] wrote: | I've never heard of the NNFMP protocol It's the latest spammer exploit the "Network Nonsense - Fools Most People" exploit. You've not been hit by that one yet, then? On Mon, 16 Jun 2003 17:47 (UT), Wayne Tucker <[email protected]> wrote: | I have run into a considerable number of these that include headers | suggesting that they were relayed through my server, but I have verified | my logs, and the messages never even touched any of my machines. But precisely which logs are you looking at? The SMTP logs from your mail server or the machine's IP connection log? | It seems that one of the new tricks is to throw some BS headers in there | before relaying the message, just to throw a monkey wrench in the works. That is one of the older tricks in the book. The latest revision is to throw some _matching_ headers in there so that it looks entirely genuine. If you have a trojan executable on a server as well as an "authorised" mail server then any mail sent by the trojan will NOT appear in the logs of the SMTP server, but WILL appear on the next hop as coming from your server and the only way to tell the difference is by examining the connecting port as seen coming from your server by the machine at next hop. -- Richard D G Cox
|