Security Incidents mailing list archives

Re: what is this?


From: "Matthew S. Hallacy" <mhallacy () MERCURY XTRATYME COM>
Date: Fri, 18 Aug 2000 16:12:37 -0500

This is odd, we had a customer who also uses AOL forward us some spam that
was sent to a lot of email addresses beginning with 'z' (his began with a
z also). It appears that spammers are picking random addresses that start
with a letter of the alphabet and spamming commonly picked addresses.

Perhaps they were trying to relay through your system, or the spammer is
on your system =)

On Fri, 11 Aug 2000, Sami Haahtinen wrote:

Check your system: can anyone relay through it? Also check your
mail queue; it usually is a positive sign of a known open relay if it's
full of mail not sent by your system or authorized systems.

Also check if you are listed at ORBS or other systems like that.

I would suspect an open relay from these messages... (well, not if you
have sent those mails to all of those aol.com addresses.)

Regards, Sami Haahtinen

C wrote:

Hi,
Last night my logcheckd came up with the following:

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Aug  9 18:27:07 main sendmail[20202]:SAA20194:
to=<ztattack11 () aol com>,<zpb316 () aol com>,<zotzum () aol com>,<zosom0 () aol com>,<zipper032563 () aol 
com>,<zion808 () aol com>,<zigmo123 () aol com>,<ziggy3131 () aol com>,<zi69 () aol com>,<zerogoals () aol com>,
delay=00:00:06, xdelay=00:00:00, mailer=relay, relay=my.isp.ro.
[xxx.xxx.xxx.xxx], stat=Sent (ok
965834789 qp 24507 accepted for delivery to /dev/null. Thank you.)
Aug  9 18:27:07 main sendmail[20202]: SAA20194:
to=<ztattack11 () aol com>,<zpb316 () aol com>,<zotzum () aol com>,<zosom0 () aol com>,<zipper032563 () aol 
com>,<zion808 () aol com>,<zigmo123 () aol com>,<ziggy3131 () aol com>,<zi69 () aol com>,<zerogoals () aol com>,
delay=00:00:06, xdelay=00:00:00, mailer=relay, relay=my.isp.ro.
[xxx.xxx.xxx.xxx], stat=Sent (ok
965834789 qp 24507 accepted for delivery to /dev/null. Thank you.)

Please, I want your comments. Thank you!

--
If all else Fails, Read the manual...
  || Sami Haahtinen || ATK-Antti Oy || Sami.Haahtinen () atk-antti com ||
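
A log check for the pattern discussed in this thread, as an added example that is not part of any of the original messages: it flags relayed sendmail deliveries whose recipients all share one domain and one initial letter. The sample lines, addresses, hosts and the `min_rcpts` threshold are constructed for illustration, and addresses are assumed to appear in plain `user@domain` form rather than the archive's obfuscated form.

```python
import re
from collections import Counter

# Constructed sample lines in the sendmail delivery-log format quoted above.
# Queue IDs, addresses and hosts are made up; the first entry is logged twice,
# as in the logcheck report.
SAMPLE_LOG = """\
Aug  9 18:27:07 main sendmail[20202]: SAA20194: to=<zara1@example.com>,<zed22@example.com>,<zeke@example.com>,<zoe9@example.com>,<zulu7@example.com>, delay=00:00:06, xdelay=00:00:00, mailer=relay, relay=smarthost.example.net. [192.0.2.10], stat=Sent (ok)
Aug  9 18:27:07 main sendmail[20202]: SAA20194: to=<zara1@example.com>,<zed22@example.com>,<zeke@example.com>,<zoe9@example.com>,<zulu7@example.com>, delay=00:00:06, xdelay=00:00:00, mailer=relay, relay=smarthost.example.net. [192.0.2.10], stat=Sent (ok)
Aug  9 18:30:41 main sendmail[20311]: SAA20300: to=<alice@example.org>, delay=00:00:01, xdelay=00:00:00, mailer=local, stat=Sent
Aug  9 18:31:02 main sendmail[20350]: SAA20349: to=<bob@example.org>,<carol@example.net>, delay=00:00:02, xdelay=00:00:01, mailer=relay, relay=smarthost.example.net. [192.0.2.10], stat=Sent (ok)
"""

# Queue ID, recipient list and mailer from a sendmail "to=" delivery line.
LINE_RE = re.compile(
    r"sendmail\[\d+\]:\s*(?P<qid>\w+):\s*to=(?P<to>.*?),\s*delay=.*?mailer=(?P<mailer>\w+)"
)
ADDR_RE = re.compile(r"<([^<>@\s]+)@([^<>\s]+)>")


def suspicious_deliveries(log_text, min_rcpts=5):
    """Return (qid, domain, letter, count) for each relayed delivery whose
    recipients all sit in one domain and start with the same letter."""
    hits, seen = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("mailer") != "relay":
            continue  # only mail handed to the relay mailer is of interest
        key = (m.group("qid"), m.group("to"))
        if key in seen:
            continue  # same delivery logged more than once
        seen.add(key)
        rcpts = ADDR_RE.findall(m.group("to"))
        if len(rcpts) < min_rcpts:
            continue
        groups = Counter((dom.lower(), user[0].lower()) for user, dom in rcpts)
        (domain, letter), count = groups.most_common(1)[0]
        if count == len(rcpts):  # every recipient: same domain, same initial
            hits.append((m.group("qid"), domain, letter, count))
    return hits


if __name__ == "__main__":
    for qid, domain, letter, count in suspicious_deliveries(SAMPLE_LOG):
        print(f"{qid}: {count} recipients at {domain} starting with '{letter}'")
```

A hit is a prompt to look up who submitted that queue ID and whether the host relays for outsiders; it does not by itself prove an open relay.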


