TheScream
Posted January 24, 2005

About 10 minutes ago my mailbox was flooded with 52 emails similar to this:

Return-Path: <jryimrb[at]quixnet.net>
Received: from c60.cesmail.net ([216.154.195.49]) by [my mail server] with ESMTP
    id <41F570B2.0000049E[at][my mail server]> for <>; Mon, 24 Jan 2005 22:03:30 GMT
Received: from unknown (HELO blade2.cesmail.net) (192.168.1.212)
    by c60.cesmail.net with SMTP; 24 Jan 2005 17:03:30 -0500
Received: (qmail 30416 invoked by uid 1010); 24 Jan 2005 22:03:30 -0000
From: spamcop-net[at]blade2.cesmail.net
Cc: recipient list not shown: ;
Delivered-To: spamcop-net-[my spamcop account][at]spamcop.net
Received: (qmail 30382 invoked from network); 24 Jan 2005 22:03:29 -0000
Received: from unknown (192.168.1.101)
    by blade2.cesmail.net with QMQP; 24 Jan 2005 22:03:29 -0000
Received: from smta11.mail.ozemail.net (203.103.165.150)
    by mailgate.cesmail.net with SMTP; 24 Jan 2005 22:03:28 -0000
Received: from sasimp02.mail.ozemail.net ([203.103.165.182])
    by smta11.mail.ozemail.net with ESMTP
    id <20050124220327.QKQO21478.smta11.mail.ozemail.net[at]sasimp02.mail.ozemail.net>
    for <[my public email address]>; Mon, 24 Jan 2005 22:03:27 +0000
Received: from term10 ([85.96.101.206]) by sasimp02.mail.ozemail.net with oze
    id PA2R1R00DSyg9s01 for [my public email address]; Tue, 25 Jan 2005 09:02:28 +1100
Message-Id: <20050124220327.QKQO21478.smta11.mail.ozemail.net[at]sasimp02.mail.ozemail.net>
Date: Mon, 24 Jan 2005 22:03:27 +0000
X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade2.cesmail.net
X-spam-Level: *
X-spam-Status: hits=1.6 tests=MISSING_SUBJECT version=3.0.0
X-SpamCop-Checked: 192.168.1.101 203.103.165.150 203.103.165.182 85.96.101.206

<br />
<b>Fatal error</b>: Call to undefined function: imagecreatefromgif() in <b>/var/www/html/spamw/img.php</b> on line <b>52</b><br />

Any ideas?
Wazoo
Posted January 24, 2005

Nothing quick. Allegedly sourced from;

inetnum: 85.96.64.0 - 85.96.127.255
netname: TurkTelekom
descr: Turk Telekom ADSL-200K_2
country: tr
admin-c: TTBA1-RIPE
tech-c: TTBA1-RIPE
status: ASSIGNED PA
mnt-by: as9121-mnt
notify: ipg[at]telekom.gov.tr
changed: ipg[at]telekom.gov.tr 20041018
source: RIPE

though the path including "spamw" looks a bit 'interesting' <g>
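Added example, not part of any post in this thread: one way to read the Received chain in the sample above and check the injecting address against the whois range quoted in the reply. The `TRUSTED` list is an assumption (hosts on the poster's own delivery path), and the Received lines are trimmed to their from/by/with clauses.

```python
import ipaddress
import re

# Received lines from the sample posted in this thread, newest hop first.
# "[my mail server]" is the poster's own redaction, kept as written.
RECEIVED = [
    "from c60.cesmail.net ([216.154.195.49]) by [my mail server] with ESMTP",
    "from unknown (HELO blade2.cesmail.net) (192.168.1.212) by c60.cesmail.net with SMTP",
    "(qmail 30416 invoked by uid 1010)",
    "(qmail 30382 invoked from network)",
    "from unknown (192.168.1.101) by blade2.cesmail.net with QMQP",
    "from smta11.mail.ozemail.net (203.103.165.150) by mailgate.cesmail.net with SMTP",
    "from sasimp02.mail.ozemail.net ([203.103.165.182]) by smta11.mail.ozemail.net with ESMTP",
    "from term10 ([85.96.101.206]) by sasimp02.mail.ozemail.net with oze",
]

# Assumption: receivers on the poster's own delivery path are the trusted ones.
TRUSTED = ("[my mail server]", ".cesmail.net", ".ozemail.net")

# Captures the peer IP in parentheses and the receiving host after "by".
HOP = re.compile(
    r"^from\s+\S+\s.*?\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(\[[^\]]*\]|\S+)"
)

def origin(received, trusted=TRUSTED):
    """Walk newest to oldest and return the last public peer IP recorded by a
    trusted receiver. Stop at the first untrusted receiver: every line below
    it could have been written by the sender."""
    found = None
    for line in received:
        m = HOP.match(line)
        if not m:
            continue  # local qmail hand-offs carry no peer address
        ip, by = ipaddress.ip_address(m.group(1)), m.group(2)
        if not by.endswith(trusted):
            break
        if not ip.is_private:
            found = ip
    return found

def in_inetnum(ip, first, last):
    """True if ip lies inside an inetnum range as whois prints it."""
    return ipaddress.ip_address(first) <= ip <= ipaddress.ip_address(last)

if __name__ == "__main__":
    src = origin(RECEIVED)
    print(src, in_inetnum(src, "85.96.64.0", "85.96.127.255"))
```

The 192.168.x.x hops are internal hand-offs and are skipped as private addresses; a Received line appended below the last trusted hop does not change the result.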
Merlyn
Posted January 24, 2005

Was the spamvertised site the same in all of them? What was it if the answer is yes?
TheScream (Author)
Posted January 24, 2005

> Was the spamvertised site the same in all of them? What was it if the answer is yes?

Yes, the email was essentially the same for all 52 of them. Only difference I could see was that the return path differed each time and the originating server varied but repeated.

...perhaps a spammer has a bug in their sending system..
captid4
Posted January 25, 2005

> Yes, the email was essentially the same for all 52 of them. Only difference I could see was that the return path differed each time and the originating server varied but repeated.
>
> ...perhaps a spammer has a bug in their sending system..

I just got about 20 of these, also. Could this be a new spammer tactic?
Wazoo
Posted January 25, 2005

At this point, not appearing to be much of a "tactic" ... Only one sample provided between two users saying they received "the same" ... but that clouded a bit by "originating server changing" ... second user not comparing to the first user's sample, pointing out what was the same, or if anything was different ...

At this point, easier to suggest some idiot with a new spamming device, but .. perhaps with more time, more details ...????
Wazoo
Posted January 27, 2005

Scanning on a totally unrelated quest, I came across this interesting tidbit;

http://isc.sans.org/diary.php?date=2005-01...500435979230845

> Broken spam Message
>
> A handful of users have reported getting spam messages that contain:
>
> "<br /> Fatal error/: Call to undefined function: imagecreatefromgif() in /var/www/html/spamw/img.php/ on line4<br />"
>
> This is probably due to a broken PHP spam engine that is sending email via multiple SMTP servers/open-relays throughout the Internet. If there is any hosting company that has a username on their machine with "spamw", kindly delete the account. Enabling spammers is bad.
jefft
Posted January 30, 2005

The qmail author would call this a feature.

Basically, if certain headers are entirely missing, the server inserts a default in some situations. This looks like totally broken spam to me. As you saw, it didn't really come from us, but since it was forwarded with no From: address, the server stuck one on.

JT
This topic is now archived and is closed to further replies.