[Esa-l] Weird E-Mail

Brett Glass brett at lariat.org
Tue May 1 09:42:52 PDT 2001


At 03:43 AM 5/1/2001, Jason Jordan wrote:
  
>I've received two very weird e-mails in the last two days.
>
>Both were addressed to a user at my domain that does not exist... I
>won't include the full text but the content looks like a brute force
>username test against HotMail... *weird*.

This is typical behavior for some spamming software. Note that
the Received: header says that the message was received "for"
a legitimate address (cokoso62 at pcguru.com.au), which must
have appeared in an SMTP "RCPT TO:" command. But the addresses
in the RFC822 "To:" header are different... and bogus.

It's rather weird to make the "To:" address bogus and the
address to which the mail is effectively BCC'ed legitimate.
I can see no advantage in this, but it's what many spammers'
software does. It might be possible to fight such spam by
making a filter that notes bogus local addresses in the 
"To:" header and bounces the whole message if there are
too many.

--Brett
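
The header check suggested in the message above, sketched as an added example (not code from the original post or from any existing mail filter). The local domain, the mailbox list, the threshold and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Hypothetical site settings (assumptions, not values from the post).
LOCAL_DOMAINS = {"example.com.au"}
VALID_LOCAL_USERS = {"jason", "postmaster", "sales"}
MAX_BOGUS = 2  # tolerate a couple of typos before rejecting

def bogus_local_recipients(raw_message):
    """Return To: addresses in a local domain that match no real mailbox."""
    msg = message_from_string(raw_message)
    bogus = set()
    for _name, addr in getaddresses(msg.get_all("To", [])):
        local, sep, domain = addr.rpartition("@")
        if not sep:
            continue  # not a usable addr-spec, nothing to compare
        if (domain.lower() in LOCAL_DOMAINS
                and local.lower() not in VALID_LOCAL_USERS):
            bogus.add(addr.lower())
    return sorted(bogus)

def should_reject(raw_message, max_bogus=MAX_BOGUS):
    """True when the To: header names too many nonexistent local users."""
    return len(bogus_local_recipients(raw_message)) > max_bogus

# Constructed sample: the envelope recipient (Received "for") is real,
# but every To: address is a made-up local user.
SPAM = (
    "Received: from mail.example.net by mx.example.com.au"
    " for <jason@example.com.au>\n"
    "From: offers@example.net\n"
    "To: aa1@example.com.au, aa2@example.com.au, aa3@example.com.au,"
    " aa4@example.com.au\n"
    "Subject: constructed sample\n\nbody\n"
)
# Constructed sample: ordinary mail with one mistyped local address.
HAM = (
    "Received: from mail.example.org by mx.example.com.au"
    " for <jason@example.com.au>\n"
    "From: friend@example.org\n"
    "To: Jason <jason@example.com.au>, slaes@example.com.au\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    for label, raw in (("SPAM", SPAM), ("HAM", HAM)):
        print(label, should_reject(raw), bogus_local_recipients(raw))
```

Applying the verdict as an SMTP-time rejection avoids sending a bounce to the envelope sender, which on mail like this is usually forged.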


