Posted to users@spamassassin.apache.org by Dianne Skoll <df...@roaringpenguin.com> on 2015/05/08 17:46:47 UTC
Weird empty messages
Hi,
We are seeing a trickle of weird empty messages. Here's a sample
Sendmail log:
May 8 11:33:31 colo3 sm-mta[1100]: t48FXPqL001100:
from=<Ra...@cttstone.com>, size=18, class=0, nrcpts=1,
msgid=<8[10, proto=SMTP, daemon=MTA,
relay=50-242-22-73-static.hfc.comcastbusiness.net [50.242.22.73] (may
be forged)
Note the size of 18 bytes. The entire message content consists of
the single header:
Message-ID: <8[10
and that's it!
So, buggy ratware? Someone trying to exploit a vulnerable SMTP server?
Bizarre...
On one of our scanners:
$ fgrep -c 'size=18,' /var/log/mail-daily/current.log
1993
(out of 459997 messages, so 0.4%)
and:
fgrep 'size=18,' /var/log/mail-daily/current.log | sed -e 's/.*msgid=//' -e 's/, .*//' | sort | uniq -c
199 <0[10
202 <1[10
182 <2[10
209 <3[10
188 <4[10
196 <5[10
212 <6[10
226 <7[10
193 <8[10
191 <9[10
Regards,
Dianne.
Re: Weird empty messages
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 8 May 2015, at 11:46, Dianne Skoll wrote:
> Hi,
>
> We are seeing a trickle of weird empty messages. Here's a sample
> Sendmail log:
>
> May 8 11:33:31 colo3 sm-mta[1100]: t48FXPqL001100:
> from=<Ra...@cttstone.com>, size=18, class=0, nrcpts=1,
> msgid=<8[10, proto=SMTP, daemon=MTA,
> relay=50-242-22-73-static.hfc.comcastbusiness.net [50.242.22.73] (may
> be forged)
>
> Note the size of 18 bytes. The entire message content consists of
> the single header:
>
> Message-ID: <8[10
>
> and that's it!
>
> So, buggy ratware? Someone trying to exploit a vulnerable SMTP
> server?
> Bizarre...
A blast from the past!
Yes, it's buggy ratware. I haven't seen those in volume since ~2007. I
believe the CBL treats that as a signature so if you're using it (or
Spamhaus Zen) ahead of SA, you should see very few of those unless the
senders have figured out how to hide from CBL detection.
Re: Weird empty messages
Posted by Axb <ax...@gmail.com>.
Massively broken ratware,
safely rejectable with an MTA header rule detecting
/^Message-ID: \<\d\[\d/
On 08.05.2015 17:46, Dianne Skoll wrote:
> Hi,
>
> We are seeing a trickle of weird empty messages. Here's a sample
> Sendmail log:
>
> May 8 11:33:31 colo3 sm-mta[1100]: t48FXPqL001100:
> from=<Ra...@cttstone.com>, size=18, class=0, nrcpts=1,
> msgid=<8[10, proto=SMTP, daemon=MTA,
> relay=50-242-22-73-static.hfc.comcastbusiness.net [50.242.22.73] (may
> be forged)
>
> Note the size of 18 bytes. The entire message content consists of
> the single header:
>
> Message-ID: <8[10
>
> and that's it!
>
> So, buggy ratware? Someone trying to exploit a vulnerable SMTP server?
> Bizarre...
>
> On one of our scanners:
>
> $ fgrep -c 'size=18,' /var/log/mail-daily/current.log
> 1993
>
> (out of 459997 messages, so 0.4%)
>
> and:
>
> fgrep 'size=18,' /var/log/mail-daily/current.log | sed -e 's/.*msgid=//' -e 's/, .*//' | sort | uniq -c
>
> 199 <0[10
> 202 <1[10
> 182 <2[10
> 209 <3[10
> 188 <4[10
> 196 <5[10
> 212 <6[10
> 226 <7[10
> 193 <8[10
> 191 <9[10
>
> Regards,
>
> Dianne.
>
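As an added illustration (not code from this thread), the pipeline Dianne ran over the Sendmail log and the header rule Axb suggests, expressed in Python so a scanner can count the empty-message signature and a filter can match it; the log lines and hostnames below are constructed samples, not real entries:

```python
import re
from collections import Counter

# Constructed Sendmail log lines modelled on the ones quoted in the thread
# (hosts, addresses and queue IDs are made up).
SAMPLE_LOG = """\
May 8 11:33:31 colo3 sm-mta[1100]: t48FXPqL001100: from=<ra@example.invalid>, size=18, class=0, nrcpts=1, msgid=<8[10, proto=SMTP, daemon=MTA, relay=host.example.invalid [192.0.2.10] (may be forged)
May 8 11:33:32 colo3 sm-mta[1101]: t48FXPqL001101: from=<bob@example.invalid>, size=2048, class=0, nrcpts=1, msgid=<20150508113332.ABC@example.invalid>, proto=ESMTP, daemon=MTA, relay=mx.example.invalid [192.0.2.20]
May 8 11:33:33 colo3 sm-mta[1102]: t48FXPqL001102: from=<ra@example.invalid>, size=18, class=0, nrcpts=1, msgid=<3[10, proto=SMTP, daemon=MTA, relay=host2.example.invalid [192.0.2.11] (may be forged)
May 8 11:33:34 colo3 sm-mta[1103]: t48FXPqL001103: from=<ra@example.invalid>, size=18, class=0, nrcpts=1, msgid=<8[10, proto=SMTP, daemon=MTA, relay=host.example.invalid [192.0.2.10] (may be forged)
"""

# Fields the fgrep|sed pipeline extracts: the size= value and the msgid=
# value up to the next comma (the broken Message-ID has no closing '>').
LOG_RE = re.compile(r"size=(?P<size>\d+),.*?msgid=(?P<msgid>[^,]*),")

# Axb's header rule: a Message-ID of the form <DIGIT[DIGIT ...  Header
# names are case-insensitive, so re.I is added here (an assumption).
RATWARE_MSGID = re.compile(r"^Message-ID: <\d\[\d", re.I)


def count_empty_msgids(log_text, size=18):
    """Equivalent of: fgrep 'size=18,' | sed ... | sort | uniq -c"""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and int(m.group("size")) == size:
            counts[m.group("msgid")] += 1
    return counts


def empty_message_share(log_text, size=18):
    """Return (matching, total, percent) like the 1993 / 459997 figure."""
    lines = [l for l in log_text.splitlines() if "from=<" in l]
    hits = sum(count_empty_msgids(log_text, size).values())
    return hits, len(lines), round(100.0 * hits / len(lines), 2) if lines else 0.0


def is_ratware_header(header_line):
    """True when a raw header line matches the MTA rejection rule."""
    return RATWARE_MSGID.match(header_line) is not None


if __name__ == "__main__":
    for msgid, n in sorted(count_empty_msgids(SAMPLE_LOG).items()):
        print(f"{n:4d} {msgid}")
    print(empty_message_share(SAMPLE_LOG))
```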
Re: Weird empty messages
Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Fri, 08 May 2015 13:14:56 -0400
"Kevin A. McGrail" <KM...@PCCC.com> wrote:
> Haven't seen any get through our spam filters, though, and they
> typically score really high (40+).
Yes, none have got through for us either... all scoring at least 15 or so.
I'm just trying to figure out the motivation behind them (or indeed if it's
a bug on the part of spamware authors).
Regards,
Dianne.
Re: Weird empty messages
Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 5/8/2015 11:46 AM, Dianne Skoll wrote:
> $ fgrep -c 'size=18,' /var/log/mail-daily/current.log
We have apparently seen these for 54 days.
Here's the first:
Mar 17 05:12:00 intel1 sendmail[21710]:
t2H9Bt6J021710: from=<fu...@estroweb.com>, size=18, class=0,
nrcpts=3, msgid=<5[10, proto=SMTP, daemon=MTA, relay=ip93-136.ibw.com
[190.211.93.136] (may be forged)
Haven't seen any get through our spam filters, though, and they typically
score really high (40+).
Regards,
KAM