Filters That Fight Back
David Relson
relson at osagesoftware.com
Tue Sep 2 18:04:50 CEST 2003
On Tue, 02 Sep 2003 13:27:37 +0100
"Peter Bishop" <pgb at adelard.com> wrote:
> On 2 Sep 2003 at 8:06, David Relson wrote:
>
> > A couple of weeks back, one of the userids at osagesoftware.com
> > received a set of false bounces. Since I know that userid has sent
> > 1 or 2 emails in the past year and receives approx 1 legit email a
> > week, I'm willing to bet that there was some chicanery involved.
> > The total number of bounce messages was small, perhaps a dozen or
> > two.
>
> I must admit I saw the same thing - One possible culprit is the SoBig
> worm that uses random return addresses selected from the addressbook
> of the penetrated machine. A bounce to the actual sender might be a
> useful warning of infestation, but bounces to the forged sender could
> be very puzzling - it certainly worried me for a while until I saw
> that my spamtrap userid was also getting similar bounces.

Yep, it's happening again. So far two bounces of 100k each from
ithaca.servershost.net [69.61.15.100], with originating ip of
68.145.122.133 - which is NOT my domain.

Checking the subject lines and attachments, it _does_ appear to be
SoBig.

To tie this to the current thread --- This is what happens when the
sender is forged and the bounce message goes to the forged sender rather
than the true sender.