Chris Linfoot | Fill in the blanks

Thursday, 7. October 2004

Fill in the blanks

A brief flurry of spams from what appear to be SW Bell dial-up IPs this morning caught my attention. All have subject lines like "Licensed Office Application. Licensed Operating System. Other Licensed Application."

That word "licensed" seems to protest too much, doesn't it? But that was not what really grabbed my attention.

No, it was the received headers that first caught my eye. Each spam had only one received header. As you may know, Domino records in its received header the phrase used in HELO/EHLO and the connecting IP (from), the FQHN of the receiving host (by), the protocol and message id (with) and the date and time the header was written. The very first of these (HELO/EHLO) was in each case:

<rnddg[2]>.<rnddg[2]>.<rnddg[2]>.<rnddg[2]>

Methinks spammy forgot to fill in the blanks. Now, what spamware populates its HELO phrase with the same random number, repeated four times and separated by periods?

Another golden filtering opportunity.

The complete header of a sample is shown below:

Received: from <rnddg[2]>.<rnddg[2]>.<rnddg[2]>.<rnddg[2]> ([209.184.230.189])
          by my.domino.host (Lotus Domino Release 6.5.2)
          with SMTP id 2004100708540530-9597 ;
          Thu, 7 Oct 2004 08:54:05 +0100 
Date: Thu, 07 Oct 2004 07:53:58 +0000
From: spammer@someplace
Subject: Licensed Office Application. Licensed Operating System.
   Other Licensed Application. 999 (victim@myplace)
To: Victim <victim@myplace>
References: <????????????????@myplace>
In-Reply-To: <????????????????@myplace>
Message-ID: <????????????????@someplace>
MIME-Version: 1.0
Content-Type: text/plain;
		 charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Category: Spam miscellany
Technorati: Spam miscellany

Comments :

None yet...

Unable to post a comment? Please read this for a possible explanation...

Chris-Linfoot.net