Re: [Exim] Re: Bloated Content-type header - a known spammer…

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
M\Suresh Ramasubramanian at <-
MMSuresh Ramasubramanian at ->
Delete this message
Reply to this message
Author: Alan J. Flavell
Date:  
To: Suresh Ramasubramanian
CC: Exim users list
Subject: Re: [Exim] Re: Bloated Content-type header - a known spammer abuse, or what?
On Sun, 30 Dec 2001, Suresh Ramasubramanian wrote:

> +++ Alan J. Flavell [exim-users] <29/12/01 20:36 +0000>:
> > Content-type:
> > text/plain;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
>
> > This is presumably intended to break something, but I'm not sure what.
> > I tried various web searches for the symptoms, but was unable to
> > devise search terms which produced a useful match.
>
> Search for 'mailgod'.

Thanks. Perhaps it would be useful for me to post the results of my
search, in case someone else hits this symptom... (apologies if this
is felt to be off-topic for an exim-specific list, but perhaps we can
devise effective exim recipes for tossing such mails...)


I found lots of trails leading to copies of something called
"the alt.spam FAQ", which contained the line

Received: from The.sender.of.this.untracable.email.used.MAILGOD.by.IMI

but didn't seem to be otherwise informative on details.

Excluding those from the search produced some more-interesting hits.

This hit: http://handsonhowto.com/pmail102.html looked useful.
but appears to be referring specifically to a Received: header with
lots of "................." on the end. I've now found some of those
in the log too, but I've no proof that these are the same thing as
what I'm quoting above (sure, it's evidently in the same general
ballpark).

http://www.exim.org/pipermail/exim-users/Week-of-Mon-19980810/008721.html
again refers to a Received: header.

> This is an attempted buffer overflow exploit which
> will likely crash older sendmails (SMI/SVR4 and such),

From the discussions that I found, I believe the intention of the
over-long Received: line was to hide information which would have
helped in tracing the source of the mail.

I can't see any benefit in _spammers_ actually crashing sendmail;
nothwithstanding that _crackers_ might be interested in doing so, but
that's a separate issue - I didn't find any reference to 'mailgod'
at CERT.

http://www.oitc.com/EIMS/SimpleTextFilterPrefs.txt also popped out of
the Google search, incidentally.

Hope this is useful to someone.

all the best




This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-[Exim] Setting up Exim for Virtual Domains[Exim] Re: Bloated Content-type header - a known spammer abuse, or what?->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)