Re: [Exim] Big increase in bounces addressed to non-existent…

Author: Tabor J. Wells
Date:  
To: Alan J. Flavell
CC: Exim users list
Subject: Re: [Exim] Big increase in bounces addressed to non-existent addresses
On Tue, Jul 01, 2003 at 06:14:22PM +0100,
Alan J. Flavell <a.flavell@???> is thought to have said:

> Are other sites seeing this same effect? What could be the cause?
>
> Immediate thoughts are -
>
> 1. spam or other unwanted matter being sent to these bona fide sites
> with counterfeited sender addresses, and the sites are now trying to
> bounce the spam;
>
> 2. spam or other unwanted matter being offered to these bona fide
> sites, and they're trying "callbacks" to verify the counterfeited
> sender addresses prior to acceptance; (but is "callback" so widely
> used?)
>
> 3. some new trick for doing address-list washing or dictionary
> scanning, involving innocent bona fide third-party MTAs(?)
>
> Since we're rejecting these at RCPT time, I've no way of
> distinguishing between different scenarios.


Add aliases for a couple of those non-existent addresses to your mailbox and
take a look.

My suspicion is:

4. Infected emails forged with non-existent senders at your site bouncing
off of another site's AV filters.

That is the cause of all of mine that match this pattern.

> (I'm not sure if it's coincidence or not that this is happening around
> the same time as Sobig/E. But surely Sobig/E is counterfeiting valid
> addresses as its sender, rather than inventing non-existent ones?)


Not necessarily. There are several email worms (not sure if Sobig.E is one
of them) that pick random local parts and domains and match them up for the
sender based on the contents of the infected user's mailbox/address book.

--
--------------------------------------------------------------------
Tabor J. Wells                                     twells@???
Fsck It!                 Just another victim of the ambient morality
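
One way to act on the suggestion above once the alias mailbox has collected some mail, as an added example that is not part of the original message: a Python script that sorts captured messages into AV-filter notices (scenario 4) and ordinary delivery status notifications (scenario 1). The keyword list, the function names and the sample messages are constructed assumptions.

```python
from collections import Counter
from email import message_from_string, policy

# Assumed keywords for AV-filter notices; tune to what the mailbox shows.
AV_WORDS = ("virus", "infected")

def classify(raw):
    """Label one captured message as 'av-notice', 'dsn' or 'other'."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).lower()
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content().lower() if part else ""
    if any(w in subject or w in text for w in AV_WORDS):
        return "av-notice"   # scenario 4: remote AV filter answering a forged sender
    if (msg.get_content_type() == "multipart/report"
            and msg["Content-Type"].params.get("report-type") == "delivery-status"):
        return "dsn"         # scenario 1: ordinary bounce of forged-sender mail
    return "other"

def tally(messages):
    """Count how many captured messages fall into each label."""
    return Counter(classify(m) for m in messages)

# Constructed samples; domains, addresses and wording are invented.
AV_NOTICE = """\
From: antivirus@mx.example.net
To: qzxv@example.org
Subject: VIRUS found in mail you sent

The attachment in your message was infected and has been discarded.
"""

DSN = """\
From: MAILER-DAEMON@mx.example.com
To: hjkl@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The recipient address does not exist.
--b1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nobody@example.com
Action: failed
Status: 5.1.1
--b1--
"""
```

Callback probes (scenario 2) end the SMTP session before DATA, so they leave nothing in the mailbox and show up only in the SMTP log.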