Not only Exchange 2K servers are affected. Let's see a snippet of my malhub:
<snip>
According to the 'Received:' trace, the message originated at:
nctta.org (nctta-org-bk.mr.outblaze.com [205.158.62.181])
The message WAS NOT delivered to:
<a1aaa1azzzz1zaaaaa@???>:
550 5.7.1 Message content rejected, UBE, id=29788-03
</snip>
<snip>
Received: from nctta.org (nctta-org-bk.mr.outblaze.com [205.158.62.181])
by 212.68.242.53.brutele.be (Postfix) with ESMTP id 53062264EF
for <a1aaa1azzzz1zaaaaa@???>; Wed, 27 Jul 2005 20:20:05 -0500
</snip>
As you can see in my case was a Postfix server (probably under a double
mta configuration) whom is bouncing me or trying to bounce me.
Spam, the evil of the actual mail.
BR,
jonathan
Ted Cooper wrote:
> Wakko Warner wrote:
>
>>Mark Smith wrote:
>>
>>>>Subject: [exim] Weird RCPT TO address
>>>>
>>>>a1aaa1azzzz1zaaaaa@<local domain>
>>>>
>>>>Anyone else seeing this?
>>>
>>>Yes, coming from a variety of zombies.
>>
>>
>>I just recently started seeing this. Wondering if this was due to spammers
>>trying to exploit servers that accept/bounce.
>>
>
>
> Probably. Default exchange(2k) behaviour is to still accept the mail and then
> bounce it if it can't deliver it anywhere. I've had hits on a number of servers..
>
> 2005-07-27 15:43:04 H=(200-101-188-071.cbrbr200.dial.brasiltelecom.net.br)
> [200.101.188.71] F=<ceosg@???> rejected RCPT
> <a1aaa1azzzz1zaaaaa@???>: Unknown user
>
> Also the exact same local part so they're all going to be from the one bot net.
>
> Ted.
>
>
