Mailing List SIMS@mail.stalker.com Message #14798
From: Warren Michelsen <Warren@MDCCLXXVI.com>
Subject: Re: Suspect addresses compromised
Date: Mon, 1 Nov 2004 12:05:37 -0700
To: SIMS Discussions <SIMS@mail.stalker.com>
At 10:22 AM -0600 11/1/04, NetHead wrote:
>I suspect that somehow the addresses on my mail server have been
>compromised. I have been getting a flood of worm-laden messages, many of
>them showing "FROM:" addresses on our mail server. I wouldn't think much
>of it normally; I'm well aware of the various worms that will hijack the
>address book on an infected computer and use those to forge the "FROM:"
>header. But today I saw one from a brand new e-mail address that has not
>been used yet (at least not to my knowledge).
>
>If I wanted to scour my mail logs for "harvesting" attempts, what key
>words should I use in the filters?

For starters, look for references to the not-yet-used email address.