Mailing List SIMS@mail.stalker.com Message #15133
From: Bill Cole <listbill@scconsult.com>
Subject: Re: Spambot, Right?
Date: Wed, 21 Sep 2005 19:34:58 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
At 4:08 PM -0700 9/21/05, Warren Michelsen imposed structure on a stream of electrons, yielding:
This does not appear to be the behavior of a legitimate MTA:

20:28:56 1 SMTP-889([24.14.235.89]) SPAM? Recipient '<blah@blah>' rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
20:28:56 1 SMTP-890([24.14.235.89]) SPAM? Host is blacklisted per RBL sbl-xbl.spamhaus.org with result [127.0.0.4]
20:28:57 1 SMTP-890([24.14.235.89]) SPAM? Recipient '<blah@blah>' rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
20:28:57 1 SMTP-891([24.14.235.89]) SPAM? Host is blacklisted per RBL sbl-xbl.spamhaus.org with result [127.0.0.4]
20:28:57 1 SMTP-891([24.14.235.89]) SPAM? Recipient '<blah@blah>' rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
20:28:57 1 SMTP-892([24.14.235.89]) SPAM? Host is blacklisted per RBL sbl-xbl.spamhaus.org with result [127.0.0.4]
20:28:58 1 SMTP-892([24.14.235.89]) SPAM? Recipient '<blah@blah>' rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
20:28:58 1 SMTP-893([24.14.235.89]) SPAM? Host is blacklisted per RBL sbl-xbl.spamhaus.org with result [127.0.0.4]
20:28:58 1 SMTP-893([24.14.235.89]) SPAM? Recipient '<blah@blah>' rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
20:28:58 1 SMTP-894([24.14.235.89]) SPAM? Host is blacklisted per RBL sbl-xbl.spamhaus.org with result [127.0.0.4]
20:28:59 1 SMTP-894([24.14.235.89]) SPAM? Recipient '<blah@blah>' rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"


blah@blah replaces the actual recipient but the recipient is the same in all instances. IOW, six simultaneous connections from the same IP address to send to the same recipient. Looks like a spambot to me.

Probably a good reason it's in sbl-xbl. Or could this be legit?

Some legitimate mail servers can behave that way. Notably (for charitable definitions of 'legitimate') qmail has been known to.

24.14.235.89 is c-24-14-235-89.hsd1.il.comcast.net.

i.e. some residential cable modem without anyone who cares about its name.

Note that it got to the SBL-XBL by way of the XBL, which draws from the CBL. This means that it has done things that look very much like a compromised machine while sending mail to an address in the CBL spamtrap, and that's an extremely reliable way to tell that a machine is in fact compromised.


--
Bill Cole
bill@scconsult.com
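The two observations in this exchange, several parallel SMTP sessions from one IP to one recipient and the RBL result value that tells you which Spamhaus component listed the host, can both be pulled out of the SIMS log mechanically. The following is an added example written for this page, not code from the thread, from SIMS or from Stalker: it parses the log lines quoted above, counts distinct SMTP sessions per source IP inside a sliding time window, and decodes the sbl-xbl.spamhaus.org return code (127.0.0.4 being the XBL entry fed from the CBL, which is what Bill's "by way of the XBL" reading rests on). The log line layout is assumed to be exactly as posted; the five-second window and the threshold of four sessions are arbitrary constructed values for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# SIMS log lines as quoted in the thread (recipient already masked as blah@blah).
SAMPLE_LOG = """\
20:28:56 1 SMTP-889([24.14.235.89]) SPAM? Recipient '<blah@blah>' rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
20:28:56 1 SMTP-890([24.14.235.89]) SPAM? Host is blacklisted per RBL sbl-xbl.spamhaus.org with result [127.0.0.4]
20:28:57 1 SMTP-890([24.14.235.89]) SPAM? Recipient '<blah@blah>' rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
20:28:57 1 SMTP-891([24.14.235.89]) SPAM? Host is blacklisted per RBL sbl-xbl.spamhaus.org with result [127.0.0.4]
20:28:57 1 SMTP-891([24.14.235.89]) SPAM? Recipient '<blah@blah>' rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
20:28:57 1 SMTP-892([24.14.235.89]) SPAM? Host is blacklisted per RBL sbl-xbl.spamhaus.org with result [127.0.0.4]
20:28:58 1 SMTP-892([24.14.235.89]) SPAM? Recipient '<blah@blah>' rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
20:28:58 1 SMTP-893([24.14.235.89]) SPAM? Host is blacklisted per RBL sbl-xbl.spamhaus.org with result [127.0.0.4]
20:28:58 1 SMTP-893([24.14.235.89]) SPAM? Recipient '<blah@blah>' rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
20:28:58 1 SMTP-894([24.14.235.89]) SPAM? Host is blacklisted per RBL sbl-xbl.spamhaus.org with result [127.0.0.4]
20:28:59 1 SMTP-894([24.14.235.89]) SPAM? Recipient '<blah@blah>' rejected: sending host is blacklisted, "sbl-xbl.spamhaus.org"
"""

# Assumed layout: "<HH:MM:SS> <level> SMTP-<session>([<ip>]) <message>"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) \d+ SMTP-(?P<session>\d+)"
    r"\(\[(?P<ip>[\d.]+)\]\) (?P<msg>.*)$"
)
RESULT_RE = re.compile(r"per RBL (?P<zone>\S+) with result \[(?P<code>[\d.]+)\]")

# Return codes of the combined sbl-xbl.spamhaus.org zone: 127.0.0.2 is an SBL
# listing; 127.0.0.4 is the XBL entry sourced from the CBL, i.e. the host was
# seen behaving like a compromised machine; 127.0.0.5-7 are other XBL sources.
SPAMHAUS_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.4": "XBL (CBL feed: compromised host)",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
}


def decode_rbl_result(code):
    """Map an A-record value returned by the RBL to the list that produced it."""
    return SPAMHAUS_CODES.get(code, "unknown code %s" % code)


def parse_line(line):
    """Split one SIMS SMTP log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%H:%M:%S")
    r = RESULT_RE.search(rec["msg"])
    rec["rbl_zone"] = r.group("zone") if r else None
    rec["rbl_code"] = r.group("code") if r else None
    return rec


def parse_log(text):
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def sessions_by_ip(records):
    """ip -> {session id -> timestamp of the first log line seen for that session}"""
    first_seen = defaultdict(dict)
    for rec in records:
        seen = first_seen[rec["ip"]]
        if rec["session"] not in seen or rec["time"] < seen[rec["session"]]:
            seen[rec["session"]] = rec["time"]
    return first_seen


def burst_sources(records, window=timedelta(seconds=5), threshold=4):
    """Return {ip: peak session count} for IPs that opened at least `threshold`
    distinct SMTP sessions whose first log line falls inside one sliding window.
    Window and threshold are constructed defaults, not SIMS settings."""
    flagged = {}
    for ip, sessions in sessions_by_ip(records).items():
        times = sorted(sessions.values())
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def rbl_verdicts(records):
    """ip -> set of decoded RBL results observed for that IP."""
    out = defaultdict(set)
    for rec in records:
        if rec["rbl_code"]:
            out[rec["ip"]].add(decode_rbl_result(rec["rbl_code"]))
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, count in burst_sources(recs).items():
        print("%s: %d parallel sessions; RBL says %s"
              % (ip, count, ", ".join(sorted(rbl_verdicts(recs)[ip]))))
```

Run against the quoted excerpt it reports six sessions (889 through 894) from 24.14.235.89 inside a three-second span, all returning the CBL-sourced XBL code, which is the combination the thread is reasoning from. A legitimate MTA retrying a deferred message would normally show one session at a time with a back-off between attempts, so the session count per window, not the blacklist hit alone, is the useful discriminator here.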
