mouss writes:
> Arvid Ephraim Picciani wrote:
> > On Tuesday 13 May 2008 16:51:50 Matus UHLAR - fantomas wrote:
> >
> >> I've looked at it and I've (probably) missed it (again). Why do you think
> >> that it pretends to look like backscatter, and why do you think it is not?
> >>
> >
> > backscatter is what happens if mail systems automatically reply to forged
> > From: headers.
> > In this case the mail was never sent over any third party. It claims to be
> > bounceback from my own MTA, while in fact it never went through any MTA
> > (directly sent from dialup).
> > I'm worried that this might be a new form of joe jobbing. Ie someone sends
> > out mails that look like bounceback from your machines.
>
> Fake NDRs have been discussed few years ago. for example, sophos "spam
> and the non-delivery report.." dates back to March 2004.

Sophos are just wrong though. They are assuming that backscatter is being
sent by a spammer, which in almost all cases makes no sense and is (in my
opinion) certainly not the case.

> That said, one possibility is this: Some soho have an MSA on a dsl line.
> a ratwared box inside (or a web service running on the MSA box) sends
> mail to an invalid recipient. the MSA gets rejected and then sends you
> an NDR. the MSA is borked enough to helo with the recipient domain, and
> generates an incomplete NDR.

I think this may be it; some MTAs will qualify a MAIL FROM:<MAILER-DAEMON>
into an envelope sender address of <[EMAIL PROTECTED]>.

certainly an odd case, but I don't see any benefit for a spammer to send
that mail.

--j.
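
The signals discussed in this thread (a MAILER-DAEMON sender in the recipient's own domain, a HELO equal to the recipient domain, direct delivery from a host that is not the site's MTA, and an incomplete NDR) can be checked mechanically. The sketch below is an added example, not code from any poster or from SpamAssassin; `bounce_findings`, the finding labels, the sample message, and the assumption that the topmost `Received:` header is the one written by your own MX are all hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# "from <helo> (<rdns> [<ip>]) by <host>" as written by many MTAs (assumed layout)
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([^\]]+)\]\)\s+by\s+(\S+)", re.I)

# Constructed sample: a "bounce" handed straight to our MX by a DSL client.
SAMPLE = """\
Received: from example.org (dsl-45.example.net [192.0.2.45])
\tby mx.example.org with SMTP id CONSTRUCTED1; Tue, 13 May 2008 16:40:00 +0200
From: MAILER-DAEMON@example.org
To: user@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: text/plain

The message could not be delivered.
"""

def bounce_findings(raw, local_domain, local_mta_ips):
    """Return labels for why a purported local NDR looks inconsistent."""
    msg = message_from_string(raw)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    local, _, domain = sender.lower().partition("@")
    if local != "mailer-daemon":
        return findings                      # not bounce-shaped; nothing to check
    received = msg.get_all("Received", [])
    if domain == local_domain.lower() and received:
        # Unfold the topmost header (added by our own MX) before matching.
        m = RECEIVED_RE.search(" ".join(received[0].split()))
        if m and m.group(3) not in local_mta_ips:
            findings.append("external-source")        # "our" bounce came from outside
            if m.group(1).lower() == local_domain.lower():
                findings.append("helo-is-our-domain")  # client HELO'd as the recipient domain
            if len(received) == 1:
                findings.append("single-hop")          # no relaying MTA in between
    # Weak signal on its own: some MTAs send plain-text bounces.
    if msg.get_content_type() != "multipart/report":
        findings.append("no-dsn-part")
    return findings

if __name__ == "__main__":
    print(bounce_findings(SAMPLE, "example.org", {"192.0.2.10"}))
```
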