On 15/12/2009 07:25, Rajkumar S wrote:
> Occasionally I receive mail from compromised webmail accounts asking
> for the user name and password of my users. The source IPs are usually
> clean (as they are legitimate mail servers) and do not trigger any
> IP-based rules. Usually one or two mail accounts are used to pump
> mails via webmail after authentication.
> I have pasted one such (slightly edited) mail at http://pastebin.ca/1715399
> It is interesting to note that the victim was using a Barracuda
> anti-spam appliance which also failed to catch this spam. Any ideas
> to tackle such spam are very much welcome.
That particular email was sent from a host in Nigeria connecting to a
host in Brazil. The Nigerian host is listed on Barracuda, the SBL and
the XBL. The From header uses a domain name that isn't registered
(swinepro.net) and a freemail Reply-To. It's also currently hitting Pyzor.
--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Technical Blog: https://secure.grepular.com/blog/
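The two header-level signals Mike points out (a From domain that does not resolve, and a freemail Reply-To that differs from the From domain) can be checked before any content filter runs. The script below is an added example, not code from either poster or from SpamAssassin; the freemail list is an assumed stub, the resolver is injectable so the check runs offline, and the sample message is constructed (only the swinepro.net domain comes from the thread).

```python
"""Triage a message for the two header signals discussed in the thread."""
import email
import socket
from email.utils import parseaddr

# Assumed, deliberately short freemail list; a real deployment would use a
# maintained list (e.g. SpamAssassin's FreeMail plugin data).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "live.com"}


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def dns_resolves(domain):
    """Live check: does the domain resolve at all? (unregistered -> False)"""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def phishing_signals(raw_message, resolves=dns_resolves):
    """Return the list of header signals found; empty list means none."""
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    signals = []
    if from_dom and not resolves(from_dom):
        signals.append("from_domain_unresolvable")
    if reply_dom in FREEMAIL_DOMAINS and reply_dom != from_dom:
        signals.append("freemail_reply_to_mismatch")
    return signals


# Constructed sample modelled on the thread's description; not the pastebin.
SAMPLE = """From: Webmail Support <admin@swinepro.net>
Reply-To: webmail-desk@yahoo.com
Subject: Account verification required
To: user@example.org

Please reply with your user name and password to keep your account.
"""

if __name__ == "__main__":
    # Stub resolver so the demo runs offline: only swinepro.net fails.
    print(phishing_signals(SAMPLE, resolves=lambda d: d != "swinepro.net"))
```

Either signal alone is only a scoring hint; scoring them together with a network test such as Pyzor, as Mike's reply suggests, is what separates this traffic from legitimate mail relayed by the same clean IPs.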