On 03/31/2011 08:59 AM, Michael Scheidell wrote:
> all those nice ups.com rules, tests and signatures?
>
> the EXACT same file that was in a ups.com virus? is now being sent
> 'from' dhl.com (come on ups/dhl.. I know SPF is broken, but in this
> case it would sure help us decide if the sending ip is authorized to
> send on your behalf)
What rules? Running `grep -Pri '\b\w?ups' rules*` ('\w?' allows for matching '\bups') hits only one related rule, DOS_FAKE_UPS_TRACK_NUM, which is still in testing (and keys on the word 'UPS' in the subject, not the domain). I'm recalling DHL scams being more prevalent than UPS for a long, long time, but YMMV.

> with some pretty weird received lines: is this 'ipv8'?
>
> received:from smtp1.txfxczpw.net ([11169.98.12888.1258]) by
> relay.cxjrc.com with SMTP; Thu, 31 Mar 2011 09:09:04 -0600
> message-id:<2e9701cbef83$48a30ab0$6500a8c0@MERIDA>

Hah, somebody forgot an upper bound on their random number generator! I've never seen a fake IP octet greater than the three hundreds (TV shows sometimes use those like 555- phone numbers).
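As an added illustration (not part of the thread or of SpamAssassin's own rules), a small Python check for the 'ipv8' pattern quoted above: bracketed dotted quads in Received headers with an octet above 255, which no real IPv4 address can have. The sample message is constructed from the header lines quoted in the thread plus one ordinary Received line.

```python
import email
import re

# Constructed sample message: the bogus Received line from the thread,
# followed by a plausible one, so the check sees both cases.
SAMPLE_MESSAGE = b"""\
Received: from smtp1.txfxczpw.net ([11169.98.12888.1258]) by
 relay.cxjrc.com with SMTP; Thu, 31 Mar 2011 09:09:04 -0600
Received: from mail.example.org ([192.0.2.10]) by mx.example.net with ESMTP;
 Thu, 31 Mar 2011 09:10:00 -0600
Message-ID: <2e9701cbef83$48a30ab0$6500a8c0@MERIDA>
From: nobody@example.com
Subject: test

body
"""

# Any run of four dot-separated digit groups inside square brackets.
# Octets are matched as bare digit runs on purpose: the range check
# happens afterwards, so values like 11169 are caught rather than skipped.
_BRACKETED_QUAD = re.compile(r"\[(\d+)\.(\d+)\.(\d+)\.(\d+)\]")


def bogus_received_ips(raw_message: bytes) -> list:
    """Return every bracketed dotted quad found in Received headers whose
    octets are not all within 0..255, i.e. cannot be a real IPv4 literal."""
    msg = email.message_from_bytes(raw_message)
    found = []
    # get_all returns each Received header, folded continuation lines included.
    for received in msg.get_all("Received", []):
        for match in _BRACKETED_QUAD.finditer(str(received)):
            octets = [int(o) for o in match.groups()]
            if any(o > 255 for o in octets):
                found.append(".".join(match.groups()))
    return found


if __name__ == "__main__":
    # Prints ['11169.98.12888.1258'] for the constructed message.
    print(bogus_received_ips(SAMPLE_MESSAGE))
```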