Hi,

Is anyone seeing a rash of spams with these characteristics?

1) Subject is "RE: Hello"
2) From: header is randomly-generated "first_l...@somedomain.com"
3) Envelope sender is in the nacha.org domain
4) SPF fails
5) Message body consists only of this: "Im fine thanks , RandomFirstName"
6) It seems to be injected directly from a compromised Windows box; our spam analysis is:

    Sending relay 77.30.72.215 appears to run Windows XP
    Sending relay 77.30.72.215 link type appears to be DSL
    1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
    5 SPF query returned 'fail'
    0 DKIM query returned none (d=rsla.com)
    Custom Rule 37: (1.2 points) relay contains [
    4.6 Originated from country-code SA
    Compound Rule 9 (Mail from Windows XP box): (1.0 points)
    Word: domain*nacha.org (0.990)
    Word: fine (0.990)
    Word: fine+thanks (0.990)
    Word: fpof*XP (0.990)
    Word: fpos*Windows (0.990)
    Word: fpos*Windows+XP (0.990)
    Word: gctld*SA+org (0.990)
    Word: gi*SA+06+Dammam (0.990)
    Word: s*Hello (0.990)
    Word: s*RE (0.990)
    Word: s*RE+Hello (0.990)
    Word: gr*SA+06 (0.981)
    Word: gl*26+50 (0.978)
    Word: fpos*Windows+XP+DSL (0.962)
    Word: Bryon (0.940)

Can anyone guess what the point of these is?

Regards,

David.
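
Added example, not part of the original post or of the poster's filter: a small Python check that counts how many of traits 1 to 5 above a stored message shows, so a mail admin can sweep a quarantine for this campaign. It assumes the receiving MTA records the envelope sender in Return-Path and the SPF result in Received-SPF; both sample messages are constructed, and trait 6 is left out because the OS fingerprint and rDNS lookup exist only at connection time.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not from the post). Header layout is an assumption:
# Return-Path = envelope sender, Received-SPF = result stamped by our MTA.
SAMPLE_SPAM = """\
Return-Path: <bounce@nacha.org>
Received-SPF: fail (constructed example)
From: Bryon Example <bryon_e@somedomain.example>
Subject: RE: Hello

Im fine thanks , Bryon
"""

SAMPLE_HAM = """\
Return-Path: <alice@example.org>
Received-SPF: pass (constructed example)
From: Alice <alice@example.org>
Subject: RE: Hello

I'm fine, thanks. Can we move the meeting to Thursday?
Alice
"""

# Trait 5: the body is nothing but the greeting plus one capitalised name.
BODY_RE = re.compile(r"^Im fine thanks\s*,\s*[A-Z][a-z]+$")

def domain(addr_header):
    addr = parseaddr(addr_header or "")[1]
    return addr.rpartition("@")[2].lower()

def matched_traits(raw):
    msg = message_from_string(raw)
    env_dom = domain(msg["Return-Path"])
    from_dom = domain(msg["From"])
    spf = (msg["Received-SPF"] or "").split(None, 1)
    body = msg.get_payload().strip()
    checks = {
        "subject": (msg["Subject"] or "").strip() == "RE: Hello",
        "envelope_nacha": env_dom == "nacha.org",
        "from_mismatch": bool(from_dom) and from_dom != env_dom,
        "spf_fail": bool(spf) and spf[0].lower() == "fail",
        "body_only_greeting": bool(BODY_RE.match(body)),
    }
    return [name for name, hit in checks.items() if hit]

def is_campaign(raw, threshold=4):
    # One trait alone (e.g. the subject) is common in legitimate mail.
    return len(matched_traits(raw)) >= threshold
```

The threshold of 4 is an illustrative choice; the subject line on its own matches ordinary replies, as the second sample shows.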