[Esa-l]"Cloaking" version of Sircam

Camden Spiller camden at arrowtech.net
Wed Aug 1 13:49:28 PDT 2001


I've also got a few Sircams from prodigy.net.mx with headers including:

Return-path: <"*^L ^A^L^A"@prodigy.net.mx>
Received: from panam2.panam.edu ([129.113.1.3])
        by my.mail.server with esmtp (Exim 3.22 #1)
        id 15RJbj-00072V-00

Does anyone recognize that "*^L ^A^L^A" part as a common exploit attempt?

Camden


----- Original Message -----
From: "Brett Glass" <brett at lariat.org>
To: <esa-l at spconnect.com>
Sent: Wednesday, August 01, 2001 3:04 PM
Subject: [Esa-l]"Cloaking" version of Sircam


> Just got a copy of Sircam with the following headers:
>
> >> From Student.Publications at prodigy.net.mx  Wed Aug  1 13:34:34 2001
> >> Return-Path: <Student.Publications at prodigy.net.mx>
> >> Received: from portia.cc.emory.edu (portia.cc.emory.edu [170.140.204.3])
> >>       by lariat.org (8.9.3/8.9.3) with ESMTP id NAA18398
> >>       for <brett at lariat.org>; Wed, 1 Aug 2001 13:34:29 -0600 (MDT)
> >> Received: from Student (dhcp19739.duc.emory.edu [170.140.197.39])
> >>       by portia.cc.emory.edu (8.10.2/8.10.2) with SMTP id f71JYSr09285
> >>       for <brett at lariat.org>; Wed, 1 Aug 2001 15:34:29 -0400 (EDT)
> >> Message-Id: <200108011934.f71JYSr09285 at portia.cc.emory.edu>
> >> From: "Student Publications"<Student.Publications at prodigy.net.mx>
> >> To: brett at lariat.org
> >> Subject: manifest
> >> date: Wed, 1 Aug 2001 03:37:57 -0400
> >> MIME-Version: 1.0
>
> Note that it's disguising itself as a customer of the Mexican
> Prodigy service when in fact the mail didn't touch any of Prodigy's
> servers; it came from emory.edu. (I suspect that the mail actually
> originated from "Student.Publications at emory.edu", though I haven't
> confirmed this yet.) This means that, as with Hybris, most recipients
> won't be able to determine how to send abuse reports. Nasty.
>
> --Brett Glass
> _______________________________________________
> E-mail Security Announce list mailing list
> E-mail Security Announce list at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esa-l
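As an added example (not part of either poster's message), the following Python script does mechanically what Brett did by hand: it pulls the claimed From: domain, walks the Received: chain to find the injecting host and the relay that handed the message over, and reports whether the claimed domain appears anywhere in that chain. The headers are reconstructed from the quoted message with the archive's " at " obfuscation turned back into "@"; Camden's Return-path is reconstructed from its caret notation (^L is form feed, ^A is SOH).

```python
import email
import re
from email.utils import parseaddr

# Headers reconstructed from the message Brett Glass quoted above (constructed
# sample; the archive's " at " obfuscation is turned back into "@").
SAMPLE_HEADERS = """\
Return-Path: <Student.Publications@prodigy.net.mx>
Received: from portia.cc.emory.edu (portia.cc.emory.edu [170.140.204.3])
        by lariat.org (8.9.3/8.9.3) with ESMTP id NAA18398
        for <brett@lariat.org>; Wed, 1 Aug 2001 13:34:29 -0600 (MDT)
Received: from Student (dhcp19739.duc.emory.edu [170.140.197.39])
        by portia.cc.emory.edu (8.10.2/8.10.2) with SMTP id f71JYSr09285
        for <brett@lariat.org>; Wed, 1 Aug 2001 15:34:29 -0400 (EDT)
From: "Student Publications" <Student.Publications@prodigy.net.mx>
"""
# Camden's Return-path with the caret notation ^L / ^A decoded (FF and SOH bytes).
CAMDEN_RETURN_PATH = '<"*\x0c \x01\x0c\x01"@prodigy.net.mx>'
# "from <helo> (<reverse-dns> [<ip>])" as written by sendmail-style MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)", re.I)


def sender_domain(header_value):
    """Lower-cased domain of the address in a From/Return-Path header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def relay_hops(msg):
    """(helo, reverse-dns, ip) per Received header, newest hop first."""
    matches = (RECEIVED_RE.search(r) for r in msg.get_all("Received", []))
    return [(m["helo"], m["rdns"] or "", m["ip"]) for m in matches if m]


def suspicious_return_path(value):
    """True if the envelope sender contains control characters."""
    return any(ord(c) < 32 or ord(c) == 127 for c in value)


def analyze(raw):
    """Compare the claimed From: domain with the hosts in the Received chain."""
    msg = email.message_from_string(raw)
    claimed = sender_domain(msg["From"])
    hops = relay_hops(msg)
    names = [n.lower() for hop in hops for n in hop[:2] if n]
    return {
        "claimed_domain": claimed,
        "origin_host": hops[-1][1] if hops else "",  # oldest hop injected it
        "first_relay": hops[0][1] if hops else "",  # newest hop: abuse contact
        "claimed_domain_in_path": any(n == claimed or n.endswith("." + claimed)
                                      for n in names),
    }
```

For Brett's sample the claimed domain never appears in the chain and the abuse report belongs with the emory.edu relay; Camden's Return-path is flagged purely for its control bytes, which says nothing about the sending host.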
