Mailing List CGatePro@mail.stalker.com Message #96906
From: Technical Support, Stalker Labs <support@stalker.com>
Subject: Re: New way of sending spam??
Date: Sun, 14 Dec 2008 21:02:10 +0300
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Hello,
 Jeff Wark on 11.12.2008 20:17 wrote:

> [Note: recipient addresses in the logs have been changed to protect the innocent. IP addresses remain the same as do email addresses in the included header sample.]
>
> We have had a customer questioning the amount of bouncebacks he was receiving this morning.
>
> Initially, I just thought that someone had used his email address as the Return-Path and he was getting some backscatter. However, the logs contained the following lines:
>
> 04:58:42.41 4 SMTPI-95731([216.16.236.101]) rsp: 250 SMTP state reset
> 04:58:42.45 4 SMTPI-95731([216.16.236.101]) cmd: MAIL FROM:<>
> 04:58:42.45 4 SMTPI-95731([216.16.236.101]) rsp: 250 <> sender accepted
> 04:58:42.49 4 SMTPI-95731([216.16.236.101]) cmd: RCPT TO:<user1@example.com>
> 04:58:42.49 4 SMTPI-95731([216.16.236.101]) rsp: 250 user1@example.com will leave the Internet
> 04:58:42.49 4 SMTPI-95731([216.16.236.101]) cmd: RCPT TO:<user2@example.com>
> 04:58:42.50 4 SMTPI-95731([216.16.236.101]) rsp: 250 user2@example.com will leave the Internet
> 04:58:42.50 4 SMTPI-95731([216.16.236.101]) cmd: RCPT TO:<user3@example.com>
> 04:58:42.50 4 SMTPI-95731([216.16.236.101]) rsp: 250 user3@example.com will leave the Internet
> 04:58:42.50 4 SMTPI-95731([216.16.236.101]) cmd: RCPT TO:<user4@example.com>
> 04:58:42.50 4 SMTPI-95731([216.16.236.101]) rsp: 250 user4@example.com will leave the Internet
> 04:58:42.75 4 SMTPI-95731([216.16.236.101]) cmd: DATA
> 04:58:42.75 4 SMTPI-95731([216.16.236.101]) rsp: 354 Enter mail, end with "." on a line by itself
> 04:58:42.81 2 SMTPI-95731([216.16.236.101]) [103379590] received, 3408 bytes
> 04:58:42.81 4 SMTPI-95731([216.16.236.101]) rsp: 250 103379590 message accepted for delivery
> 04:58:42.87 4 SMTPI-95731([216.16.236.101]) cmd: RSET
>
> My understanding, limited though it may be, says that empty return paths are generally delivery status notifications of some sort sent to the original sender.

Generally, but not exclusively.

Empty return-path only means that the sender does not want to receive any notifications/bounces about problems delivering that message. The sender can be not only MAILER-DAEMON but anything else, e.g. a mailing list where there can be multiple recipients in one message. So such messages are pretty legitimate.

> If so, how can this message with an empty return path be sent to 4 different people? It seems to me that this is just another clever way to deliver spam to people in that it may more effectively get them to open the message.

> Oh yeah, and the headers in the original bounced message contained no reference to any of the accounts listed up in the logs, or any of our IP addresses:
>
> *snip*
> Received: from aimla.com ([77.127.130.155]) by OPENFIRE.cacrawco.local with Microsoft SMTPSVC(6.0.3790.1830);
> Thu, 11 Dec 2008 06:08:25 -0500
> To: <contractorsauto@crawco.ca>
> Subject: Re: Order status
> From: <contractorsauto@crawco.ca>
> MIME-Version: 1.0
> Importance: High
> Content-Type: text/html
> Return-Path: contractorsauto@crawco.ca
> Message-ID: <OPENFIRESWerOc0Ne0P000012be@OPENFIRE.cacrawco.local>
> X-OriginalArrivalTime: 11 Dec 2008 11:08:25.0626 (UTC) FILETIME=[C9CB5FA0:01C95B80]
> Date: 11 Dec 2008 06:08:25 -0500
> *snip*
>
> So, I guess my question is, can anyone confirm or deny my suspicions or has anyone seen this behaviour before? I thought that there should always be only one recipient if the Return-Path was empty.



--
Sincerely,
Roman

=======================================================================
When answering to letters sent to you by the tech.support staff, make
sure the original message you have received is included into your reply.
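An added example, not part of the thread or of CommuniGate Pro itself: a small Python parser that walks SMTPI log lines of the shape quoted above and reports any transaction that used MAIL FROM:<> and then had two or more recipients accepted before DATA, while leaving a normal single-recipient bounce alone. The log format is taken from the lines in the post; the second session, its client IP and the function name are constructed for the sample.

```python
import re

# Matches the SMTPI log lines quoted in the thread, e.g.
# "04:58:42.45 4 SMTPI-95731([216.16.236.101]) cmd: MAIL FROM:<>"
LINE_RE = re.compile(
    r"SMTPI-(?P<sess>\d+)\(\[(?P<ip>[^\]]+)\]\) (?P<kind>cmd|rsp): (?P<text>.*)$")

def find_null_sender_multi_rcpt(lines, threshold=2):
    """Return (session_id, client_ip, recipients) for every transaction that
    used MAIL FROM:<> and reached DATA with >= threshold accepted recipients."""
    sessions, findings = {}, []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        # Per-session state: empty return path seen, RCPT awaiting its reply, accepted list
        s = sessions.setdefault(m["sess"], {"null": False, "pending": None, "ok": []})
        text = m["text"]
        if m["kind"] == "rsp":
            if s["pending"] is not None and text.startswith("250"):
                s["ok"].append(s["pending"])
            s["pending"] = None
            continue
        cmd = text.upper()
        if cmd.startswith("MAIL FROM:"):
            s.update(null=cmd.split(":", 1)[1].strip().startswith("<>"), ok=[])
        elif cmd.startswith("RCPT TO:"):
            s["pending"] = text.split(":", 1)[1].strip().strip("<>")
        elif cmd == "DATA":
            if s["null"] and len(s["ok"]) >= threshold:
                findings.append((m["sess"], m["ip"], list(s["ok"])))
            s.update(null=False, ok=[])  # report each transaction once, even if RSET follows
        elif cmd == "RSET":
            s.update(null=False, ok=[])
    return findings

# Constructed sample: the thread's session (recipients anonymised as in the post)
# followed by a constructed single-recipient null-sender bounce that must not be flagged.
SAMPLE_LOG = """\
04:58:42.45 4 SMTPI-95731([216.16.236.101]) cmd: MAIL FROM:<>
04:58:42.49 4 SMTPI-95731([216.16.236.101]) cmd: RCPT TO:<user1@example.com>
04:58:42.49 4 SMTPI-95731([216.16.236.101]) rsp: 250 user1@example.com will leave the Internet
04:58:42.49 4 SMTPI-95731([216.16.236.101]) cmd: RCPT TO:<user2@example.com>
04:58:42.50 4 SMTPI-95731([216.16.236.101]) rsp: 250 user2@example.com will leave the Internet
04:58:42.75 4 SMTPI-95731([216.16.236.101]) cmd: DATA
05:01:10.00 4 SMTPI-95740([192.0.2.10]) cmd: MAIL FROM:<>
05:01:10.01 4 SMTPI-95740([192.0.2.10]) cmd: RCPT TO:<user5@example.com>
05:01:10.01 4 SMTPI-95740([192.0.2.10]) rsp: 250 user5@example.com will leave the Internet
05:01:10.02 4 SMTPI-95740([192.0.2.10]) cmd: DATA
""".splitlines()
```

Run `find_null_sender_multi_rcpt(SAMPLE_LOG)` to get the 95731 session with its two recipients; raising or lowering `threshold` tunes how many recipients on an empty return path you are willing to treat as ordinary.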