
I hate spam!

So here I am, wrapping up for the night and doing one last check of email before going to bed. What do I find? Yep, yet another spam. But wait, this one is different: someone messed up, as you can see from the To and From lines:

From: "[%from_name%]" <"[%from_email%]"@open2space.com>
To: <"[%to%]"@open2space.com>

Now that irks me. Someone trying to hijack my domain to send me unwanted mail, and can't be bothered to use their script-kiddie tool properly. And even worse, advertising software like Photoshop, Windows, Office, etc. To me. A tech. Who KNOWS where to find these things for free if I ever wanted to. Who has no NEED for these things because I've embraced the open source solutions.

So, not only do I have a dim-wit who can't use a script kiddie program properly, but he/she is trying to sell ice in the middle of the Antarctic. On the coldest day of the year.

So, of course I have to dig a little. The mail headers seem to be suitably obfuscated. The bulk of the entries are from my own servers, which would be expected, and makes use of my domain name liberally. But then there is this line:

Received: from localhost (unknown [221.212.30.51])

Received from localhost at 221.212.30.51??? When localhost is ALWAYS 127.0.0.1. It's a standard. So, I tried to bring that up in a web browser, with no response. Then I tried to ping it - yep, it's up and running. Next I ran an Nmap scan on that IP, to see what services appear to be running, with the following results:
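As an added illustration (this is not code from the original post), here is a small Python script that does the header check above mechanically: it unfolds the headers, parses each Received hop, flags a hop that claims to be localhost while the connection actually came from a non-loopback address, notes a missing reverse DNS entry, and flags unexpanded mail-merge tokens like the [%from_name%] in the From line. The sample headers are constructed for the example; only the quoted From/To lines and the "from localhost" Received line are taken from the post, and the other hop, host names and dates are invented.

```python
import ipaddress
import re

# Sample message headers constructed for this example. The From/To lines and
# the "from localhost" Received line reproduce what the post quotes; the
# remaining hop, host names and dates are invented to complete a plausible chain.
SAMPLE_HEADERS = """\
Received: from mail.example.test (mail.example.test [192.0.2.10])
\tby mx.example.test with ESMTP; Wed, 29 Mar 2006 02:10:00 -0700
Received: from localhost (unknown [221.212.30.51])
\tby mail.example.test with SMTP; Wed, 29 Mar 2006 02:09:58 -0700
From: "[%from_name%]" <"[%from_email%]"@open2space.com>
To: <"[%to%]"@open2space.com>
Subject: Cheap software
"""

# Matches "Received: from <helo> (<rdns> [<ip>])" as written by common MTAs
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?",
    re.IGNORECASE,
)
# Unexpanded mail-merge tokens such as [%from_name%]
PLACEHOLDER_RE = re.compile(r"\[%[A-Za-z_]+%\]")


def unfold_headers(raw):
    """Join continuation lines (leading whitespace) onto the header they belong to."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line:
            lines.append(line)
    return lines


def parse_received(line):
    """Return {'helo', 'rdns', 'ip'} for a Received header, or None if it does not match."""
    m = RECEIVED_RE.match(line)
    if not m or not m.group("ip"):
        return None
    return {"helo": m.group("helo"), "rdns": m.group("rdns"), "ip": m.group("ip")}


def hop_findings(hop):
    """Check a single Received hop and return a list of human-readable findings."""
    findings = []
    try:
        ip = ipaddress.ip_address(hop["ip"])
    except ValueError:
        return [f"unparseable address {hop['ip']!r} in Received header"]
    helo = hop["helo"].lower()
    if helo == "localhost" and not ip.is_loopback:
        findings.append(f"HELO claims localhost but the connection came from {ip}")
    if hop["rdns"] in (None, "unknown"):
        findings.append(f"no reverse DNS for {ip}")
    return findings


def analyze(raw):
    """Return the apparent origin IP, headers with unexpanded placeholders and all findings."""
    headers = unfold_headers(raw)
    hops = [h for h in (parse_received(line) for line in headers) if h]
    findings = []
    for hop in hops:
        findings.extend(hop_findings(hop))
    placeholder_headers = []
    for line in headers:
        name, _, value = line.partition(":")
        if PLACEHOLDER_RE.search(value):
            placeholder_headers.append(name.strip())
            findings.append(f"unexpanded template token in {name.strip()} header")
    return {
        # Each MTA prepends its own Received header, so the last one is the earliest hop
        "origin_ip": hops[-1]["ip"] if hops else None,
        "placeholder_headers": placeholder_headers,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for finding in analyze(SAMPLE_HEADERS)["findings"]:
        print("-", finding)
```

Run it as-is to see the findings for the sample, or feed `analyze()` the raw header block of a message you have received; the returned `origin_ip` is the address recorded by the first server that accepted the message, which is the only hop a sender cannot rewrite after the fact.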

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-03-29 02:40 MST
Interesting ports on 221.212.30.51:
(The 1668 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
135/tcp  open     msrpc
445/tcp  open     microsoft-ds
1000/tcp open     cadlock
1720/tcp filtered H.323/Q.931

A Microsoft box, why am I not surprised. That means that the originator is probably some unfortunate soul who doesn't know their box has been owned by spyware and/or trojans. That also means the box will likely not be active for too long, and the IP is probably dynamic. (This is just a quick judgment from the open ports - it could be a server, I guess...)

So, do I blacklist the IP? Or the supposed domain the message came from (in one of the other mail headers)? Do I dig deeper and do a reverse whois? (ok, I was curious and did that - the IP originates in China - again I'm not surprised) Do I retaliate? Probably not worth the effort. But the message will be added to the queue for SpamAssassin to learn.

Sigh, I can't wait until Microsoft fixes their products to prevent this sort of abuse. Their specialized security software is totally meaningless until their core product is secured. (Don't believe me? Check out this article.) Which means I'll be sticking with Linux and Open Source for years to come...