Hi,

You do realize that g_from_exact fixes this issue?

--Ed

On 05/22/2017 10:44 PM, Peter Ellens wrote:
> Hi Guys
>
> Just thought I would share an interesting spammer operation I found going
> on through our servers.
>
> The spammers use hacked e-mail accounts and only send smallish volumes
> in an effort to avoid detection, but over a number of accounts.
>
> Example. Anything in {description} is variable
>
> Subject: is always empty.
>
> From: is a fake username on a real domain, format {firstName lastName}
> <{randomUserNameHIDDEN@ domain name}>
>
> Body
>
> Good morning {Random name}
>
> http://{randomurls}/{random}.php?cat={random key of somesort}
>
> {same random first name as From line}
>
> As you can see not much to key on.
>
> How I tracked them, warning Linux content :P (sorry windows users, you
> will have to find some other way to do this)
>
> This is run from the directory with all your .rec files in it.
>
> First create a .rec for all e-mails with an empty subject
>
> grep "s=\[\]" {pick a record file}.rec | cut -f 2 -d"[" | cut -f 1 -d"]" | xargs -I {} grep {} {same record file}.rec > empty_subject.rec
>
> This finds all messages with an empty subject, the unique id is
> extracted, the full log for each unique id is extracted
>
> This can take a while.
>
> Then count the number of e-mails each user sent without a subject (all
> users use smtp auth on our servers)
>
> grep smtpauth empty_subject.rec | cut -f 10 -d' ' | cut -f 3 -d= | sort | uniq -c | sort -n
>
> This grabs the line with smtpauth in it, and extracts the username, then
> sorts the list, then counts any duplications
>
> This spits out lots of single instances, but at the bottom you will
> probably find a bunch of much higher users sending out e-mail with a
> blank subject
>
> On average I see < 10 blank e-mails a day from real users and > 200 for
> hacked accounts, so they stick out like a sore thumb
>
> You can then further process to find sending IP etc. but it looks like it's
> from a botnet, lots of IP sources.
>
> Happy hunting
> --

-----------------------------------------------------------
EAS Enterprises LLC
World Class Web and Email Hosting Solutions
IPv6 ready today for your needs of tomorrow!
Ask us about dual-stacking your site
www.easent.net
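The two-step hunt in Peter's post (extract every record of a blank-subject message, then count blank-subject messages per authenticated account) as a set of shell functions. This is an added example written for this page; it is not Peter's or Ed's code and not part of any mail server product. The .rec layout it parses is a constructed assumption modelled only on what the posted grep/cut pipeline keys on: field 3 is the bracketed message id, the data line carries "s=[subject]", and the session line carries "auth=smtpauth=<user>" as field 10 with the client address as "i=<ip>" in field 5. The sample records, the file name, the function names and the threshold of 10 are all assumptions; real record files will need the field positions adjusted. It generalises the post in two ways: the per-id grep loop becomes a two-pass awk over the file, and counting is keyed on the message id so the order of session and data lines does not matter.

```shell
#!/bin/sh
# Added example, not from the post. The record layout below is a constructed
# ASSUMPTION modelled on the fields the posted grep/cut pipeline keys on:
# field 3 = "[id]", data line has "s=[subject]", session line has
# "auth=smtpauth=<user>" as field 10 and "i=<ip>" as field 5.

REC_FILE="${TMPDIR:-/tmp}/blank_subject_sample.rec"

# Constructed sample: alice sends one normal and one blank-subject message,
# bob sends three blank-subject messages from three different IPs.
cat > "$REC_FILE" <<'EOF'
05/22/2017 22:40:01 [m001] session i=203.0.113.5 p=587 h=mail.example.net c=tls x=0 auth=smtpauth=alice@example.net
05/22/2017 22:40:01 [m001] data f=[alice@example.net] s=[Invoice for May]
05/22/2017 22:40:09 [m002] session i=198.51.100.7 p=587 h=mail.example.net c=tls x=0 auth=smtpauth=bob@example.net
05/22/2017 22:40:09 [m002] data f=[bob@example.net] s=[]
05/22/2017 22:40:15 [m003] session i=198.51.100.9 p=587 h=mail.example.net c=tls x=0 auth=smtpauth=bob@example.net
05/22/2017 22:40:15 [m003] data f=[bob@example.net] s=[]
05/22/2017 22:40:22 [m004] session i=192.0.2.44 p=587 h=mail.example.net c=tls x=0 auth=smtpauth=bob@example.net
05/22/2017 22:40:22 [m004] data f=[bob@example.net] s=[]
05/22/2017 22:41:03 [m005] session i=203.0.113.5 p=587 h=mail.example.net c=tls x=0 auth=smtpauth=alice@example.net
05/22/2017 22:41:03 [m005] data f=[alice@example.net] s=[]
EOF

# Step 1 of the post (empty_subject.rec): every record line of a message whose
# subject is empty. Pass one collects the ids, pass two prints their lines,
# replacing the per-id grep loop that "can take a while".
blank_subject_records() {
    awk 'NR == FNR { if (/s=\[\]/) want[$3] = 1; next } ($3 in want)' "$1" "$1"
}

# Step 2 of the post: "count user", highest first, for each authenticated
# account that sent blank-subject mail. Keyed on message id, so it works
# whether the session line comes before or after the data line.
blank_subject_senders() {
    blank_subject_records "$1" | awk '
        /smtpauth/ { split($10, a, "="); user[$3] = a[3] }
        /s=\[\]/   { blank[$3]++ }
        END {
            for (id in blank) if (id in user) n[user[id]] += blank[id]
            for (u in n) print n[u], u
        }' | sort -rn
}

# Accounts above a blank-subject threshold. The post reports < 10 a day from
# real users and > 200 from hacked accounts; the default of 10 is taken from
# that observation and is an assumption, not a product setting.
flag_hijacked() {
    blank_subject_senders "$1" | awk -v t="${2:-10}" '$1 > t { print $2 }'
}

# The post's follow-up: distinct source IPs for one flagged account, which
# shows the many-IP pattern of a botnet driving a single stolen credential.
sender_ips() {
    blank_subject_records "$1" | awk -v u="$2" '
        /smtpauth/ { split($10, a, "="); if (a[3] == u) { sub(/^i=/, "", $5); print $5 } }' | sort -u
}

blank_subject_senders "$REC_FILE"
flag_hijacked "$REC_FILE" 2
sender_ips "$REC_FILE" bob@example.net
```

Run it as-is to see the three outputs on the sample; on a real server point REC_FILE at a day's record file and leave the threshold at its default. Keying the count on the message id rather than on the session line alone is what keeps the per-user totals honest when a session carries several messages or when lines are interleaved across connections.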