[SURBL-Discuss] Forge SURBL mail from gfi.com, just minutes ago.

Matthew Wilson matthew at boomer.com
Fri Apr 8 07:54:23 CEST 2005


What's even funnier is that GFI just announced yesterday they are
building SURBL checking into their anti-spam software (which, by the
way, is very widely used on Exchange servers in the USA).  

http://www.gfi.com/news/en/mes11launch.htm

Matthew Wilson, MCSE (2003), MCSA-Messaging
Network Administrator
matthew at boomer.com
Boomer Consulting, Inc.
610 Humboldt
Manhattan, KS 66502
http://www.boomer.com
1-888-266-6375 x 17
 

> -----Original Message-----
> From: discuss-bounces at lists.surbl.org 
> [mailto:discuss-bounces at lists.surbl.org] On Behalf Of List Mail User
> Sent: Friday, April 08, 2005 12:46 AM
> To: discuss at lists.surbl.org; spamassassin at dostech.ca
> Cc: track at plectere.com; postmaster at gfi.com; abuse at gfi.com
> Subject: Re: [SURBL-Discuss] Forge SURBL mail from gfi.com, 
> just minutes ago.
> 
> >...
> >
> >List Mail User wrote:
> >> P.S.  I refused it, so I don't know what it was.  I do know the
> >> domain registration is false;  There is no city named "San Gwann"
> >> in the country of Malta.
> >
> >http://www.holidays-malta.com/locality_info/san_gwann.htm
> >
> >
> 	Apparently not a "city" but a recognized "village"; I 
> guess it's like living in unincorporated parts of LA.  Note 
> the company claims to be "GFI Software Ltd" and sell 
> anti-spam, anti-virus and email products.
> Did anyone actually receive the email?  Was it just directed at me?
> Another batch of attempts just occurred:
> 
> Apr  7 22:22:26 mailhub postfix/qmgr[14119]: D6A9C6A44: removed
> Apr  7 22:22:31 mailhub postfix/smtpd[24110]: connect from mailgate.gfi.com[80.85.99.13]
> Apr  7 22:22:32 mailhub postfix/smtpd[24110]: NOQUEUE: reject: RCPT from mailgate.gfi.com[80.85.99.13]: 450 <passthrough>: Helo command rejected: Host not found; from=<discuss-bounces at lists.surbl.org> to=<track at plectere.com> proto=ESMTP helo=<passthrough>
> Apr  7 22:22:33 mailhub postfix/smtpd[24110]: lost connection after RSET from mailgate.gfi.com[80.85.99.13]
> Apr  7 22:22:33 mailhub postfix/smtpd[24110]: disconnect from mailgate.gfi.com[80.85.99.13]
> Apr  7 22:22:33 mailhub postfix/smtpd[24110]: connect from mailgate.gfi.com[80.85.99.13]
> Apr  7 22:22:34 mailhub postfix/smtpd[24110]: NOQUEUE: reject: RCPT from mailgate.gfi.com[80.85.99.13]: 450 <passthrough>: Helo command rejected: Host not found; from=<discuss-bounces at lists.surbl.org> to=<track at plectere.com> proto=ESMTP helo=<passthrough>
> Apr  7 22:22:34 mailhub postfix/smtpd[24110]: lost connection after RSET from mailgate.gfi.com[80.85.99.13]
> Apr  7 22:22:34 mailhub postfix/smtpd[24110]: disconnect from mailgate.gfi.com[80.85.99.13]
> Apr  7 22:22:34 mailhub postfix/smtpd[24110]: connect from mailgate.gfi.com[80.85.99.13]
> Apr  7 22:22:35 mailhub postfix/smtpd[24110]: NOQUEUE: reject: RCPT from mailgate.gfi.com[80.85.99.13]: 450 <passthrough>: Helo command rejected: Host not found; from=<discuss-bounces at lists.surbl.org> to=<track at plectere.com> proto=ESMTP helo=<passthrough>
> Apr  7 22:22:36 mailhub postfix/smtpd[24110]: lost connection after RSET from mailgate.gfi.com[80.85.99.13]
> Apr  7 22:22:36 mailhub postfix/smtpd[24110]: disconnect from mailgate.gfi.com[80.85.99.13]
> Apr  7 22:22:36 mailhub postfix/smtpd[24110]: connect from mailgate.gfi.com[80.85.99.13]
> Apr  7 22:22:37 mailhub postfix/smtpd[24110]: NOQUEUE: reject: RCPT from mailgate.gfi.com[80.85.99.13]: 450 <passthrough>: Helo command rejected: Host not found; from=<discuss-bounces at lists.surbl.org> to=<track at plectere.com> proto=ESMTP helo=<passthrough>
> Apr  7 22:22:37 mailhub postfix/smtpd[24110]: lost connection after RSET from mailgate.gfi.com[80.85.99.13]
> Apr  7 22:22:37 mailhub postfix/smtpd[24110]: disconnect from mailgate.gfi.com[80.85.99.13]
> 
> 
> 	If they are legitimate, I certainly wouldn't want to 
> buy any anti-virus or anti-spam software from these people!
> 
> 	They are running an open relay:
> 
> % telnet mailgate.gfi.com 25
> Trying 80.85.99.13...
> Connected to mailgate.gfi.com.
> Escape character is '^]'.
> 220 mailgate.gfi.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at  Fri, 8 Apr 2005 07:43:44 +0200
> helo plectere.com
> 250 mailgate.gfi.com Hello [64.32.188.109]
> mail from: <>
> 250 2.1.0 <>....Sender OK
> rcpt to: <test at plectere.com>
> 250 2.1.5 test at plectere.com
> quit
> 221 2.0.0 mailgate.gfi.com Service closing transmission channel
> Connection closed by foreign host.
> 
> 	Paul Shupak
> 	track at plectere.com
> _______________________________________________
> Discuss mailing list
> Discuss at lists.surbl.org
> http://lists.surbl.org/mailman/listinfo/discuss