Re: Curious "spam" (or broken viral payload)...

From: GertJan Hagenaars (incidentsat_private)
Date: Wed Jan 08 2003 - 19:04:14 PST


    I've seen it too (today), I forwarded the (complete) message on to the
    email address mentioned in the error message and I received this reply
    back:
    
    %% Thanx a lot, i have just found what is the error about!
    %% 
    %% I got 5 messages like yours and yours is the only one which helped
    %% me to find the reasons, thanx again!
    %% 
    %% Wednesday, January 8, 2003, 7:24:06 AM, you wrote:
    %% 
    %% GH> Hi there,
    %% 
    %% GH> not sure why I got this message, but someone might be trying to 
    %% GH> use your machine to send spam through.  Thought you might like to 
    %% GH> check it out.
    %% 
    %% GH> CHeers,
    
    The original SPAM that I got had an empty Subject line.
    
    No.  No idea who, what or why.  Would be interesting to find out exactly
    what the heck was going on.  For now I'm willing to think that it was just
    a case of a spammer finding a potential box with standard misbehaving
    tools (formmail??) and getting bitten by a misconfiguration in the
    script / the server.
    
    CHeers,
    GertJan.
    
    +++++++++++++ -------- +++++ --- ++ - +0+ + ++ +++ +++++ ++++++++ +++++++++++++
    sed '/^[when][coders]/!d         G.J.W. Hagenaars -- gj at hagenaars dot com
        /^...[discover].$/d          Remembering Mike Carty 1968-1994
       /^..[real].[code]$/!d         UltrixIrixAIXHPUXSunOSLinuxBSD, nothing but nix
    ' /usr/dict/words                I'm Dutch, what's _your_ excuse?
    
    
    Apparently, Jay D. Dyson wrote:
    % Hi folks,
    % 
    % 	I deal with despamming quite a bit, so I like to think I've seen
    % it all by now.  Even so, this one has me flummoxed.
    % 
    % 	The following e-mail (appended to the end of this note) arrived in
    % my mailbox with a currently-popular spam subject ("New concept of giving
    % for [userid]").  The body of the message was base64 encoded.  So I did my
    % ARIN lookup on the sender, began composing my complaint to the offending
    % ISP, and then decoded the base64 content. 
    % 
    % 	That's where I stopped on a dime.  The message wasn't anything
    % remotely resembling a pitch.  In fact, it was a verbatim Apache error
    % message (listed following the appended e-mail).
    % 
    % 	So, all things considered, am I:
    % 
    % 	1.  looking at the output from a broken mail worm, or;
    % 	2.  dealing with a second- or third-rate spammer who just doesn't
    % 	    know what the heck he's spewing out, or;
    % 	3.  receiving an attempted spam mail through a broken web->mail
    % 	    gateway, or;
    % 	4.  none of the above?
    % 
    % 	Right now I'm leaning toward the likelihood of item #3 since the
    % mail headers have all the hallmarks of a spam message (forged From: data,
    % contemporary spam subject, base64 encoding), but the content just throws
    % me off.  It's obviously not a sales pitch and, near as I can see, is a
    % genuine Apache error report.  I guess with the proliferation of viral and
    % spam trickery with header data, the line between these two forms of
    % unsolicited bulk e-mail has blurred.
    % 
    % 	As an aside, I went to the IP listed in the error and there is
    % such a server at that IP and it is running the listed Apache version.
    % 
    % 	So what's the consensus?  Anyone else seen this in their inbox?
    % 
    % -Jay
    % 
    % -----BEGIN ATTACHED MESSAGE-----
    % 
    % Return-Path: <Verenash@mail-online.dk>
    % Delivered-To: [redacted]
    % Received: (qmail 7586 invoked from network); 8 Jan 2003 15:05:16 -0000
    % Received: from ca-yuccavalley2a-187.vnnyca.adelphia.net (HELO tboeokc) (68.66.228.187)
    %   by mail.treachery.net with SMTP; 8 Jan 2003 15:05:16 -0000
    % From: Freda Craig <Verenash@mail-online.dk>
    % To: [redacted]
    % Subject: New concept of giving for [redacted]
    % Date: Wed, 08 Jan 2003 07:14:19 -0800
    % Content-Type: text/plain
    % Content-Transfer-Encoding: base64
    % Message-Id: <bclsobwt@mail-online.dk>
    % Content-Length: 825
    % 
    % PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9JRVRGLy9EVEQgSFRNTCAyLjAvL0VOIj4NCjxI
    % VE1MPjxIRUFEPg0KPFRJVExFPjUwMCBJbnRlcm5hbCBTZXJ2ZXIgRXJyb3I8L1RJVExFPg0K
    % PC9IRUFEPjxCT0RZPg0KPEgxPkludGVybmFsIFNlcnZlciBFcnJvcjwvSDE+DQpUaGUgc2Vy
    % dmVyIGVuY291bnRlcmVkIGFuIGludGVybmFsIGVycm9yIG9yDQptaXNjb25maWd1cmF0aW9u
    % IGFuZCB3YXMgdW5hYmxlIHRvIGNvbXBsZXRlDQp5b3VyIHJlcXVlc3QuPFA+DQpQbGVhc2Ug
    % Y29udGFjdCB0aGUgc2VydmVyIGFkbWluaXN0cmF0b3IsDQogYXJyb0BhcnJvLnJ1IGFuZCBp
    % bmZvcm0gdGhlbSBvZiB0aGUgdGltZSB0aGUgZXJyb3Igb2NjdXJyZWQsDQphbmQgYW55dGhp
    % bmcgeW91IG1pZ2h0IGhhdmUgZG9uZSB0aGF0IG1heSBoYXZlDQpjYXVzZWQgdGhlIGVycm9y
    % LjxQPg0KTW9yZSBpbmZvcm1hdGlvbiBhYm91dCB0aGlzIGVycm9yIG1heSBiZSBhdmFpbGFi
    % bGUNCmluIHRoZSBzZXJ2ZXIgZXJyb3IgbG9nLjxQPg0KPEhSPg0KPEFERFJFU1M+QXBhY2hl
    % LzEuMy4yMCBTZXJ2ZXIgYXQgMjA5LjUxLjE0Mi4xNDAgUG9ydCA4MDwvQUREUkVTUz4NCjwv
    % Qk9EWT48L0hUTUw+DQo=
    % 
    % ----- END ATTACHED MESSAGE -----
    % 
    % 
    % -----BEGIN DECODED CONTENTS-----
    % 
    % <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    % <HTML><HEAD>
    % <TITLE>500 Internal Server Error</TITLE>
    % </HEAD><BODY>
    % <H1>Internal Server Error</H1>
    % The server encountered an internal error or
    % misconfiguration and was unable to complete
    % your request.<P>
    % Please contact the server administrator,
    %  arroat_private and inform them of the time the error occurred,
    % and anything you might have done that may have
    % caused the error.<P>
    % More information about this error may be available
    % in the server error log.<P>
    % <HR>
    % <ADDRESS>Apache/1.3.20 Server at 209.51.142.140 Port 80</ADDRESS>
    % </BODY></HTML>
    % 
    % ----- END DECODED CONTENTS -----
    % 
    % 
    % 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
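As an added example (not code from the thread), a small Python triage routine that does by script what Jay describes doing by hand: parse the attached message, decode the base64 body, pull the first-hop IP from the Received header, and check whether the body is an HTTP error page rather than a pitch. The sample message is the one quoted above with the redacted recipient headers trimmed; the field names and the "http-error-page" verdict are this example's own conventions.

```python
import email
import re

# Raw message as attached in the thread (recipient headers dropped; the
# base64 body is copied verbatim from the post).
RAW_MESSAGE = """\
Return-Path: <Verenash@mail-online.dk>
Received: from ca-yuccavalley2a-187.vnnyca.adelphia.net (HELO tboeokc) (68.66.228.187)
  by mail.treachery.net with SMTP; 8 Jan 2003 15:05:16 -0000
From: Freda Craig <Verenash@mail-online.dk>
Subject: New concept of giving for [redacted]
Content-Type: text/plain
Content-Transfer-Encoding: base64

PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9JRVRGLy9EVEQgSFRNTCAyLjAvL0VOIj4NCjxI
VE1MPjxIRUFEPg0KPFRJVExFPjUwMCBJbnRlcm5hbCBTZXJ2ZXIgRXJyb3I8L1RJVExFPg0K
PC9IRUFEPjxCT0RZPg0KPEgxPkludGVybmFsIFNlcnZlciBFcnJvcjwvSDE+DQpUaGUgc2Vy
dmVyIGVuY291bnRlcmVkIGFuIGludGVybmFsIGVycm9yIG9yDQptaXNjb25maWd1cmF0aW9u
IGFuZCB3YXMgdW5hYmxlIHRvIGNvbXBsZXRlDQp5b3VyIHJlcXVlc3QuPFA+DQpQbGVhc2Ug
Y29udGFjdCB0aGUgc2VydmVyIGFkbWluaXN0cmF0b3IsDQogYXJyb0BhcnJvLnJ1IGFuZCBp
bmZvcm0gdGhlbSBvZiB0aGUgdGltZSB0aGUgZXJyb3Igb2NjdXJyZWQsDQphbmQgYW55dGhp
bmcgeW91IG1pZ2h0IGhhdmUgZG9uZSB0aGF0IG1heSBoYXZlDQpjYXVzZWQgdGhlIGVycm9y
LjxQPg0KTW9yZSBpbmZvcm1hdGlvbiBhYm91dCB0aGlzIGVycm9yIG1heSBiZSBhdmFpbGFi
bGUNCmluIHRoZSBzZXJ2ZXIgZXJyb3IgbG9nLjxQPg0KPEhSPg0KPEFERFJFU1M+QXBhY2hl
LzEuMy4yMCBTZXJ2ZXIgYXQgMjA5LjUxLjE0Mi4xNDAgUG9ydCA4MDwvQUREUkVTUz4NCjwv
Qk9EWT48L0hUTUw+DQo=
"""

def triage(raw: str) -> dict:
    """Decode the body and report whether it is an HTTP error page, not a pitch."""
    msg = email.message_from_string(raw)
    cte = (msg.get("Content-Transfer-Encoding") or "7bit").lower()
    # get_payload(decode=True) honours the Content-Transfer-Encoding header.
    body = msg.get_payload(decode=True).decode("latin-1", "replace")
    # First relay hop: the literal IP the receiving MTA logged in parentheses.
    hop = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", msg.get("Received", ""))
    # Apache error pages carry "<TITLE>NNN reason</TITLE>" and an <ADDRESS> banner.
    title = re.search(r"<TITLE>\s*(\d{3})\s+([^<]+?)\s*</TITLE>", body, re.I)
    banner = re.search(r"<ADDRESS>([^<]*)</ADDRESS>", body, re.I)
    origin = re.search(r"Server at (\S+) Port (\d+)", banner.group(1)) if banner else None
    return {
        "transfer_encoding": cte,
        "sender_ip": hop.group(1) if hop else None,
        "http_status": int(title.group(1)) if title else None,
        "http_reason": title.group(2) if title else None,
        "server_banner": banner.group(1) if banner else None,
        "origin_host": origin.group(1) if origin else None,
        "origin_port": int(origin.group(2)) if origin else None,
        "verdict": "http-error-page" if title and banner else "unknown",
    }
```

The sender_ip is what an abuse report (the ARIN lookup in the post) would be about, while origin_host is the web server whose error text was mailed out; the two being different is the hallmark of a broken web-to-mail gateway.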



    This archive was generated by hypermail 2b30 : Thu Jan 09 2003 - 23:42:42 PST