tcsender email bombing

Dennis Simpson wrote:

# Is anyone else seeing concerted bombing from tcsender@<a
# couple of addresses> where the relayhost covers many hosts?

We saw 26 of them today. A mis-configured spoofer showed
what may be the true sender:

from=<tcsender@get-more-hits.com.online-marketing.com> relay=root@mustang.detroit.usweb.com [207.17.162.28]

At least one of the messages contained this USPS address:

EVA, Inc.
43 Riverside Ave.
Suite 72
Medford, MA 02155
USA

Here's what we received (US/Central time):

02:10:37 relay=root@zeus.total-access.net [209.60.65.3]
02:14:18 relay=[204.101.235.67] (may be forged)
02:17:16 relay=gost3.indirect.com [165.247.198.3]
02:24:06 relay=www.unitedmedia.com [207.121.184.84]
02:33:10 relay=fivepoints.com [38.229.187.2]
02:34:14 relay=[206.10.45.200] (may be forged)
02:37:30 relay=fujipub.com [192.41.4.169]
02:39:53 relay=root@astra.genghis.com [205.139.15.34]
02:46:02 relay=root@enteract.com [206.54.252.1]
02:54:42 relay=100t.lauderdale.net [207.141.140.10]
03:12:57 relay=ns1.vie.com [205.214.55.3]
03:15:57 relay=[207.213.148.64] (may be forged)
03:18:07 relay=gateway.foliage.com [209.61.70.2]
03:18:43 relay=root@realbeer.com [204.152.97.15]
03:35:53 relay=boulevards.boulevards.com [204.162.28.70]
03:36:57 relay=amyda.foe.co.uk [193.114.240.82]
03:37:46 relay=root@gemini.speakeasy.org [199.238.226.62]
03:37:49 relay=france-travel.com [192.41.4.181]
03:38:08 relay=root@linked.net [209.24.1.201]
03:38:38 relay=money.fsonline.com [199.171.21.101]
03:39:49 relay=root@linked.net [209.24.1.201]
03:40:48 relay=cyberhost3.com [192.41.31.40]
03:45:00 relay=root@mustang.detroit.usweb.com [207.17.162.28]
03:48:58 relay=root@ns.shelbynet.net [206.246.132.10]
03:49:43 relay=mail@gate.imall.com [207.173.184.8]
03:52:23 relay=mail.devontax.com [204.57.91.69]

Bob