Spammer Bust

Jeremy Elson jelson at helix.nih.gov
Fri Sep 5 20:35:17 UTC 1997


On Fri, 5 Sep 1997, Phil Howard wrote:
> One copy of this same spam (but who knows if it is or is not really the
> same spammer) I got appeared to be from PSI.  It came from a PSI connection
> and used Earthlink as a mail hop.  I complained to abuse at psi.net and they
> sent back a reply claiming the mail came from Earthlink.  Well, literally
> I did get it from Earthlink, but it originated from PSI's IP address,
> unless Earthlink faked the IP (but then why would they leave their own
> address on it).
> 
> That's why I tend to believe a lot of ISPs ... and more often the BIGGER
> ones than the smaller ones ... don't know what is going on.

I had two very similar incidents of PSI not knowing what was going on. 
I've gotten a lot of spam that originated from PSI dialup users but using
Earthlink as a mail relay; for example, this one:

Return-Path: mail.earthlink.net at italy.it.earthlink.net 
Return-Path: <mail.earthlink.net at italy.it.earthlink.net>
Received: from hops.cs.jhu.edu  [this is where I received the mail]
           by blaze.cs.jhu.edu with SMTP; Wed, 9 Apr 1997 04:31:17 GMT
Sender: mail.earthlink.net at italy.it.earthlink.net
Received: from italy.it.earthlink.net (italy-c.it.earthlink.net
[204.250.46.18]) by hops.cs.jhu.edu (8.6.12/8.6.9) with ESMTP id AAA05428 for
<jelson at poincare.cs.jhu.edu>; Wed, 9 Apr 1997 00:31:15 -0400
Received: from LOCALNAME (ip55.rocky-mount.nc.pub-ip.psi.net
[38.30.63.55])
        by italy.it.earthlink.net (8.8.5/8.8.5) with SMTP id MAA14529;
        Tue, 8 Apr 1997 12:15:13 -0700 (PDT)
Message-Id: <199704081915.MAA14529 at italy.it.earthlink.net>
Comments: Authenticated sender is <barnhillj at mail.earthlink.net>


In the above case, someone dialed into PSI (ip55.rocky-mount...) and
relayed mail through Earthlink.  I complained to PSInet and they told me
"Sorry, nothing we can do, this is coming from Earthlink."

More recently, though, something much more insidious started to happen:
spammers have started forging Received: lines in the headers to misdirect
attempts at tracing the source of the mail!  Here's one beautiful example
of a spam header I received (my mailhost here was blaze.cs.jhu.edu):


From: mailman at domaol.net
Received: from fs.IConNet.NET
           by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
Sender: mailman at domaol.net
Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net
   [38.11.102.19]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207; 
   Wed, 9 Apr 1997 03:54:27 -0400 (EDT) 
Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by
   bethere.net (8.8.5/8.6.5) with SMTP id GAA04732 for
   <friend at public.com>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
To: friend at public.com
Message-ID: <37474743565665.JDL9087 at bethere.net>


At first glance, it would appear the above spam originated from
bethere.net.  When I looked more closely, though, I realized that
tracing the Received: lines up from the bottom shows the mail going from
alt2.bethere.net to bethere.net, then suddenly jumping from a dialup in 
PSInet to fs.IConNet.NET.  How did it get from bethere.net to PSInet??

The answer, of course, is that the mail really originated from a PSInet
dialup, using IConNet.NET as a spam relay; the bottom Received: line is an
utter forgery, presumably added by the spam-mailing software.  In fact,
it's not even a very good forgery, because the supposed IP address of
alt2.bethere.net is invalid (the 2nd octet is 756).

When I [again] wrote to PSInet to complain about spam coming from their
users, I was told I should complain to bethere.net instead -- a domain
that does not even exist!

As a final, even more depressing footnote to this already sad story: a few
days after I saw this new trend of getting spam with forged Received: 
lines, I actually got an advertisement for spamming software that
prominently listed one of its features as being that it could add forged
sendmail-like headers in order to misdirect investigations!  (To add
insult to injury, I received 8 copies of this ad via the wonders of spam.)


-Jeremy


--------------------------------------------------------------------------

NOTE: This message expresses my personal views and should not be taken to
represent the views or policies of the United States Government or NIH.

Jeremy Elson
Division of Computer Research and Technology
National Institutes of Health
Bethesda, MD
Email: jeremy.elson at nih.gov
Phone: (301) 402-0349
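The bottom-up check Jeremy describes, written out as an added Python example (not code from the post, from NANOG, or from any of the ISPs named): it parses the two header blocks quoted above (re-typed here with the archive's " at " restored to "@"), walks the Received: lines from the earliest hop upward, flags IPv4 addresses with an octet above 255, and reports a break wherever the host named after "by" in one line does not reappear in the "from" clause of the line above it. The hostname-continuity rule and the tolerant unfolding of wrapped archive text are assumptions made for illustration; legitimate relays do not always name themselves identically in both positions, so a break is a lead to investigate, not proof by itself.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples: the two header blocks quoted in the post, with "@"
# restored where the archive prints " at ".  Block A is the straight
# PSI -> Earthlink relay; block B carries the forged bethere.net line.
HEADERS_A = """\
Received: from hops.cs.jhu.edu
           by blaze.cs.jhu.edu with SMTP; Wed, 9 Apr 1997 04:31:17 GMT
Received: from italy.it.earthlink.net (italy-c.it.earthlink.net
[204.250.46.18]) by hops.cs.jhu.edu (8.6.12/8.6.9) with ESMTP id AAA05428 for
<jelson@poincare.cs.jhu.edu>; Wed, 9 Apr 1997 00:31:15 -0400
Received: from LOCALNAME (ip55.rocky-mount.nc.pub-ip.psi.net
[38.30.63.55])
        by italy.it.earthlink.net (8.8.5/8.8.5) with SMTP id MAA14529;
        Tue, 8 Apr 1997 12:15:13 -0700 (PDT)
"""

HEADERS_B = """\
Received: from fs.IConNet.NET
           by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net
   [38.11.102.19]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207;
   Wed, 9 Apr 1997 03:54:27 -0400 (EDT)
Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by
   bethere.net (8.8.5/8.6.5) with SMTP id GAA04732 for
   <friend@public.com>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
"""

HEADER_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")
RECEIVED = re.compile(r"^Received:\s*from\s+(?P<frm>.+?)\s+by\s+(?P<by>[^\s;(]+)", re.I)
IPV4 = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


@dataclass
class Hop:
    from_clause: str   # everything between "from" and "by" (host, comment, IP)
    by_host: str       # the relay that claims to have accepted the message
    ips: List[str]     # dotted quads found in the from clause


def unfold(raw: str) -> List[str]:
    """Join folded header lines into one physical line per header.
    RFC 822 continuations start with whitespace; archive text also wraps
    without it, so (assumption) any line that does not look like a new
    'Name:' header is treated as a continuation of the previous one."""
    lines: List[str] = []
    for line in raw.splitlines():
        if HEADER_START.match(line) or not lines:
            lines.append(line.strip())
        else:
            lines[-1] += " " + line.strip()
    return lines


def parse_received(raw: str) -> List[Hop]:
    """Return the Received: hops in header order (top of block = last hop)."""
    hops: List[Hop] = []
    for line in unfold(raw):
        m = RECEIVED.match(line)
        if m:
            frm = m.group("frm")
            ips = [".".join(g) for g in IPV4.findall(frm)]
            hops.append(Hop(frm, m.group("by"), ips))
    return hops


def valid_ipv4(ip: str) -> bool:
    """True only if every octet is in 0..255 (214.756.86.9 fails here)."""
    return all(0 <= int(o) <= 255 for o in ip.split("."))


def audit_chain(raw: str) -> List[str]:
    """Walk the chain bottom-up (oldest hop first) and report lines that
    cannot be genuine: impossible addresses, and breaks where the relay that
    claims to have received the message never appears as the sender in the
    next line up."""
    hops = parse_received(raw)[::-1]
    findings: List[str] = []
    for i, hop in enumerate(hops):
        for ip in hop.ips:
            if not valid_ipv4(ip):
                findings.append(f"hop {i}: impossible IPv4 address {ip} in 'from {hop.from_clause}'")
        if i + 1 < len(hops):
            nxt = hops[i + 1]
            if hop.by_host.lower() not in nxt.from_clause.lower():
                findings.append(f"hop {i}->{i + 1}: chain break, {hop.by_host} handed off "
                                f"but the next hop claims 'from {nxt.from_clause}'")
    return findings


def probable_origin(raw: str) -> Optional[str]:
    """Return the from clause of the earliest hop still connected to the
    receiving host by an unbroken chain; anything below a break is
    discounted as forged."""
    hops = parse_received(raw)[::-1]
    if not hops:
        return None
    origin = 0
    for i in range(len(hops) - 1):
        if hops[i].by_host.lower() not in hops[i + 1].from_clause.lower():
            origin = i + 1
    return hops[origin].from_clause


if __name__ == "__main__":
    for name, raw in (("A", HEADERS_A), ("B", HEADERS_B)):
        print(name, "probable origin:", probable_origin(raw))
        for finding in audit_chain(raw):
            print("   ", finding)
```

Run as a script it reports block A as clean with its origin at the PSI dialup, and for block B prints both the impossible address and the break between bethere.net and fs.IConNet.NET, placing the origin at the PSI dialup that fs.IConNet.NET actually accepted the message from. Only the topmost line, added by your own mail host, is trustworthy on its own; everything below it is a claim made by a host you do not control, which is exactly why the chain has to be read upward from your own host and why a single break discredits every line beneath it.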