Spammer Bust

Jeremy Elson jelson at
Fri Sep 5 20:35:17 UTC 1997

On Fri, 5 Sep 1997, Phil Howard wrote:
> One copy of this same spam (but who knows if it is or is not really the
> same spammer) I got appeared to be from PSI.  It came from a PSI connection
> and used Earthlink as a mail hop.  I complained to abuse at and they
> sent back a reply claiming the mail came from Earthlink.  Well, literally
> I did get it from Earthlink, but it originated from PSI's IP address,
> unless Earthlink faked the IP (but then why would they leave their own
> address on it).
> That's why I tend to believe a lot of ISPs ... and more often the BIGGER
> ones than the smaller ones ... don't know what is going on.

I had two very similar incidents of PSI not knowing what was going on. 
I've gotten a lot of spam that originated from PSI dialup users but using
Earthlink as a mail relay; for example, this one:

Return-Path: at 
Return-Path: < at>
Received: from  [this is where I received the mail]
           by with SMTP; Wed, 9 Apr 1997 04:31:17 GMT
Sender: at
Received: from (
[]) by (8.6.12/8.6.9) with ESMTP id AAA05428 for
<jelson at>; Wed, 9 Apr 1997 00:31:15 -0400
Received: from LOCALNAME (
        by (8.8.5/8.8.5) with SMTP id MAA14529;
        Tue, 8 Apr 1997 12:15:13 -0700 (PDT)
Message-Id: <199704081915.MAA14529 at>
Comments: Authenticated sender is <barnhillj at>

In the above case, someone dialed into PSI (ip55.rocky-mount...) and
relayed mail through Earthlink.  I complained to PSInet and they told me
"Sorry, nothing we can do, this is coming from Earthlink."

More recently, though, something much more insidious started to happen:
spammers have started forging Received: lines in the headers to misdirect
attempts at tracing the source of the mail!  Here's one beautiful example
of a spam header I received (my mailhost here was

From: mailman at
Received: from fs.IConNet.NET
           by with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
Sender: mailman at
Received: from (
   []) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207; 
   Wed, 9 Apr 1997 03:54:27 -0400 (EDT) 
Received: from by (8.8.5/8.6.5) with SMTP id GAA04732 for
   <friend at>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
To: friend at
Message-ID: <37474743565665.JDL9087 at>

At first glance, it would appear the above spam originated from  When I
looked more closely, though, I realized that tracing the Received: lines up
from the bottom shows the mail going from to, then suddenly jumping from a
dialup in PSInet to fs.IConNet.NET.  How did it get from to PSInet??

The answer, of course, is that the mail really originated from a PSInet
dialup, using IConNet.NET as a spam relay; the bottom Received: line is an
utter forgery, presumably added by the spam-mailing software.  In fact,
it's not even a very good forgery, because the supposed IP address of is invalid (the 2nd octet is 756).

When I [again] wrote to PSInet to complain about spam coming from their
users, I was told I should complain to instead -- a domain
that does not even exist!

As a final, even more depressing footnote to this already sad story: a few
days after I saw this new trend of getting spam with forged Received: 
lines, I actually got an advertisement for spamming software that
prominently listed one of its features as being that it could add forged
sendmail-like headers in order to misdirect investigations!  (To add
insult to injury, I received 8 copies of this ad via the wonders of spam.)

NOTE: This message expresses my personal views and should not be taken to
represent the views or policies of the United States Government or NIH.

Jeremy Elson
Division of Computer Research and Technology
National Institutes of Health
Bethesda, MD
Email: jeremy.elson at
Phone: (301) 402-0349

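The bottom-up trace Jeremy describes (each Received: line's "by" host should reappear as the next line's "from" host, and bracketed IP literals should at least be valid addresses) can be automated. The following is an added example, not code from the original post or the NANOG archive; hostnames and the 192.0.2.55 address are constructed placeholders, and only the impossible 756 octet is taken from the post. A discontinuity is a lead for the complaint, not proof of forgery, since a relay may legitimately name itself differently from how the next hop sees it.

```python
import ipaddress
import re

# Constructed sample modelled on the forged chain quoted in the post above.
# Hostnames are placeholders (the archive stripped the originals); the
# bottom line is the forged one and carries the impossible "756" octet.
HEADERS = [
    "Received: from fs.IConNet.NET by mailhost.example.net with ESMTP;"
    " Wed, 9 Apr 1997 07:54:13 GMT",
    "Received: from ip55.dialup.example.net (ip55.dialup.example.net"
    " [192.0.2.55]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207;"
    " Wed, 9 Apr 1997 03:54:27 -0400 (EDT)",
    "Received: from mail.example.com (mail.example.com [10.756.0.1])"
    " by relay.example.com (8.8.5/8.6.5) with SMTP id GAA04732 for"
    " <friend@example.com>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)",
]

# "from <host> [(comment)] by <host>"; the comment usually carries "[ip]".
HOP_RE = re.compile(r"from\s+(?P<frm>\S+)(?:\s*\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[([0-9.]+)\]")


def parse_hop(header):
    """Return {'from', 'by', 'ip'} for one Received: line, or None if unparsable."""
    m = HOP_RE.search(header.split(":", 1)[1])
    if not m:
        return None
    ip_match = IP_RE.search(m.group("comment") or "")
    return {"from": m.group("frm"), "by": m.group("by"),
            "ip": ip_match.group(1) if ip_match else None}


def audit_chain(headers):
    """Walk the Received: chain bottom-up (oldest hop first) and return (kind, detail) findings."""
    hops = [parse_hop(h) for h in headers]
    findings = []
    for i in range(len(hops) - 1, -1, -1):
        hop = hops[i]
        if hop is None:
            findings.append(("unparsable", headers[i]))
            continue
        if hop["ip"] is not None:
            try:
                ipaddress.ip_address(hop["ip"])   # rejects octets > 255, as in the post
            except ValueError:
                findings.append(("invalid_ip", f"{hop['ip']} claimed for {hop['from']}"))
        # The host that accepted this hop must be the one the next (newer) line says it came from.
        if i > 0 and hops[i - 1] is not None and hop["by"].lower() != hops[i - 1]["from"].lower():
            findings.append(("discontinuity",
                             f"{hop['by']} handed off, but the next line claims to come from {hops[i - 1]['from']}"))
    return findings
```

Run `audit_chain(HEADERS)` to get the two findings for the sample: the invalid 10.756.0.1 literal and the jump from relay.example.com to the PSInet-style dialup, which together mark the bottom line as the forged one.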
More information about the NANOG mailing list