Spammer Bust

Jay R. Ashworth jra at
Sat Sep 6 03:31:57 UTC 1997

On Fri, Sep 05, 1997 at 04:35:17PM -0400, Jeremy Elson wrote:
> More recently, though, something much more insidious started to happen:
> spammers have started forging Received: lines in the headers to misdirect
> attempts at tracing the source of the mail!  Here's one beautiful example
> of a spam header I received (my mailhost here was
> From: mailman at
> Received: from fs.IConNet.NET
>            by with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
> Sender: mailman at
> Received: from (
>    []) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207; 
>    Wed, 9 Apr 1997 03:54:27 -0400 (EDT) 
> Received: from by
> (8.8.5/8.6.5) with SMTP id GAA04732 for
>    <friend at>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
> To: friend at
> Message-ID: <37474743565665.JDL9087 at>
[ "how did it get there?" ]
> The answer, of course, is that the mail really originated from a PSInet
> dialup, using IConNet.NET as a spam relay; the bottom Received: line is an
> utter forgery, presumably added by the spam-mailing software.  In fact,
> it's not even a very good forgery, because the supposed IP address of
> is invalid (the 2nd octet is 756).

This is a known spamming program; the highlighted mistake would
probably work _exceptionally_ well in your procmail file.  :-)

-- jra
Jay R. Ashworth                                                jra at
Member of the Technical Staff             Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "People propose, science studies, technology
Tampa Bay, Florida          conforms."  -- Dr. Don Norman      +1 813 790 7592
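
The check discussed in this thread (an impossible octet in a Received: line marks the header as forged) can be sketched as a filter. This is an added example, not part of either poster's message; the sample message, its hostnames and the address 203.756.13.7 are constructed, and `invalid_received_ips` is a hypothetical helper name.

```python
import re
from email import message_from_string

# Four dot-separated digit runs that are not part of a longer dotted number.
# Sendmail version strings such as "8.8.5/8.8.5" have only three parts and do not match.
DOTTED_QUAD = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def invalid_received_ips(raw_message):
    """Return (hop_index, address) for each impossible IPv4 literal in Received: lines.

    hop_index 0 is the topmost (most recently added) Received: header, so a
    forged line inserted by the sending software shows up with the highest index.
    """
    msg = message_from_string(raw_message)
    findings = []
    for hop, value in enumerate(msg.get_all("Received", [])):
        for m in DOTTED_QUAD.finditer(value):
            if any(int(octet) > 255 for octet in m.groups()):
                findings.append((hop, m.group(0)))
    return findings


# Constructed sample: two plausible relay hops and one forged bottom hop
# whose second octet is 756, as in the message quoted above.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org (8.8.5/8.8.5) with ESMTP id AAA00001;
\tWed, 9 Apr 1997 07:54:13 GMT
Received: from dialup.example.com (dialup.example.com [198.51.100.23])
\tby relay.example.net (8.8.5/8.8.5) with SMTP id DAA00002;
\tWed, 9 Apr 1997 03:54:27 -0400 (EDT)
Received: from mail.example.invalid (203.756.13.7) by mail.example.invalid
\t(8.8.5/8.6.5) with SMTP id GAA00003 for <friend@example.org>;
\tWed, 09 Apr 1997 02:52:20 -0600 (EST)
From: sender@example.invalid
To: friend@example.org
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for hop, addr in invalid_received_ips(SAMPLE):
        print(f"Received hop {hop}: impossible IPv4 literal {addr}")
```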
