Spammer Bust

Steve Mansfield steve at nwnet.net
Sat Sep 6 04:21:56 UTC 1997


I'll just make this one comment, as I think this whole thread is probably
off-topic, but this tactic has been used for quite some time by spammers.
Even if they aren't using a version with the bogus timestamp, following the
headers down, the forged line becomes obvious when you realise that the psi
host never received it from bothere.net, plus there *is* no bothere.net.

For further information on this topic, I would suggest either the spam-l
mailing list, or send mail to spam-request at zorch.sf-bay.org.  Many of these
issues have long been hashed, and current topics on the spam problem are
more properly discussed on one of those lists.

Steve Mansfield				 steve at nwnet.net
NorthWestNet Network Engineer	         425-649-7467

> On Fri, Sep 05, 1997 at 04:35:17PM -0400, Jeremy Elson wrote:
> > More recently, though, something much more insidious started to happen:
> > spammers have started forging Received: lines in the headers to misdirect
> > attempts at tracing the source of the mail!  Here's one beautiful example
> > of a spam header I received (my mailhost here was blaze.cs.jhu.edu):
> > 
> > From: mailman at domaol.net
> > Received: from fs.IConNet.NET
> >            by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
> > Sender: mailman at domaol.net
> > Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net
> >    [38.11.102.19]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207; 
> >    Wed, 9 Apr 1997 03:54:27 -0400 (EDT) 
> > Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by
> >    bethere.net (8.8.5/8.6.5) with SMTP id GAA04732 for
> >    <friend at public.com>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
>                                                     ^^^^^^^^^^^
> > To: friend at public.com
> > Message-ID: <37474743565665.JDL9087 at bethere.net>
> [ "how did it get there?" ]
> > The answer, of course, is that the mail really originated from a PSInet
> > dialup, using IConNet.NET as a spam relay; the bottom Received: line is an
> > utter forgery, presumably added by the spam-mailing software.  In fact,
> > it's not even a very good forgery, because the supposed IP address of
> > alt2.bethere.net is invalid (the 2nd octet is 756).
> 
> This is a known spamming program; the highlighted mistake would
> probably work _exceptionally_ well in your procmail file.  :-)
> 
> Cheers,
> -- jra
> -- 
> Jay R. Ashworth                                                jra at baylink.com
> Member of the Technical Staff             Unsolicited Commercial Emailers Sued
> The Suncoast Freenet      "People propose, science studies, technology
> Tampa Bay, Florida          conforms."  -- Dr. Don Norman      +1 813 790 7592
> 
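The three tells discussed in the thread (a Received: chain that does not link up when read top-down, an address literal with an octet above 255, and a numeric offset that disagrees with the zone abbreviation beside it) can be checked mechanically. The script below is an added example and is not code from the original NANOG thread or any project; the sample headers are constructed from the spam header quoted above, with the archive's "at" restored to "@", and the zone-abbreviation table is an assumption covering the common US and GMT abbreviations only.

```python
"""Walk Received: headers top-down and flag where a forged trace line gives
itself away.  Added example, not code from the original thread."""
import re
from email import message_from_string

# Constructed sample, adapted from the header block quoted in the thread.
SAMPLE_HEADERS = """\
From: mailman@domaol.net
Received: from fs.IConNet.NET
           by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
Sender: mailman@domaol.net
Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net
   [38.11.102.19]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207;
   Wed, 9 Apr 1997 03:54:27 -0400 (EDT)
Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by
   bethere.net (8.8.5/8.6.5) with SMTP id GAA04732 for
   <friend@public.com>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
To: friend@public.com
Message-ID: <37474743565665.JDL9087@bethere.net>
"""

# Assumption: numeric offsets implied by the common US/GMT abbreviations.
TZ_OFFSETS = {
    "GMT": "+0000", "UTC": "+0000",
    "EST": "-0500", "EDT": "-0400", "CST": "-0600", "CDT": "-0500",
    "MST": "-0700", "MDT": "-0600", "PST": "-0800", "PDT": "-0700",
}

# Deliberately permissive: octets may exceed 255 so that bogus literals
# such as 214.756.86.9 are captured here and rejected by valid_ipv4().
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")
PEER_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # MTA-recorded peer


def valid_ipv4(literal):
    """True if every dotted octet is in 0..255."""
    return all(0 <= int(octet) <= 255 for octet in literal.split("."))


def parse_received(value):
    """Extract the fields the trace needs from one Received: header value."""
    flat = " ".join(value.split())            # unfold continuation lines
    m_from = re.search(r"\bfrom\s+([^\s(;]+)", flat)
    m_by = re.search(r"\bby\s+([^\s(;]+)", flat)
    m_peer = PEER_RE.search(flat)
    m_tz = re.search(r"([+-]\d{4})\s*\(([A-Za-z]{3,4})\)\s*$", flat)
    return {
        "from": m_from.group(1).lower() if m_from else None,
        "by": m_by.group(1).lower() if m_by else None,
        "peer_ip": m_peer.group(1) if m_peer else None,
        "ips": [".".join(m) for m in IPV4_RE.findall(flat)],
        "tz_offset": m_tz.group(1) if m_tz else None,
        "tz_abbrev": m_tz.group(2).upper() if m_tz else None,
    }


def received_hops(raw_headers):
    """Received: lines in header order: index 0 is the newest hop."""
    msg = message_from_string(raw_headers)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def analyze(raw_headers):
    """Return findings; 'hop' is the index of the suspect Received: line."""
    hops = received_hops(raw_headers)
    findings = []
    for i, hop in enumerate(hops):
        # 1. Continuity: the host this hop received from should be the host
        #    that the next-older hop says did the receiving.  A break is a
        #    signal to examine, not proof on its own (HELO names vary).
        if i + 1 < len(hops):
            older = hops[i + 1]
            if older["by"] not in {hop["from"], *hop["ips"]}:
                findings.append({"kind": "chain_break", "hop": i + 1,
                                 "detail": f"{hop['by']} received it from "
                                           f"{hop['from']}, not {older['by']}"})
        # 2. Address literals that cannot exist.
        for ip in hop["ips"]:
            if not valid_ipv4(ip):
                findings.append({"kind": "invalid_ip", "hop": i, "detail": ip})
        # 3. Numeric offset disagreeing with the zone abbreviation.
        expected = TZ_OFFSETS.get(hop["tz_abbrev"])
        if expected and hop["tz_offset"] != expected:
            findings.append({"kind": "tz_mismatch", "hop": i,
                             "detail": f"{hop['tz_offset']} ({hop['tz_abbrev']})"
                                       f" should be {expected}"})
    return findings


def likely_origin(raw_headers):
    """Best guess at the injecting host: the peer recorded by the newest hop
    that the next-older hop fails to corroborate (or the oldest hop)."""
    hops = received_hops(raw_headers)
    breaks = [f["hop"] for f in analyze(raw_headers) if f["kind"] == "chain_break"]
    hop = hops[breaks[0] - 1] if breaks else hops[-1]
    return hop["peer_ip"] or hop["from"]


if __name__ == "__main__":
    for f in analyze(SAMPLE_HEADERS):
        print(f"hop {f['hop']}: {f['kind']}: {f['detail']}")
    print("likely origin:", likely_origin(SAMPLE_HEADERS))
```

On the sample, the chain holds from blaze.cs.jhu.edu down to fs.IConNet.NET and breaks at the bethere.net line, which also carries the impossible octet and the -0600/EST disagreement; the origin the script reports is the bracketed PSInet address that fs.IConNet.NET itself recorded, which is the only hop below the break worth trusting. A procmail recipe matching the offset/abbreviation pair, as suggested in the thread, catches this one program; the chain check is the one that survives a better forgery.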