Christmas spam from RESERVED IANA adressblock ?

William Herrin herrin-nanog at
Thu Dec 25 16:47:49 UTC 2008

On Thu, Dec 25, 2008 at 1:33 AM, James Hess <mysidia at> wrote:
> RFC1918 addresses should also never be found
> in mail headers of any messages being exchanged over the internet..
> RFC1918  says on page 4:


If you want to be dogmatic about it, the must and must nots in
RFC2821, 3.8.2 supersede the "should" in RFC 1918. The lines with the
1918 addresses must remain.

Pragmatically speaking, when you want to trace a spam, you have to
ignore both irrelevant information and intentionally false
information. For example, I've seen spams which contain Received lines
alleging receipt from a completely innocent network. You have to pay
close attention because the only clue that it's a lie is that the
Received line doesn't connect with any later ones. The system which
allegedly accepted the message doesn't appear in another received line
as having sent it to the next server in the chain.

As for the incident spam, there's probably an abusable web form on that some remote spammer has discovered and is using to
relay spam. When you see a message which appears to have originated
from a generic web server, that's often what's going on. This one has
that feel to it. Were it properly programmed, the form would have
appended a Received line of its own indicating the source of the http
request. Then again, if it was properly programmed it wouldn't be
useful for relaying spam in the first place.

Bill Herrin

William D. Herrin ................ herrin at  bill at
3005 Crane Dr. ...................... Web: <>
Falls Church, VA 22042-3004

More information about the NANOG mailing list