North American Network Operators Group


Re: Spammer Bust

  • From: Jeremy Elson
  • Date: Fri Sep 05 16:54:31 1997

On Fri, 5 Sep 1997, Phil Howard wrote:
> One copy of this same spam (but who knows if it is or is not really the
> same spammer) I got appeared to be from PSI.  It came from a PSI connection
> and used Earthlink as a mail hop.  I complained to [email protected] and they
> sent back a reply claiming the mail came from Earthlink.  Well, literally
> I did get it from Earthlink, but it originated from PSI's IP address,
> unless Earthlink faked the IP (but then why would they leave their own
> address on it).
> 
> That's why I tend to believe a lot of ISPs ... and more often the BIGGER
> ones than the smaller ones ... don't know what is going on.

I had two very similar incidents of PSI not knowing what was going on. 
I've gotten a lot of spam that originated from PSI dialup users but using
Earthlink as a mail relay; for example, this one:

Return-Path: [email protected] 
Return-Path: <[email protected]>
Received: from hops.cs.jhu.edu  [this is where I received the mail]
           by blaze.cs.jhu.edu with SMTP; Wed, 9 Apr 1997 04:31:17 GMT
Sender: [email protected]
Received: from italy.it.earthlink.net (italy-c.it.earthlink.net
[204.250.46.18]) by hops.cs.jhu.edu (8.6.12/8.6.9) with ESMTP id AAA05428 for
<[email protected]>; Wed, 9 Apr 1997 00:31:15 -0400
Received: from LOCALNAME (ip55.rocky-mount.nc.pub-ip.psi.net
[38.30.63.55])
        by italy.it.earthlink.net (8.8.5/8.8.5) with SMTP id MAA14529;
        Tue, 8 Apr 1997 12:15:13 -0700 (PDT)
Message-Id: <[email protected]>
Comments: Authenticated sender is <[email protected]>


In the above case, someone dialed into PSI (ip55.rocky-mount...) and
relayed mail through Earthlink.  I complained to PSInet and they told me
"Sorry, nothing we can do, this is coming from Earthlink."

More recently, though, something much more insidious started to happen:
spammers have started forging Received: lines in the headers to misdirect
attempts at tracing the source of the mail!  Here's one beautiful example
of a spam header I received (my mailhost here was blaze.cs.jhu.edu):


From: [email protected]
Received: from fs.IConNet.NET
           by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
Sender: [email protected]
Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net
   [38.11.102.19]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207; 
   Wed, 9 Apr 1997 03:54:27 -0400 (EDT) 
Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by
   bethere.net (8.8.5/8.6.5) with SMTP id GAA04732 for
   <[email protected]>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
To: [email protected]
Message-ID: <[email protected]>


At first glance, it would appear the above spam originated from
bethere.net.  When I looked more closely, though, I realized that
tracing the Received: lines up from the bottom shows the mail going from
alt2.bethere.net to bethere.net, then suddenly jumping from a dialup in 
PSInet to fs.IConNet.NET.  How did it get from bethere.net to PSInet??

The answer, of course, is that the mail really originated from a PSInet
dialup, using IConNet.NET as a spam relay; the bottom Received: line is an
utter forgery, presumably added by the spam-mailing software.  In fact,
it's not even a very good forgery, because the supposed IP address of
alt2.bethere.net is invalid (the 2nd octet is 756).

When I [again] wrote to PSInet to complain about spam coming from their
users, I was told I should complain to bethere.net instead -- a domain
that does not even exist!

As a final, even more depressing footnote to this already sad story: a few
days after I saw this new trend of getting spam with forged Received: 
lines, I actually got an advertisement for spamming software that
prominently listed one of its features as being that it could add forged
sendmail-like headers in order to misdirect investigations!  (To add
insult to injury, I received 8 copies of this ad via the wonders of spam.)


-Jeremy


--------------------------------------------------------------------------

NOTE: This message expresses my personal views and should not be taken to
represent the views or policies of the United States Government or NIH.

Jeremy Elson
Division of Computer Research and Technology
National Institutes of Health
Bethesda, MD
Email: [email protected]
Phone: (301) 402-0349
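The bottom-up trace Jeremy describes can be mechanised: walk the Received: lines from the one your own MTA wrote, and stop at the first hop whose "by" host is not the host the hop above says handed the message over. The following is an added example, not code from the original post; the two header samples are constructed to reproduce the Received: lines quoted above (folding normalised to leading whitespace, the redacted "for <...>" clauses dropped), and all function and field names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed samples mirroring the two messages quoted in the post.
GENUINE = """\
Received: from hops.cs.jhu.edu
    by blaze.cs.jhu.edu with SMTP; Wed, 9 Apr 1997 04:31:17 GMT
Received: from italy.it.earthlink.net (italy-c.it.earthlink.net
    [204.250.46.18]) by hops.cs.jhu.edu (8.6.12/8.6.9) with ESMTP id AAA05428;
    Wed, 9 Apr 1997 00:31:15 -0400
Received: from LOCALNAME (ip55.rocky-mount.nc.pub-ip.psi.net
    [38.30.63.55])
    by italy.it.earthlink.net (8.8.5/8.8.5) with SMTP id MAA14529;
    Tue, 8 Apr 1997 12:15:13 -0700 (PDT)
"""

FORGED = """\
Received: from fs.IConNet.NET
    by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net
    [38.11.102.19]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207;
    Wed, 9 Apr 1997 03:54:27 -0400 (EDT)
Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by
    bethere.net (8.8.5/8.6.5) with SMTP id GAA04732;
    Wed, 09 Apr 1997 02:52:20 -0600 (EST)
"""

HOSTNAME = re.compile(r'[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}')
DOTTED = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')
RECEIVED = re.compile(r'from\s+([^\s(]+)(.*?)\s+by\s+([^\s;]+)')


@dataclass
class Hop:
    from_token: str   # name the sending side announced (HELO) or the MTA recorded
    from_names: set   # every name/address the receiving MTA recorded for the peer
    rdns: list        # hostnames found in the receiving MTA's comment
    ips: list         # dotted quads found in that comment
    literals: list    # all dotted quads in the from-part, for validity checking
    by: str           # the MTA that wrote this line (lowercased)


def unfold(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (' ', '\t') and lines:
            lines[-1] += ' ' + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def received_lines(raw):
    return [l.split(':', 1)[1].strip() for l in unfold(raw)
            if l.lower().startswith('received:')]


def valid_ipv4(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:       # catches the 756-octet kind of forgery
        return False


def parse_hop(text):
    m = RECEIVED.match(text)
    if not m:
        raise ValueError(f'unparseable Received: line: {text!r}')
    token, middle, by = m.groups()
    rdns = [h.lower() for h in HOSTNAME.findall(middle)]
    ips = DOTTED.findall(middle)
    names = {token.lower(), *rdns, *ips}
    return Hop(token, names, rdns, ips, DOTTED.findall(token) + ips, by.lower())


def trace(raw_headers):
    """Trust hop 0 (written by our MTA); extend trust downward only while each
    hop's 'by' host is one the hop above names as the host that handed over."""
    hops = [parse_hop(r) for r in received_lines(raw_headers)]
    if not hops:
        raise ValueError('no Received: lines')
    trusted = 1
    while trusted < len(hops) and hops[trusted].by in hops[trusted - 1].from_names:
        trusted += 1
    last = hops[trusted - 1]   # deepest hop whose chain is unbroken
    return {
        'hops': len(hops),
        'forged_from': trusted if trusted < len(hops) else None,
        'origin_helo': last.from_token,
        'origin_rdns': last.rdns[0] if last.rdns else None,
        'origin_ip': next((ip for ip in last.ips if valid_ipv4(ip)), None),
        'bad_ips': [ip for h in hops for ip in h.literals if not valid_ipv4(ip)],
    }


if __name__ == '__main__':
    for label, sample in (('genuine', GENUINE), ('forged', FORGED)):
        print(label, trace(sample))
```

On the genuine sample the chain is unbroken and the origin resolves to the PSI dialup 38.30.63.55; on the forged sample the walk stops at the third line (bethere.net never appears in the hop above it), the origin is the PSI dialup 38.11.102.19, and 214.756.86.9 is reported as an impossible address. A break is grounds to distrust everything beneath it rather than proof of forgery on its own: a relay's own idea of its name can legitimately differ from the name the next hop records for it, so the comparison above should be widened (aliases, multi-homed hosts) before it is used to reject mail automatically.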