North American Network Operators Group
Re: Spammer Bust
I'll just make this one comment, as I think this whole thread is probably off-topic, but this tactic has been used for quite some time by spammers. Even if they aren't using a version with the bogus timestamp, following the headers down, the forged line becomes obvious when you realise that the psi host never received it from bothere.net, plus there *is* no bothere.net.

For further information on this topic, I would suggest either the spam-l mailing list, or send mail to [email protected] Many of these issues have long been hashed, and current topics on the spam problem are more properly discussed on one of those lists.

Steve Mansfield [email protected]
NorthWestNet Network Engineer 425-649-7467

> On Fri, Sep 05, 1997 at 04:35:17PM -0400, Jeremy Elson wrote:
> > More recently, though, something much more insidious started to happen:
> > spammers have started forging Received: lines in the headers to misdirect
> > attempts at tracing the source of the mail! Here's one beautiful example
> > of a spam header I received (my mailhost here was blaze.cs.jhu.edu):
> >
> > From: [email protected]
> > Received: from fs.IConNet.NET
> > by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
> > Sender: [email protected]
> > Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net
> > [38.11.102.19]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207;
> > Wed, 9 Apr 1997 03:54:27 -0400 (EDT)
> > Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by
> > bethere.net (8.8.5/8.6.5) with SMTP id GAA04732 for
> > <[email protected]>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
> ^^^^^^^^^^^
> > To: [email protected]
> > Message-ID: <[email protected]>
> [ "how did it get there?" ]
> > The answer, of course, is that the mail really originated from a PSInet
> > dialup, using IConNet.NET as a spam relay; the bottom Received: line is an
> > utter forgery, presumably added by the spam-mailing software. In fact,
> > it's not even a very good forgery, because the supposed IP address of
> > alt2.bethere.net is invalid (the 2nd octet is 756).
>
> This is a known spamming program; the highlighted mistake would
> probably work _exceptionally_ well in your procmail file. :-)
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth [email protected]
> Member of the Technical Staff Unsolicited Commercial Emailers Sued
> The Suncoast Freenet "People propose, science studies, technology
> Tampa Bay, Florida conforms." -- Dr. Don Norman +1 813 790 7592
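The following is an added example, not code from the thread or from any of its participants. It turns the manual trace described above (walk the Received: lines from the top down and find the hop the rest of the chain never acknowledged) into a small audit that a mail administrator could run on an incoming message. It generalises the two tells the posters point out into three checks per hop: the "by" host of a lower line must appear as the "from" host of the line above it, no dotted-quad in the line may have an octet above 255, and a hop's timestamp may not run ahead of the hop above it by more than a tolerated clock skew. The sample message is constructed from the Received: lines quoted in the thread, with placeholder addresses in the `example.invalid` domain; the five-minute skew tolerance is an assumption chosen for the example, not a value from the thread.

```python
"""Audit the Received: chain of an email for signs of a forged hop.

Each Received: line is stamped by the host named after "by"; the line
above it should say it received the message "from" that host, at a time
no earlier (allowing for clock skew) than the lower stamp.  A hop whose
hand-off the hop above never recorded, whose timestamp runs ahead of the
hop above, or that names an impossible IPv4 address is the one the rest
of the chain never saw, i.e. the forged line.
"""
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the three Received: lines quoted in the thread above
# (the bottom one is the forged hop); addresses are placeholders.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
Received: from fs.IConNet.NET
    by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net
    [38.11.102.19]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207;
    Wed, 9 Apr 1997 03:54:27 -0400 (EDT)
Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by
    bethere.net (8.8.5/8.6.5) with SMTP id GAA04732 for
    <victim@example.invalid>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
To: victim@example.invalid

(body)
"""

HOP_RE = re.compile(r"^from\s+(?P<frm>.+?)\s+by\s+(?P<by>[A-Za-z0-9.-]+)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")
CLOCK_SKEW = timedelta(minutes=5)   # assumed tolerance between MTA clocks


def parse_hops(raw):
    """Return the Received: hops top-down (newest first) as dicts."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.match(value)
        try:                                     # date is the part after the last ';'
            when = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        except (ValueError, TypeError):
            when = None
        hops.append({
            "raw": value,
            "frm": m.group("frm").lower() if m else "",
            "by": m.group("by").lower() if m else "",
            "when": when,
        })
    return hops


def audit_received(raw):
    """Return (hop_number, kind, detail) findings; hop 1 is the newest line."""
    hops = parse_hops(raw)
    findings = []
    # Check 1: every dotted-quad in a hop must be a possible IPv4 address.
    for n, hop in enumerate(hops, start=1):
        for octets in IPV4_RE.findall(hop["raw"]):
            if any(int(o) > 255 for o in octets):
                findings.append((n, "bad-ip", ".".join(octets)))
    for n in range(1, len(hops)):
        upper, lower = hops[n - 1], hops[n]
        # Check 2: the upper MTA must say it received from the lower's "by" host
        # (compare whole host/IP tokens, not substrings).
        seen_from = set(re.findall(r"[a-z0-9.-]+", upper["frm"]))
        if lower["by"] and lower["by"] not in seen_from:
            findings.append((n + 1, "chain-break",
                             f"{lower['by']} claims a hand-off that {upper['by']} "
                             f"never recorded (it received from {upper['frm']})"))
        # Check 3: a lower hop may not be stamped later than the hop above it.
        if upper["when"] and lower["when"] and upper["when"] + CLOCK_SKEW < lower["when"]:
            findings.append((n + 1, "time-skew",
                             f"stamped {lower['when']} but the hop above "
                             f"stamped {upper['when']}"))
    return findings


if __name__ == "__main__":
    for hop, kind, detail in audit_received(SAMPLE_MESSAGE):
        print(f"hop {hop}: {kind}: {detail}")
```

Run against the sample, hops 1 and 2 pass all three checks (their 14-second clock disagreement is within the tolerance), while hop 3 is flagged three times: its "by" host `bethere.net` never appears as a "from" host in the psi.net line above it, its address carries the impossible octet 756, and its stamp (02:52 -0600, i.e. 08:52 UTC) is almost an hour later than the hop that supposedly relayed it onward. A procmail or milter rule built on any one of these is a reasonable filter; the chain-break check is the one that survives once the forger fixes the obvious octet mistake.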