nanog mailing list archives
Re: Spammer Bust
From: "Jay R. Ashworth" <jra () scfn thpl lib fl us>
Date: Fri, 5 Sep 1997 23:31:57 -0400
On Fri, Sep 05, 1997 at 04:35:17PM -0400, Jeremy Elson wrote:
> More recently, though, something much more insidious started to happen:
> spammers have started forging Received: lines in the headers to misdirect
> attempts at tracing the source of the mail!  Here's one beautiful example
> of a spam header I received (my mailhost here was blaze.cs.jhu.edu):
>
> From: mailman () domaol net
> Received: from fs.IConNet.NET by blaze.cs.jhu.edu with ESMTP;
>           Wed, 9 Apr 1997 07:54:13 GMT
> Sender: mailman () domaol net
> Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net [38.11.102.19])
>           by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207;
>           Wed, 9 Apr 1997 03:54:27 -0400 (EDT)
> Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9))
>                                                      ^^^^^^^^^^^^
>           by bethere.net (8.8.5/8.6.5) with SMTP id GAA04732
>           for <friend () public com>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
> To: friend () public com
> Message-ID: <37474743565665.JDL9087 () bethere net>
[ "how did it get there?" ]
> The answer, of course, is that the mail really originated from a PSInet
> dialup, using IConNet.NET as a spam relay; the bottom Received: line is an
> utter forgery, presumably added by the spam-mailing software.  In fact,
> it's not even a very good forgery, because the supposed IP address of
> alt2.bethere.net is invalid (the 2nd octet is 756).
This is a known spamming program; the highlighted mistake would probably
work _exceptionally_ well in your procmail file.  :-)

Cheers,
-- jra
-- 
Jay R. Ashworth                                            jra () baylink com
Member of the Technical Staff          Unsolicited Commercial Emailers Sued
The Suncoast Freenet            "People propose, science studies, technology
Tampa Bay, Florida                          conforms."  -- Dr. Don Norman
+1 813 790 7592
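The two tells the thread points at, an IPv4 literal with an impossible octet and a Received: trail whose hops do not chain together, can both be checked mechanically. The script below is an added example and not code from either poster; it runs the quoted headers through Python's stdlib email parser. The sample message is constructed from the headers quoted above, with the archive's "user () host" obfuscation undone so the message parses as real mail, and the function names (audit_received, parse_hop, and so on) are my own.

```python
"""Audit a message's Received: trail for signs of a forged hop.

Two checks, both taken from the thread: a dotted quad with an octet above
255 cannot be a real address, and each hop's "by" host should reappear in
the "from" clause of the hop stamped on top of it.  Newest hop is topmost.
"""
import email
import ipaddress
import re

# Constructed sample: the headers quoted in the post, with "user () host"
# written back as user@host so the stdlib parser accepts them.  The third
# Received: line is the forged one (second octet 756, no relay to bethere.net).
SAMPLE_MESSAGE = """\
From: mailman@domaol.net
Received: from fs.IConNet.NET by blaze.cs.jhu.edu with ESMTP;
\tWed, 9 Apr 1997 07:54:13 GMT
Sender: mailman@domaol.net
Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net [38.11.102.19])
\tby fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207;
\tWed, 9 Apr 1997 03:54:27 -0400 (EDT)
Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9))
\tby bethere.net (8.8.5/8.6.5) with SMTP id GAA04732
\tfor <friend@public.com>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
To: friend@public.com
Message-ID: <37474743565665.JDL9087@bethere.net>

(body omitted)
"""

# Four dot-separated groups of 1-3 digits, not embedded in a longer dotted string
# (so version strings like 8.8.5/8.6.5 and Message-IDs are left alone).
IPV4_LITERAL = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# "from <clause> by <host>": the clause is everything up to the first " by ".
HOP_RE = re.compile(r"\bfrom\s+(?P<from>.*?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)


def is_valid_ipv4(literal):
    """True if the dotted quad is a syntactically possible IPv4 address."""
    try:
        ipaddress.IPv4Address(literal)
    except ipaddress.AddressValueError:
        return False
    return True


def received_hops(raw_message):
    """Return the Received: header values, unfolded, newest (topmost) first."""
    msg = email.message_from_string(raw_message)
    return [re.sub(r"\s+", " ", h).strip() for h in msg.get_all("Received", [])]


def parse_hop(received):
    """Split one Received: value into its from-clause, from-host and by-host."""
    m = HOP_RE.search(received)
    if not m:
        return None
    from_clause = m.group("from")
    # "mailhost.bethere.net(alt2.bethere.net(...))": the host name ends at
    # the first space or parenthesis.
    from_host = re.split(r"[\s(]", from_clause, maxsplit=1)[0]
    return {"from_host": from_host, "from_clause": from_clause,
            "by": m.group("by").rstrip(";")}


def audit_received(raw_message):
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []
    hops = received_hops(raw_message)
    for idx, hop in enumerate(hops):
        for literal in IPV4_LITERAL.findall(hop):
            if not is_valid_ipv4(literal):
                findings.append(f"hop {idx}: impossible IPv4 literal {literal}")
    parsed = [parse_hop(h) for h in hops]
    for idx in range(len(parsed) - 1):
        newer, older = parsed[idx], parsed[idx + 1]
        if newer is None or older is None:
            continue
        # Lenient chain check: the older hop's receiving host should be named
        # somewhere in the newer hop's from-clause (host, HELO name or comment).
        if older["by"].lower() not in newer["from_clause"].lower():
            findings.append(
                f"hop {idx + 1}: claims receipt by {older['by']}, but the hop "
                f"above says it got the message from {newer['from_host']}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_received(SAMPLE_MESSAGE):
        print(finding)
```

Run against the quoted headers it reports both the 756 octet in the bottom line and that bethere.net never hands the message to fs.IConNet.NET, which is the chain break Jeremy describes. A procmail recipe keyed on the literal octet catches this one program; the chain check also catches forgeries that bother to use a plausible address.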
Current thread:
- Spammer Bust Mark E Larson (Sep 05)
- Re: Spammer Bust Phil Howard (Sep 05)
- Re: Spammer Bust Phil Howard (Sep 05)
- Re: Spammer Bust Jeremy Elson (Sep 05)
- Re: Spammer Bust Russ Haynal (Sep 05)
- Re: Spammer Bust Phil Howard (Sep 05)
- Re: Spammer Bust Rick Horowitz - Network Administrator (Sep 05)
- Re: userid prefixes Alan Hannan (Sep 06)
- Re: Spammer Bust Jeremy Elson (Sep 05)
- Spam protection for larger networks (Was Re: Spammer Bust) Rod Nayfield (Sep 05)
- Re: Spam protection for larger networks (Was Re: Spammer Bust) Peter Marelas (Sep 06)
- Message not available
- Re: Spammer Bust Jay R. Ashworth (Sep 05)
- Re: Spammer Bust Steve Mansfield (Sep 05)
- BGP blackholing spam [was Spammer Bust] Randy Bush (Sep 05)
- Re: BGP blackholing spam [was Spammer Bust] Paul A Vixie (Sep 06)
- Re: BGP blackholing spam [was Spammer Bust] Alex.Bligh (Sep 06)
- Re: BGP blackholing spam [was Spammer Bust] Paul A Vixie (Sep 06)
- Re: BGP blackholing spam [was Spammer Bust] Jim Carroll (Sep 06)
- Re: BGP blackholing spam [was Spammer Bust] Paul A Vixie (Sep 06)
- <Possible follow-ups>
- Re: Spammer Bust Sean M. Doran (Sep 05)
- Re: Spammer Bust Mark E Larson (Sep 05)
- Re: Spammer Bust Sean M. Doran (Sep 05)