nanog mailing list archives
Re: Spammer Bust
From: Steve Mansfield <steve () nwnet net>
Date: Fri, 5 Sep 1997 21:21:56 -0700 (PDT)
I'll just make this one comment, as I think this whole thread is probably off-topic, but this tactic has been used for quite some time by spammers. Even if they aren't using a version with the bogus timestamp, following the headers down, the forged line becomes obvious when you realise that the psi host never received it from bethere.net, plus there *is* no bethere.net.

For further information on this topic, I would suggest either the spam-l mailing list, or send mail to spam-request () zorch sf-bay org. Many of these issues have long been hashed, and current topics on the spam problem are more properly discussed on one of those lists.

Steve Mansfield                         steve () nwnet net
NorthWestNet Network Engineer           425-649-7467
On Fri, Sep 05, 1997 at 04:35:17PM -0400, Jeremy Elson wrote:

More recently, though, something much more insidious started to happen: spammers have started forging Received: lines in the headers to misdirect attempts at tracing the source of the mail! Here's one beautiful example of a spam header I received (my mailhost here was blaze.cs.jhu.edu):

From: mailman () domaol net
Received: from fs.IConNet.NET by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
Sender: mailman () domaol net
Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net [38.11.102.19]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207; Wed, 9 Apr 1997 03:54:27 -0400 (EDT)
Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by bethere.net (8.8.5/8.6.5) with SMTP id GAA04732 for <friend () public com>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
                                                                                                                                                    ^^^^^^^^^^^
To: friend () public com
Message-ID: <37474743565665.JDL9087 () bethere net>

[ "how did it get there?" ]

The answer, of course, is that the mail really originated from a PSInet dialup, using IConNet.NET as a spam relay; the bottom Received: line is an utter forgery, presumably added by the spam-mailing software. In fact, it's not even a very good forgery, because the supposed IP address of alt2.bethere.net is invalid (the 2nd octet is 756).

This is a known spamming program; the highlighted mistake would probably work _exceptionally_ well in your procmail file. :-)

Cheers,
-- jra
-- 
Jay R. Ashworth                                              jra () baylink com
Member of the Technical Staff               Unsolicited Commercial Emailers Sued
The Suncoast Freenet            "People propose, science studies, technology
Tampa Bay, Florida              conforms."  -- Dr. Don Norman    +1 813 790 7592
Current thread:
- Re: Spammer Bust, (continued)
- Re: Spammer Bust Phil Howard (Sep 05)
- Re: Spammer Bust Phil Howard (Sep 05)
- Re: Spammer Bust Jeremy Elson (Sep 05)
- Re: Spammer Bust Russ Haynal (Sep 05)
- Re: Spammer Bust Phil Howard (Sep 05)
- Re: Spammer Bust Rick Horowitz - Network Administrator (Sep 05)
- Re: userid prefixes Alan Hannan (Sep 06)
- Re: Spammer Bust Jeremy Elson (Sep 05)
- Spam protection for larger networks (Was Re: Spammer Bust) Rod Nayfield (Sep 05)
- Re: Spam protection for larger networks (Was Re: Spammer Bust) Peter Marelas (Sep 06)
- Message not available
- Re: Spammer Bust Jay R. Ashworth (Sep 05)
- Re: Spammer Bust Steve Mansfield (Sep 05)
- BGP blackholing spam [was Spammer Bust] Randy Bush (Sep 05)
- Re: BGP blackholing spam [was Spammer Bust] Paul A Vixie (Sep 06)
- Re: BGP blackholing spam [was Spammer Bust] Alex.Bligh (Sep 06)
- Re: BGP blackholing spam [was Spammer Bust] Paul A Vixie (Sep 06)
- Re: BGP blackholing spam [was Spammer Bust] Jim Carroll (Sep 06)
- Re: BGP blackholing spam [was Spammer Bust] Paul A Vixie (Sep 06)
- Re: Spammer Bust Mark E Larson (Sep 05)