nanog mailing list archives

Re: Spammer Bust


From: Steve Mansfield <steve () nwnet net>
Date: Fri, 5 Sep 1997 21:21:56 -0700 (PDT)

I'll just make this one comment, as I think this whole thread is probably
off-topic, but this tactic has been used for quite some time by spammers.
Even if they aren't using a version with the bogus timestamp, following the
headers down, the forged line becomes obvious when you realise that the psi
host never received it from bothere.net, plus there *is* no bothere.net.

For further information on this topic, I would suggest either the spam-l
mailing list, or send mail to spam-request () zorch sf-bay org.  Many of these
issues have long been hashed, and current topics on the spam problem are
more properly discussed on one of those lists.

Steve Mansfield                          steve () nwnet net
NorthWestNet Network Engineer            425-649-7467

On Fri, Sep 05, 1997 at 04:35:17PM -0400, Jeremy Elson wrote:
More recently, though, something much more insidious started to happen:
spammers have started forging Received: lines in the headers to misdirect
attempts at tracing the source of the mail!  Here's one beautiful example
of a spam header I received (my mailhost here was blaze.cs.jhu.edu):

From: mailman () domaol net
Received: from fs.IConNet.NET
           by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
Sender: mailman () domaol net
Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net
   [38.11.102.19]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207; 
   Wed, 9 Apr 1997 03:54:27 -0400 (EDT) 
Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by
   bethere.net (8.8.5/8.6.5) with SMTP id GAA04732 for
   <friend () public com>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
                                                    ^^^^^^^^^^^
To: friend () public com
Message-ID: <37474743565665.JDL9087 () bethere net>
[ "how did it get there?" ]
The answer, of course, is that the mail really originated from a PSInet
dialup, using IConNet.NET as a spam relay; the bottom Received: line is an
utter forgery, presumably added by the spam-mailing software.  In fact,
it's not even a very good forgery, because the supposed IP address of
alt2.bethere.net is invalid (the 2nd octet is 756).

This is a known spamming program; the highlighted mistake would
probably work _exceptionally_ well in your procmail file.  :-)

Cheers,
-- jra
-- 
Jay R. Ashworth                                                jra () baylink com
Member of the Technical Staff             Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "People propose, science studies, technology
Tampa Bay, Florida          conforms."  -- Dr. Don Norman      +1 813 790 7592
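Detection logic for the three tells the thread points out, as an added example that is not code from any of the posters: it unfolds the header block quoted above, flags the impossible octet, the numeric offset that contradicts the zone name, and the hop whose "by" host never appears as the next hop's "from" host. The zone table and the sample block are reconstructed from the message above and are assumptions of this example.

```python
import re
# Header block reconstructed from the example quoted above ("friend () public com"
# is the archive's obfuscation of an @ address, restored here).
SAMPLE_HEADERS = """\
Received: from fs.IConNet.NET
           by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net
   [38.11.102.19]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207;
   Wed, 9 Apr 1997 03:54:27 -0400 (EDT)
Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by
   bethere.net (8.8.5/8.6.5) with SMTP id GAA04732 for
   <friend@public.com>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
"""
# Numeric offsets that the common zone abbreviations actually denote.
ZONE_OFFSET = {"GMT": "+0000", "UTC": "+0000", "EST": "-0500", "EDT": "-0400",
               "CST": "-0600", "CDT": "-0500", "MST": "-0700", "MDT": "-0600",
               "PST": "-0800", "PDT": "-0700"}

def received_values(block):
    """Unfold RFC 822 continuation lines; return Received: values, top first."""
    lines = []
    for raw in block.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return [l[len("Received:"):].strip() for l in lines if l.startswith("Received:")]

def check_hop(value):
    """Anomalies visible inside a single Received: value."""
    problems = []
    for quad in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", value):
        if any(int(octet) > 255 for octet in quad.split(".")):
            problems.append(f"impossible IPv4 address {quad}")
    m = re.search(r"([+-]\d{4})\s*\(([A-Z]{3,4})\)", value)
    if m and ZONE_OFFSET.get(m.group(2), m.group(1)) != m.group(1):
        problems.append(f"offset {m.group(1)} contradicts zone name {m.group(2)}")
    return problems

def check_chain(block):
    hops = received_values(block)
    report = [check_hop(v) for v in hops]
    # Relays prepend Received: lines, so hop i+1 is the earlier relay: the host
    # it says it was received *by* must be the host hop i was received *from*.
    for i in range(len(hops) - 1):
        fr = re.search(r"\bfrom\s+([^\s(]+)", hops[i])
        by = re.search(r"\bby\s+([^\s(;]+)", hops[i + 1])
        if fr and by and fr.group(1).lower() != by.group(1).lower():
            report[i + 1].append(f"relay {by.group(1)} is not the next hop's from-host ({fr.group(1)})")
    return report
```

Running `check_chain(SAMPLE_HEADERS)` reports nothing for the two genuine hops and three anomalies for the forged bottom line.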