RE: Spam question

["David Gillett" <gillettdavid () fhda edu>]

  In fact, spammers try this all the time.  Most of them don't
bother to do it convincingly....

  But note that the headers of the message I receive are not JUST
those that the sender has provided.  I also have the Received: 
header that was inserted by MY mail server, showing where it got
the message from.
  I find that http://spamcop.net does a great job of spotting most
forgeries when backtracking through Received: headers.

David Gillett


> -----Original Message-----
> From: Tomas Wolf [mailto:tomas () skip cz]
> Sent: September 1, 2003 04:12
> To: security-basics () securityfocus com
> Subject: Spam question
>
>
> Hello,
>
>  I'm reading some sources of spam I've got and I have a question that 
> has crossed my mind... Is it possible to malform e-mail's header?
>
> What I have in mind is that some of the headers come with different 
> header composition in which up to two *Received:* records are from 
> registered range... And also some of these e-mails have 
> *Return-Path:* 
> inserted on the bottom of the header, following *Received: from 
> bla.bla.com [xxx.xxx.xxx.xxx] by bla.bla.com (MAILSERVER NAME 
> vX) with 
> PROTOCOL, DATE*... While the original Return-path: with an e-mail 
> address, as it supposed to, is one of the top ones...
>
>  I have a theory about this... Could there be a program that connects 
> directly to the end-user SMTP server by telnet and makes sends to a 
> localhost? I know that would be a lot of traffic and time 
> spent on this, 
> but isn't this another possibility? I remember when I was 
> playing with 
> SMTP server at home, I was capable of sending any kind of e-mail to 
> anybody@localhost... So then I've tried it on several "real" SMTP 
> servers where I knew my friends had an account and it worked 
> as well... 
> Which means if I know the user and the end server, I'm able to send 
> pretty much anything and by forming the commands well, it is 
> possible to 
> try to malform the header so one of the records might trick somebody 
> into believing, that it is one of the SMTP relay hops.
>
> Thanks for your input...
> Tomas
>
>
>
> --------------------------------------------------------------
> -------------
> Attend Black Hat Briefings & Training Federal, September 
> 29-30 (Training), 
> October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
> technical IT security event.  Modeled after the famous Black 
> Hat event in 
> Las Vegas! 6 tracks, 12 training sessions, top speakers and 
> sponsors.  
> Symantec is the Diamond sponsor.  Early-bird registration 
> ends September 6.Visit us: www.blackhat.com
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.Visit us: www.blackhat.com
----------------------------------------------------------------------------