[12152] in North American Network Operators' Group
Re: Spammer Bust
daemon@ATHENA.MIT.EDU (Jay R. Ashworth)
Fri Sep 5 23:41:17 1997
Date: Fri, 5 Sep 1997 23:31:57 -0400
From: "Jay R. Ashworth" <jra@scfn.thpl.lib.fl.us>
To: Jeremy Elson <jelson@helix.nih.gov>
Cc: Phil Howard <phil@charon.milepost.com>, Mark E Larson <markl@rust.net>,
nanog@merit.edu
In-Reply-To: <Pine.SGI.3.96.970905161243.4170D-100000@helix.nih.gov>; from Jeremy Elson <jelson@helix.nih.gov> on Fri, Sep 05, 1997 at 04:35:17PM -0400
On Fri, Sep 05, 1997 at 04:35:17PM -0400, Jeremy Elson wrote:
> More recently, though, something much more insidious started to happen:
> spammers have started forging Received: lines in the headers to misdirect
> attempts at tracing the source of the mail! Here's one beautiful example
> of a spam header I received (my mailhost here was blaze.cs.jhu.edu):
>
> From: mailman@domaol.net
> Received: from fs.IConNet.NET
> by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
> Sender: mailman@domaol.net
> Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net
> [38.11.102.19]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207;
> Wed, 9 Apr 1997 03:54:27 -0400 (EDT)
> Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by
> bethere.net (8.8.5/8.6.5) with SMTP id GAA04732 for
> <friend@public.com>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
^^^^^^^^^^^
> To: friend@public.com
> Message-ID: <37474743565665.JDL9087@bethere.net>
[ "how did it get there?" ]
> The answer, of course, is that the mail really originated from a PSInet
> dialup, using IConNet.NET as a spam relay; the bottom Received: line is an
> utter forgery, presumably added by the spam-mailing software. In fact,
> it's not even a very good forgery, because the supposed IP address of
> alt2.bethere.net is invalid (the 2nd octet is 756).
This is a known spamming program; the highlighted mistake would
probably work _exceptionally_ well in your procmail file. :-)
Cheers,
-- jra
--
Jay R. Ashworth                                              jra@baylink.com
Member of the Technical Staff            Unsolicited Commercial Emailers Sued
The Suncoast Freenet          "People propose, science studies, technology
Tampa Bay, Florida             conforms."  -- Dr. Don Norman  +1 813 790 7592
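The check Jay hints at (catching the impossible octet), written out as an added example that is not part of the thread: it walks the Received: lines of a constructed copy of the header quoted above, flags any dotted quad with an octet over 255, and also flags the break in the relay chain that Jeremy describes (a hop whose "by" host is not the host the hop above says it received from). The function names and the sample message are my own, not from the original posts.

```python
import re
from email import message_from_string

# Constructed sample, modelled on the header quoted in the thread (folding added).
SAMPLE_MESSAGE = """\
From: mailman@domaol.net
Received: from fs.IConNet.NET
 by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
Sender: mailman@domaol.net
Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net
 [38.11.102.19]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207;
 Wed, 9 Apr 1997 03:54:27 -0400 (EDT)
Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by
 bethere.net (8.8.5/8.6.5) with SMTP id GAA04732 for
 <friend@public.com>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
To: friend@public.com
Message-ID: <37474743565665.JDL9087@bethere.net>
"""

DOTTED_QUAD = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HOP = re.compile(r"from\s+(?P<frm>.*?)\s+by\s+(?P<by>[^\s(;]+)", re.I | re.S)

def received_hops(raw):
    """Unfolded Received: values; index 0 is the topmost (added last, nearest us)."""
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]

def bad_octets(hop):
    """Dotted quads in one hop with an octet outside 0..255 (e.g. 214.756.86.9)."""
    return [q for q in DOTTED_QUAD.findall(hop)
            if any(int(o) > 255 for o in q.split("."))]

def audit_received(raw):
    """(hop_index, reason) for every Received: line that cannot be genuine:
    an impossible IPv4 literal, or a 'by' host the hop above never handed to."""
    hops = received_hops(raw)
    findings = []
    for i, hop in enumerate(hops):
        for q in bad_octets(hop):
            findings.append((i, f"impossible IPv4 literal {q}"))
        if i > 0:
            m_this, m_prev = HOP.search(hop), HOP.search(hops[i - 1])
            if m_this and m_prev and \
               m_this.group("by").lower() not in m_prev.group("frm").lower():
                findings.append((i, f"'by {m_this.group('by')}' does not match "
                                    f"'from {m_prev.group('frm')}' above it"))
    return findings

if __name__ == "__main__":
    for idx, why in audit_received(SAMPLE_MESSAGE):
        print(f"Received #{idx}: {why}")
```

Both findings land on hop 2, the bottom line: the very one the thread identifies as the forgery. In a procmail recipe the octet test alone is a cheap first filter; the chain check needs a real parser like this one.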