[12153] in North American Network Operators' Group
Re: Spammer Bust
daemon@ATHENA.MIT.EDU (Steve Mansfield)
Sat Sep 6 00:29:30 1997
From: Steve Mansfield <steve@nwnet.net>
To: jra@scfn.thpl.lib.fl.us (Jay R. Ashworth)
Date: Fri, 5 Sep 1997 21:21:56 -0700 (PDT)
Cc: nanog@merit.edu
Reply-To: steve@nwnet.net
In-Reply-To: <19970905233157.04913@scfn.thpl.lib.fl.us> from "Jay R. Ashworth" at Sep 5, 97 11:31:57 pm
I'll just make this one comment, as I think this whole thread is probably
off-topic, but this tactic has been used for quite some time by spammers.
Even if they aren't using a version with the bogus timestamp, following the
headers down, the forged line becomes obvious when you realise that the psi
host never received it from bothere.net, plus there *is* no bothere.net.
For further information on this topic, I would suggest either the spam-l
mailing list, or send mail to spam-request@zorch.sf-bay.org. Many of these
issues have long been hashed, and current topics on the spam problem are
more properly discussed on one of those lists.
Steve Mansfield steve@nwnet.net
NorthWestNet Network Engineer 425-649-7467
> On Fri, Sep 05, 1997 at 04:35:17PM -0400, Jeremy Elson wrote:
> > More recently, though, something much more insidious started to happen:
> > spammers have started forging Received: lines in the headers to misdirect
> > attempts at tracing the source of the mail! Here's one beautiful example
> > of a spam header I received (my mailhost here was blaze.cs.jhu.edu):
> >
> > From: mailman@domaol.net
> > Received: from fs.IConNet.NET
> > by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
> > Sender: mailman@domaol.net
> > Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net
> > [38.11.102.19]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207;
> > Wed, 9 Apr 1997 03:54:27 -0400 (EDT)
> > Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by
> > bethere.net (8.8.5/8.6.5) with SMTP id GAA04732 for
> > <friend@public.com>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
> ^^^^^^^^^^^
> > To: friend@public.com
> > Message-ID: <37474743565665.JDL9087@bethere.net>
> [ "how did it get there?" ]
> > The answer, of course, is that the mail really originated from a PSInet
> > dialup, using IConNet.NET as a spam relay; the bottom Received: line is an
> > utter forgery, presumably added by the spam-mailing software. In fact,
> > it's not even a very good forgery, because the supposed IP address of
> > alt2.bethere.net is invalid (the 2nd octet is 756).
>
> This is a known spamming program; the highlighted mistake would
> probably work _exceptionally_ well in your procmail file. :-)
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth                                                jra@baylink.com
> Member of the Technical Staff         Unsolicited Commercial Emailers Sued
> The Suncoast Freenet                  "People propose, science studies, technology
> Tampa Bay, Florida                     conforms."  -- Dr. Don Norman   +1 813 790 7592
>
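Added worked example, not part of the post and not the spamware or procmail
recipe the thread refers to: a small Python script that does mechanically
what Steve describes doing by hand, i.e. walks the Received: chain from the
top down and checks that each stamping host is the host the hop above says
it received from, while also catching the two tells Jeremy and Jay point at
(the 756 octet and the "-0600 (EST)" stamp). The sample header is a
hand-re-typed copy of the one quoted above with its continuation lines
indented so a header parser can unfold them; the ZONE_OFFSETS table, the
300-second clock-skew allowance and the function names are this example's
own assumptions, not anything the thread specifies.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the header quoted in the post, re-typed by hand with the
# RFC 822 continuation lines indented so they unfold. Not a live capture.
SAMPLE_HEADERS = """\
From: mailman@domaol.net
Received: from fs.IConNet.NET
 by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
Sender: mailman@domaol.net
Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net
 [38.11.102.19]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207;
 Wed, 9 Apr 1997 03:54:27 -0400 (EDT)
Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by
 bethere.net (8.8.5/8.6.5) with SMTP id GAA04732 for
 <friend@public.com>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
To: friend@public.com
Message-ID: <37474743565665.JDL9087@bethere.net>
"""

# Assumed table: numeric offsets for the zone abbreviations sendmail of that
# era appended in parentheses. A stamp whose number and abbreviation disagree
# was not written by a real MTA clock.
ZONE_OFFSETS = {"GMT": "+0000", "UTC": "+0000", "EST": "-0500", "EDT": "-0400",
                "CST": "-0600", "CDT": "-0500", "MST": "-0700", "MDT": "-0600",
                "PST": "-0800", "PDT": "-0700"}

RECEIVED_RE = re.compile(r"^Received:\s*from\s+(?P<clause>.*?)\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")
TZ_RE = re.compile(r"([+-]\d{4})\s*\(([A-Z]{3,4})\)")
CLOCK_SKEW = 300  # assumed: seconds of disagreement tolerated between adjacent hops


def unfold(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw):
    """Return the Received: hops top-down (newest first), as the header lists them."""
    hops = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        clause = m.group("clause")
        # Every identifier the stamping host recorded for its peer: the HELO
        # name plus any reverse-DNS name or bracketed address in parentheses.
        peers = {t.lower() for t in re.findall(r"[A-Za-z0-9.-]+", clause)}
        stamp = line.rsplit(";", 1)[1].strip() if ";" in line else ""
        when = None
        if stamp:
            try:
                when = parsedate_to_datetime(stamp)
                if when.tzinfo is None:  # "-0000" parses as naive; treat as UTC
                    when = when.replace(tzinfo=timezone.utc)
            except (TypeError, ValueError):
                when = None
        hops.append({"line": line, "from": clause.split("(")[0].strip().lower(),
                     "peers": peers, "by": m.group("by").lower(),
                     "stamp": stamp, "when": when})
    return hops


def check_received_chain(hops):
    """Report (hop_index, kind, detail) for each inconsistency a forged line leaves."""
    findings = []
    for i, hop in enumerate(hops):
        # 1. An octet above 255 was never produced by a resolver.
        for octets in IPV4_RE.findall(hop["line"]):
            if any(int(o) > 255 for o in octets):
                findings.append((i, "bad-ip", ".".join(octets)))
        # 2. The numeric offset and the zone abbreviation must agree.
        m = TZ_RE.search(hop["stamp"])
        if m and ZONE_OFFSETS.get(m.group(2)) not in (None, m.group(1)):
            findings.append((i, "tz-mismatch", f"{m.group(1)} ({m.group(2)})"))
        if i + 1 >= len(hops):
            continue
        older = hops[i + 1]
        # 3. The host this hop received from must be the host that claims to
        #    have stamped the next-older line; if not, that line was already
        #    in the message when the real upstream handed it over.
        if older["by"] not in hop["peers"]:
            findings.append((i + 1, "broken-chain",
                             f"{older['by']} claims to have relayed, but "
                             f"{hop['by']} received from {hop['from']}"))
        # 4. Older lines must carry earlier timestamps (within clock skew).
        if hop["when"] and older["when"]:
            delta = (older["when"] - hop["when"]).total_seconds()
            if delta > CLOCK_SKEW:
                findings.append((i + 1, "time-travel",
                                 f"stamped {int(delta)}s after the hop that received it"))
    return findings


if __name__ == "__main__":
    for hop_no, kind, detail in check_received_chain(parse_received(SAMPLE_HEADERS)):
        print(f"Received #{hop_no} (0 = topmost): {kind}: {detail}")
```

On the sample every finding lands on the bottom line: bethere.net is not
among the names the psi.net hop was recorded under, its stamp is nearly an
hour later than the hop that supposedly received it, the octet 756 is
impossible, and -0600 is not EST. The chain check only catches lies that
contradict a stamp written by an honest upstream host; a relay the spammer
controls can write a bottom line that agrees with everything above it, so
the top-most stamp from your own MTA is the only one to trust outright.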