[mdlug] Question on Spam

A. Kalten akalten at comcast.net
Sat Jul 7 11:06:03 EDT 2007


Hello,

Except for the fact that everything was done on a Linux machine
using Linux tools, this topic does not actually involve Linux.
But since a lot of people on this list are versed in networking,
I thought it might be appropriate to present it here.

Quite frequently I receive spam that seems to originate from
bona fide IP addresses that would not likely be in the spamming
business.  For example, just today I noticed a spam message with
both the "From:" and "Reply-to:" fields containing abacus21.com,
which is a legitimate business located in Buffalo, NY, serving the
hospitality industry.  Of course, these fields can be spoofed, but
the complete header does show the message as originating at
abacus21.com:

Return-Path: <a-8 at abacus21.com>
Received: from barium.ypsi.provide.net (root at localhost)
	by xxxxxxxxxxx.xxx (8.12.11/8.12.11) with ESMTP id l678eaDn013984
	for <info at xxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:36 -0400
X-ClientAddr: 221.133.163.182
Received: from [221.133.163.182] ([221.133.163.182])
	by barium.ypsi.provide.net (8.12.11.20060308/8.12.11) with ESMTP id l678eWWn013906
	for <info at xxxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:33 -0400
Received: from [221.133.163.182] by abacus21.com.inbound20.mxlogic.net; Sat, 7 Jul 2007 08:40:35 -0900

(The purpose of the "xxxxxxxxxx.xxx" is to obscure the actual receiving
address, which is not important for this discussion.)

The host command indicates that the originating address is definitely
abacus21.com:

[/]# host abacus21.com
abacus21.com mail is handled by 20 abacus21.com.inbound20.mxlogic.net.
abacus21.com mail is handled by 20 abacus21.com.inbound20.mxlogicmx.net.
abacus21.com mail is handled by 30 abacus21.com.inbound30.mxlogic.net.
abacus21.com mail is handled by 30 abacus21.com.inbound30.mxlogicmx.net.
abacus21.com mail is handled by 10 abacus21.com.inbound10.mxlogic.net.
abacus21.com mail is handled by 10 abacus21.com.inbound10.mxlogicmx.net.

Whenever I take the time to check, I can find many other examples
of this.  Just last week, I spotted joespools.com, a swimming pool
installer from Georgia, as another source of spam.  There have been
countless other cases.

Is this an example of the fabled Botnet or Zombie operation?  That is,
could abacus21.com have been hijacked for the purpose of sending spam?
Or is the explanation just a simple matter of abacus21.com being
a relay?

AK
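Added example, not part of the original post: a small Python script that walks a Received: chain like the one quoted above from the top (your own MTA) downward. The idea is that only the Received: lines stamped by hosts you trust are reliable; the first hop whose "from" host is not one of yours is the client that actually connected to your infrastructure, and every Received: line below that point arrived inside the message and could have been written by the sender, whatever MX name it claims. The sample header is constructed from the one in the post (the archive's "at" restored to "@", the receiving host left anonymised), the MX list is copied from the host output in the post, and the set of trusted hosts (the anonymised receiver plus barium.ypsi.provide.net) is an assumption for the example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample based on the header quoted in the post ("at" restored
# to "@"; the receiving host stays anonymised as it was there).
SAMPLE_HEADERS = """\
Return-Path: <a-8@abacus21.com>
Received: from barium.ypsi.provide.net (root@localhost)
    by xxxxxxxxxxx.xxx (8.12.11/8.12.11) with ESMTP id l678eaDn013984
    for <info@xxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:36 -0400
X-ClientAddr: 221.133.163.182
Received: from [221.133.163.182] ([221.133.163.182])
    by barium.ypsi.provide.net (8.12.11.20060308/8.12.11) with ESMTP id l678eWWn013906
    for <info@xxxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:33 -0400
Received: from [221.133.163.182] by abacus21.com.inbound20.mxlogic.net; Sat, 7 Jul 2007 08:40:35 -0900
From: a-8@abacus21.com
Subject: constructed sample

(body)
"""

# Hosts whose Received: lines we trust: our own MTA and the ISP relay in
# front of it (assumed for this example).
TRUSTED_HOSTS = {"xxxxxxxxxxx.xxx", "barium.ypsi.provide.net"}

# MX hosts for the sender domain, as listed by `host abacus21.com` in the
# post.  A live check would resolve these and compare addresses, not names.
ABACUS21_MX = {
    "abacus21.com.inbound10.mxlogic.net", "abacus21.com.inbound10.mxlogicmx.net",
    "abacus21.com.inbound20.mxlogic.net", "abacus21.com.inbound20.mxlogicmx.net",
    "abacus21.com.inbound30.mxlogic.net", "abacus21.com.inbound30.mxlogicmx.net",
}

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
TOKEN = r"([^\s;()]+)"  # a host name, [address], or similar, up to ; or ( or whitespace


def parse_received(header_text):
    """Return the Received: hops top-down (newest first) as dicts."""
    msg = message_from_string(header_text)
    hops = []
    for raw in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", raw).strip()          # unfold the header
        m_from = re.match(r"from " + TOKEN, value)
        m_by = re.search(r"\bby " + TOKEN, value)
        _clause, _, date_str = value.rpartition(";")       # the date follows the last ';'
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "time": parsedate_to_datetime(date_str.strip()) if date_str.strip() else None,
        })
    return hops


def analyze(header_text, trusted_hosts, sender_mx):
    hops = parse_received(header_text)
    # Walk down from our own MTA.  The first hop whose "from" host is not
    # trusted is the client that really connected to our infrastructure;
    # every Received: line below it came in with the message body and may be forged.
    boundary = None
    for i, hop in enumerate(hops):
        if hop["by"] in trusted_hosts and hop["from"] not in trusted_hosts:
            boundary = i
            break
    boundary_ip = None
    if boundary is not None:
        m = IP_RE.search(hops[boundary]["from"] or "")
        boundary_ip = m.group(1) if m else None
    unverifiable = list(range(boundary + 1, len(hops))) if boundary is not None else []
    # Timestamps (compared as aware datetimes) should not increase further down the chain.
    anomalies = [i for i in range(1, len(hops))
                 if hops[i - 1]["time"] and hops[i]["time"] and hops[i]["time"] > hops[i - 1]["time"]]
    return {
        "hops": hops,
        "boundary": boundary,
        "boundary_ip": boundary_ip,
        "connecting_host_is_sender_mx": boundary is not None and hops[boundary]["from"] in sender_mx,
        "unverifiable": unverifiable,
        "unverifiable_mx_claims": [i for i in unverifiable if hops[i]["by"] in sender_mx],
        "time_anomalies": anomalies,
    }


if __name__ == "__main__":
    r = analyze(SAMPLE_HEADERS, TRUSTED_HOSTS, ABACUS21_MX)
    for i, h in enumerate(r["hops"]):
        tag = "TRUSTED" if i <= (r["boundary"] or 0) else "unverifiable"
        print(f"hop {i} [{tag}] from {h['from']} by {h['by']} at {h['time']}")
    print("connecting client at trust boundary:", r["boundary_ip"])
    print("connecting client is a sender-domain MX:", r["connecting_host_is_sender_mx"])
    print("unverifiable hops claiming a sender MX:", r["unverifiable_mx_claims"])
    print("hops whose timestamp runs backwards:", r["time_anomalies"])
```

Run against the sample, the script reports that the host which connected to barium.ypsi.provide.net was 221.133.163.182 rather than any of the abacus21.com MX hosts, that the one Received: line naming abacus21.com.inbound20.mxlogic.net sits below the trust boundary, and that its timestamp (08:40:35 -0900, i.e. 17:40:35 UTC) is nine hours later than the hop that supposedly received it from that relay, which is the kind of inconsistency a pasted-in Received: line tends to show. For a real investigation, replace the constructed MX set with a live MX lookup and compare the connecting address against the resolved MX addresses.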



