[mdlug] Question on Spam

Carl T. Miller millerc at cantonpl.org
Sat Jul 7 14:40:01 EDT 2007


A. Kalten wrote:
> Quite frequently I receive spam that seems to originate from
> bona fide IP addresses that would not likely be in the spamming
> business.  For example, just today I noticed a spam message with
> both the "From:" and "Reply-to:" fields containing abacus21.com,
> which is a legitimate business located in Buffalo, NY, serving the
> hospitality industry.  Of course, these fields can be spoofed, but
> the complete header does show the message as originating at
> abacus21.com:

Not really.  The only header that you can believe is the
first Received header.  If it says it came from a server
you can trust, you can then believe the next Received
header.  Keep doing this until you come to the first
server you don't know or trust.  Notice that this means you
can't trust the Return-Path, To, From or Reply-To headers
unless you trust every Received header.

> Return-Path: <a-8 at abacus21.com>
> Received: from barium.ypsi.provide.net (root at localhost)
> 	by xxxxxxxxxxx.xxx (8.12.11/8.12.11) with ESMTP id l678eaDn013984
> 	for <info at xxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:36 -0400
> X-ClientAddr: 221.133.163.182
> Received: from [221.133.163.182] ([221.133.163.182])
> 	by barium.ypsi.provide.net (8.12.11.20060308/8.12.11) with ESMTP id
> l678eWWn013906
> 	for <info at xxxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:33 -0400
> Received: from [221.133.163.182] by abacus21.com.inbound20.mxlogic.net;
> Sat, 7 Jul 2007 08:40:35 -0900

Let's look at your headers.  The first Received shows
that xxxxxxxxxxxx.xxx (this must be your mail server)
received it from barium.ypsi.provide.net.  We can likely
trust them, since they are likely your ISP.  The second
header says it came from 221.133.163.182.  Since we don't
know who that is and they don't have a hostname associated
with that address, we can't trust anything else in this
message to be accurate.  Thus we don't know whether or
not it did come from abacus21.com.

> The host command indicates that the originating address is definitely
> abacus21.com:
>
> [/]# host abacus21.com
> abacus21.com mail is handled by 20 abacus21.com.inbound20.mxlogic.net.
> abacus21.com mail is handled by 20 abacus21.com.inbound20.mxlogicmx.net.
> abacus21.com mail is handled by 30 abacus21.com.inbound30.mxlogic.net.
> abacus21.com mail is handled by 30 abacus21.com.inbound30.mxlogicmx.net.
> abacus21.com mail is handled by 10 abacus21.com.inbound10.mxlogic.net.
> abacus21.com mail is handled by 10 abacus21.com.inbound10.mxlogicmx.net.

All the host command shows is what IP addresses abacus21.com
uses to accept email.  It doesn't tell us a thing about the
message you received.

> Whenever I take the time to check, I can find many other examples
> of this.  Just last week, I spotted joespools.com, a swimming pool
> installer from Georgia, as another source of spam.  There have been
> countless other cases.
>
> Is this an example of the fabled Botnet or Zombie operation?  That is,
> could abacus21.com have been hijacked for the purpose of sending spam?
> Or is the explanation just a simple matter of abacus21.com being
> a relay?

It's most likely from a botnet or zombie.  There's big money
out there for people who can automate the delivery of spam
while hiding their identities.

c
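
The header-walking procedure in the reply above, as an added example that is not code from the original post: it believes each Received: header only while the server that wrote it is on a trust list, stops at the first host it does not know, and flags places where the chain does not line up. The sample message is constructed from the headers quoted in the thread (the archive's "at" obfuscation restored to "@", a From:/Reply-To: line added since the post says both named abacus21.com), and the trust list is an assumption standing in for the reader's own mail server and the ISP relay in front of it.

```python
"""Walk the Received: chain of a message from the top, trusting each hop
only while the server that wrote it is one we already trust."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, adapted from the headers quoted in the thread above:
# the archive's "at" obfuscation is restored to "@", and a From:/Reply-To:
# line is added (the post says both named abacus21.com). The recipient
# host stays masked as in the post.
SAMPLE_MESSAGE = """\
Return-Path: <a-8@abacus21.com>
Received: from barium.ypsi.provide.net (root@localhost)
    by xxxxxxxxxxx.xxx (8.12.11/8.12.11) with ESMTP id l678eaDn013984
    for <info@xxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:36 -0400
X-ClientAddr: 221.133.163.182
Received: from [221.133.163.182] ([221.133.163.182])
    by barium.ypsi.provide.net (8.12.11.20060308/8.12.11) with ESMTP id
    l678eWWn013906
    for <info@xxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:33 -0400
Received: from [221.133.163.182] by abacus21.com.inbound20.mxlogic.net;
    Sat, 7 Jul 2007 08:40:35 -0900
From: a-8@abacus21.com
Reply-To: a-8@abacus21.com
To: info@xxxxxxxxxxx.xxx
Subject: (constructed sample)

body omitted
"""

# Assumed trust list: the reader's own mail server plus the ISP relay
# (barium.ypsi.provide.net) that hands mail to it.
TRUSTED_HOSTS = {"xxxxxxxxxxx.xxx", "barium.ypsi.provide.net"}

HOST = r"\[?([^\s\]\(;]+)\]?"  # bare hostname or [a.b.c.d], no trailing ';'


def parse_received(value):
    """Pull the 'from' and 'by' hosts out of one Received: header."""
    flat = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
    m_from = re.search(r"\bfrom\s+" + HOST, flat)
    m_by = re.search(r"\bby\s+" + HOST, flat)
    return {
        "from": m_from.group(1).lower() if m_from else None,
        "by": m_by.group(1).lower() if m_by else None,
        "raw": flat,
    }


def analyze(raw_message, trusted_hosts):
    """Walk Received: headers top-down; stop at the first untrusted host."""
    trusted = {h.lower() for h in trusted_hosts}
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]

    believed, unverified, first_untrusted = [], [], None
    for i, hop in enumerate(hops):
        # A Received: header is only as honest as the server that wrote it.
        if hop["by"] not in trusted:
            first_untrusted, unverified = hop["by"], hops[i:]
            break
        believed.append(hop)
        # Every header below this one was written by, or passed through,
        # hop["from"]; if that host is unknown to us, nothing below counts.
        if hop["from"] not in trusted:
            first_untrusted, unverified = hop["from"], hops[i + 1:]
            break

    # Each header should have been written by the host the previous header
    # names as its source; a mismatch is a classic sign of forged headers.
    inconsistent = [(a["from"], b["by"]) for a, b in zip(hops, hops[1:])
                    if a["from"] != b["by"]]

    return {
        "believed": believed,
        "first_untrusted": first_untrusted,
        "unverified": unverified,
        "inconsistent_links": inconsistent,
        "claimed_from": parseaddr(msg.get("From", ""))[1],
        # Return-Path/From/Reply-To are believable only if every hop is.
        "headers_believable": first_untrusted is None,
    }


if __name__ == "__main__":
    r = analyze(SAMPLE_MESSAGE, TRUSTED_HOSTS)
    for hop in r["believed"]:
        print("trusted:   ", hop["by"], "received from", hop["from"])
    print("stop at:   ", r["first_untrusted"])
    for hop in r["unverified"]:
        print("unverified:", hop["raw"])
    print("claimed From:", r["claimed_from"],
          "(believable)" if r["headers_believable"] else "(cannot be verified)")
    for src, writer in r["inconsistent_links"]:
        print("chain break: earlier hop says from", src,
              "but the next header says by", writer)
```

Run against the sample, the walk believes the first two headers, stops at 221.133.163.182, and reports the mxlogic header as unverifiable; it also notes that the second header's source (221.133.163.182) is not the host the third header claims wrote it, which is why the abacus21.com From: line proves nothing about where the message came from.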




