[mdlug] Question on Spam
A. Kalten
akalten at comcast.net
Sat Jul 7 15:32:59 EDT 2007
On Sat, 7 Jul 2007 14:40:01 -0400 (EDT)
"Carl T. Miller" <millerc at cantonpl.org> wrote:
>
> Let's look at your headers. The first Received shows
> that xxxxxxxxxxxx.xxx (this must be your mail server)
> received it from barium.ypsi.provide.net. We can likely
> trust them, since they are likely your ISP. The second
> header says it came from 221.133.163.182. Since we don't
> know who that is and they don't have a hostname associated
> with that address, we can't trust anything else in this
> message to be accurate. Thus we don't know whether or
> not it did come from abacus21.com.
>
> It's most likely from a botnet or zombie. There's big money
> out there for people who can automate the delivery of spam
> while hiding their identities.
>
OK. I see what is happening. For some reason I had overlooked
221.133.163.182.
The main point is that abacus21.com is not a part
of this botnet. At first I actually thought about
notifying abacus21.com to tell them that their mail server
might be compromised. But the header information indicates
that it is most likely just a deception.
This pattern is similar in a lot of other spam that I
receive. For example, here is another header of the
same form:
Return-Path: <a-acero at aef.wh.uni-dortmund.de>
Received: from barium.ypsi.provide.net (root at localhost)
    by myserver.biz (8.12.11/8.12.11) with ESMTP id l67GSgDF021782
    for <info at myserver.biz>; Sat, 7 Jul 2007 12:28:43 -0400
X-ClientAddr: 91.15.216.178
Received: from p5B0FD8B2.dip.t-dialin.net (p5B0FD8B2.dip.t-dialin.net [91.15.216.178])
    by barium.ypsi.provide.net (8.12.11.20060308/8.12.11) with ESMTP id l67GSYEK021726
    for <info at northernlightsphoto.biz>; Sat, 7 Jul 2007 12:28:34 -0400
Received: from [91.15.216.178] by aef.wh.uni-dortmund.de; Sat, 7 Jul 2007 16:28:22 -0100
In this case, even though uni-dortmund.de is a legitimate
university in Germany, the fact that it appears following this dubious
91.15.216.178 address makes the uni-dortmund.de location just another
part of the deception. Also, the info says uni-dortmund.de only
receives from 91.15.216.178 but doesn't send it anywhere else.
Thanks for clearing this up.
AK
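An added example, not part of the post or of the list thread: a small Python script that walks the Received chain the way Carl describes, treating stamps written by our own server and the ISP relay as honest, marking the first hop from an outside host as the real injection point, and marking everything below it as unverifiable. The sample headers are the ones quoted above; the trusted host set is an assumption for the example.

```python
import re
# Received chain copied from the second header sample in the post above (hosts and
# addresses as shown there; "myserver.biz" is the poster's own placeholder).
SAMPLE_HEADERS = """\
Received: from barium.ypsi.provide.net (root at localhost)
    by myserver.biz (8.12.11/8.12.11) with ESMTP id l67GSgDF021782
    for <info at myserver.biz>; Sat, 7 Jul 2007 12:28:43 -0400
X-ClientAddr: 91.15.216.178
Received: from p5B0FD8B2.dip.t-dialin.net (p5B0FD8B2.dip.t-dialin.net [91.15.216.178])
    by barium.ypsi.provide.net (8.12.11.20060308/8.12.11) with ESMTP id l67GSYEK021726
    for <info at northernlightsphoto.biz>; Sat, 7 Jul 2007 12:28:34 -0400
Received: from [91.15.216.178] by aef.wh.uni-dortmund.de; Sat, 7 Jul 2007 16:28:22 -0100
"""

# Hosts whose Received: stamps we accept as honest: our own MX and the ISP relay
# (an assumption for this example; substitute your own servers).
TRUSTED_HOSTS = {"myserver.biz", "barium.ypsi.provide.net"}

def unfold_received(raw):
    """Join folded continuation lines and return only the Received: header values."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return [l[len("Received:"):].strip() for l in lines if l.startswith("Received:")]

def parse_hop(value):
    """Extract the claimed sender, the receiving host and any literal IP from one hop."""
    m_from = re.search(r"\bfrom\s+([^\s;]+)", value)
    m_by = re.search(r"\bby\s+([^\s;]+)", value)
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    return {"from": m_from and m_from.group(1), "by": m_by and m_by.group(1),
            "ip": m_ip and m_ip.group(1)}

def trust_walk(raw, trusted=TRUSTED_HOSTS):
    """Walk hops newest-first; every hop below the first one from outside is unverifiable."""
    hops = [parse_hop(v) for v in unfold_received(raw)]
    boundary_seen = False
    for hop in hops:
        if boundary_seen or hop["by"] not in trusted:
            hop["verdict"] = "unverifiable"      # stamped by a host we cannot vouch for
        elif hop["from"] in trusted:
            hop["verdict"] = "trusted"           # handoff between hosts we trust
        else:
            hop["verdict"] = "injection-point"   # first outside host: the real origin
            boundary_seen = True
    return hops
```

Run on the sample, the second hop (from 91.15.216.178 into the ISP relay) comes out as the injection point and the uni-dortmund.de line below it as unverifiable, which is exactly the reading given in the thread.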