[mdlug] Question on Spam
Rich Clark <rrclark@rrclark.net>
Mon Jul 23 17:21:47 EDT 2007
On Sat, 7 Jul 2007, A. Kalten wrote:
> Hello,
>
> Except for the fact that everything was done on a Linux machine
> using Linux tools, this topic does not actually involve Linux.
> But since a lot of people on this list are versed in networking,
> I thought it might be appropriate to present it here.
>
> Quite frequently I receive spam that seems to originate from
> bona fide IP addresses that would not likely be in the spamming
> business. For example, just today I noticed a spam message with
> both the "From:" and "Reply-to:" fields containing abacus21.com,
> which is a legitimate business located in Buffalo, NY, serving the
> hospitality industry. Of course, these fields can be spoofed, but
> the complete header does show the message as originating at
> abacus21.com:
Sorry this reply is so late, just reviewing old, unread mail.
What you're seeing is a header forgery. I'll point them out for ya.
> Return-Path: <a-8 at abacus21.com>
The below header is the header generated by your internal mail system on
moving it from the inbound queue to your local mailbox.
> Received: from barium.ypsi.provide.net (root at localhost)
> by xxxxxxxxxxx.xxx (8.12.11/8.12.11) with ESMTP id l678eaDn013984
> for <info at xxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:36 -0400
Next header, I'm not certain what's generating this, but it's pointing at
the likely originator.
> X-ClientAddr: 221.133.163.182
This header below is barium.ypsi.provide.net receiving the message from
221.133.163.182.
> Received: from [221.133.163.182] ([221.133.163.182])
> by barium.ypsi.provide.net (8.12.11.20060308/8.12.11) with ESMTP id l678eWWn013906
> for <info at xxxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:33 -0400
The line below is an outright forgery, meant to foul up things for
automated spam reporting engines, such as spamcop.net and amateur mail
header readers.
> Received: from [221.133.163.182] by abacus21.com.inbound20.mxlogic.net; Sat, 7 Jul 2007 08:40:35 -0900
>
> Or is the explanation just a simple matter of abacus21.com being
> a relay?
None of the above, actually. Just another botted Korean Windows
installation.
Many people use Spamhaus's Zen blocklist in their mail system. Had you
been using it, you wouldn't have seen the original email.
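The header walk Rich does by hand above can be automated. The script below is an added example, not part of the post or the list archive: it reads a message's Received headers top to bottom (newest hop first), checks that each hop's "from" host is the host the next older hop claims to be ("by"), checks that an older hop is not timestamped after a newer one, and reports the last consistent hop's "from" address as the likely origin. The sample headers are a constructed copy of the ones quoted in the thread, with the archive's " at " obfuscation restored to "@" and the recipient domain left masked as in the post; the 5-minute clock-skew allowance is an assumption, not something the post states.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample adapted from the headers quoted in the post (" at " -> "@",
# recipient domain masked as in the post). Received headers are newest-first.
RAW_HEADERS = """Return-Path: <a-8@abacus21.com>
Received: from barium.ypsi.provide.net (root@localhost)
\tby xxxxxxxxxxx.xxx (8.12.11/8.12.11) with ESMTP id l678eaDn013984
\tfor <info@xxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:36 -0400
X-ClientAddr: 221.133.163.182
Received: from [221.133.163.182] ([221.133.163.182])
\tby barium.ypsi.provide.net (8.12.11.20060308/8.12.11) with ESMTP id l678eWWn013906
\tfor <info@xxxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:33 -0400
Received: from [221.133.163.182] by abacus21.com.inbound20.mxlogic.net; Sat, 7 Jul 2007 08:40:35 -0900
Subject: constructed sample

"""


def parse_received(value):
    """Pull the 'from' host, 'by' host and timestamp out of one Received header."""
    text = re.sub(r"\s+", " ", value).strip()          # unfold continuation lines
    m_from = re.match(r"from\s+([^\s;()]+)", text)
    m_by = re.search(r"\bby\s+([^\s;()]+)", text)
    stamp = None
    if ";" in text:                                      # the date follows the last ';'
        try:
            stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            stamp = None
    return {
        "from": m_from.group(1) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "time": stamp,
        "raw": text,
    }


def extract_hops(raw_headers):
    """Return the parsed Received headers, index 0 being the newest hop."""
    msg = message_from_string(raw_headers)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def _host(h):
    return h.strip("[]").lower() if h else None


def hosts_agree(from_host, by_host):
    """True when the newer hop's 'from' names the host the older hop claims to be."""
    a, b = _host(from_host), _host(by_host)
    if not a or not b:
        return True                                      # nothing to compare; no alarm
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def audit_chain(hops, max_skew=timedelta(minutes=5)):
    """Flag every hop whose claims contradict the hop that received from it."""
    findings = []
    for i in range(len(hops) - 1):
        newer, older = hops[i], hops[i + 1]
        if not hosts_agree(newer["from"], older["by"]):
            findings.append({"hop": i + 1, "reason": (
                f"host mismatch: hop {i} received from {newer['from']} "
                f"but hop {i + 1} claims it was handled by {older['by']}")})
        # An older hop stamped well after the newer one cannot be real.
        if newer["time"] and older["time"] and older["time"] - newer["time"] > max_skew:
            findings.append({"hop": i + 1, "reason": (
                f"time mismatch: hop {i + 1} is stamped "
                f"{older['time'] - newer['time']} after hop {i}")})
    return findings


def likely_origin(hops, findings):
    """'from' host of the last hop before the chain breaks (last hop if it never breaks)."""
    first_bad = min((f["hop"] for f in findings), default=len(hops))
    if first_bad == 0:
        return None
    return _host(hops[first_bad - 1]["from"])


if __name__ == "__main__":
    hops = extract_hops(RAW_HEADERS)
    for i, h in enumerate(hops):
        print(f"hop {i}: from {h['from']} by {h['by']} at {h['time']}")
    findings = audit_chain(hops)
    for f in findings:
        print("SUSPECT", f)
    print("likely origin:", likely_origin(hops, findings))
```

On the quoted headers the bottom Received line fails both checks: barium says it took the message from 221.133.163.182, not from the mxlogic host the forged line names as its relay, and the forged line's -0900 stamp places it about nine hours after barium's receipt. The origin the script reports is therefore the 221.133.163.182 hop, the same conclusion as above. Only the hops written by your own servers are trustworthy, so in practice you stop walking at the first break rather than read anything below it.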