[mdlug] Question on Spam

Aaron Kulkis akulkis3 at HotPOP.com
Wed Sep 5 01:28:10 EDT 2007


Carl T. Miller wrote:
> A. Kalten wrote:
>> Quite frequently I receive spam that seems to originate from
>> bona fide IP addresses that would not likely be in the spamming
>> business.  For example, just today I noticed a spam message with
>> both the "From:" and "Reply-to:" fields containing abacus21.com,
>> which is a legitimate business located in Buffalo, NY, serving the
>> hospitality industry.  Of course, these fields can be spoofed, but
>> the complete header does show the message as originating at
>> abacus21.com:
> 
> Not really.  The only header that you can believe is the
> first Received header.  If it says it came from a server
> you can trust, you can then believe the next Received
> header.  Keep doing this until you come to the first
> server you don't know or trust.  Notice that means you
> can't trust the Return-Path, To, From or Reply-To
> headers, unless you trust every Received header.
> 
>> Return-Path: <a-8 at abacus21.com>
>> Received: from barium.ypsi.provide.net (root at localhost)
>> 	by xxxxxxxxxxx.xxx (8.12.11/8.12.11) with ESMTP id l678eaDn013984
>> 	for <info at xxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:36 -0400
>> X-ClientAddr: 221.133.163.182
>> Received: from [221.133.163.182] ([221.133.163.182])
>> 	by barium.ypsi.provide.net (8.12.11.20060308/8.12.11) with ESMTP id
>> l678eWWn013906
>> 	for <info at xxxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:33 -0400
>> Received: from [221.133.163.182] by abacus21.com.inbound20.mxlogic.net;
>> Sat, 7 Jul 2007 08:40:35 -0900
> 
> Let's look at your headers.  The first Received shows
> that xxxxxxxxxxxx.xxx (this must be your mail server)
> received it from barium.ypsi.provide.net.  We can likely
> trust them, since they are likely your ISP.  The second
> header says it came from 221.133.163.182.  Since we don't
> know who that is and they don't have a hostname associated
> with that address, we can't trust anything else in this
> message to be accurate.  Thus we don't know whether or
> not it did come from abacus21.com.
> 
>> The host command indicates that the originating address is definitely
>> abacus21.com:
>>
>> [/]# host abacus21.com
>> abacus21.com mail is handled by 20 abacus21.com.inbound20.mxlogic.net.
>> abacus21.com mail is handled by 20 abacus21.com.inbound20.mxlogicmx.net.
>> abacus21.com mail is handled by 30 abacus21.com.inbound30.mxlogic.net.
>> abacus21.com mail is handled by 30 abacus21.com.inbound30.mxlogicmx.net.
>> abacus21.com mail is handled by 10 abacus21.com.inbound10.mxlogic.net.
>> abacus21.com mail is handled by 10 abacus21.com.inbound10.mxlogicmx.net.
> 
> All the host command shows is what IP addresses abacus21.com
> uses to accept email.  It doesn't tell us a thing about the
> message you received.
> 
>> Whenever I take the time to check, I can find many other examples
>> of this.  Just last week, I spotted joespools.com, a swimming pool
>> installer from Georgia, as another source of spam.  There have been
>> countless other cases.
>>
>> Is this an example of the fabled Botnet or Zombie operation?  That is,
>> could abacus21.com have been hijacked for the purpose of sending spam?
>> Or is the explanation just a simple matter of abacus21.com being
>> a relay?
> 
> It's most likely from a botnet or zombie.  There's big money
> out there for people who can automate the delivery of spam
> while hiding their identities.

Until they get whacked or arrested.
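The header walk Carl describes, written out as an added Python example (not code from the thread): it parses the Received lines quoted above, most recent hop first, and stops at the first sending host that is not in a trusted list. The trusted list (the anonymized recipient server plus barium.ypsi.provide.net), the unfolded header strings with the list's "at" obfuscation undone, and the function names are assumptions.

```python
import re

# Received headers as quoted in the thread, most recent hop first, with the
# folded continuation lines joined back together.
RECEIVED_HEADERS = [
    "from barium.ypsi.provide.net (root@localhost) by xxxxxxxxxxx.xxx "
    "(8.12.11/8.12.11) with ESMTP id l678eaDn013984 for <info@xxxxxxxxxxx.xxx>; "
    "Sat, 7 Jul 2007 04:40:36 -0400",
    "from [221.133.163.182] ([221.133.163.182]) by barium.ypsi.provide.net "
    "(8.12.11.20060308/8.12.11) with ESMTP id l678eWWn013906 "
    "for <info@xxxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:33 -0400",
    "from [221.133.163.182] by abacus21.com.inbound20.mxlogic.net; "
    "Sat, 7 Jul 2007 08:40:35 -0900",
]

# Assumption: the recipient's own server (anonymized in the thread) and the ISP
# relay are the only hosts whose Received stamps are taken at face value.
OWN_SERVER = "xxxxxxxxxxx.xxx"
TRUSTED_RELAYS = {OWN_SERVER, "barium.ypsi.provide.net"}

HOP_RE = re.compile(r"^from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)


def parse_hop(header):
    """Return (sending_host, receiving_relay) from one Received header, or None."""
    m = HOP_RE.match(header.strip())
    if not m:
        return None
    # Drop IP-literal brackets and trailing punctuation around host names.
    return m.group(1).strip("[]();,"), m.group(2).strip("[]();,")


def walk_chain(headers, trusted, own_server):
    """Top-down walk: a Received stamp is believed only if the relay that wrote
    it is the host trusted in the previous step.  Stops at the first sender not
    in the trusted set; every header below that point is unverifiable."""
    trusted = {h.lower() for h in trusted}
    expected_relay = own_server.lower()
    verified = [expected_relay]
    for i, hdr in enumerate(headers):
        hop = parse_hop(hdr)
        if hop is None or hop[1].lower() != expected_relay:
            # Stamp not written by the relay we expected: the chain breaks here.
            return {"first_untrusted": hop[1].lower() if hop else None,
                    "verified_relays": verified, "unverifiable_headers": len(headers) - i}
        sender = hop[0].lower()
        if sender not in trusted:
            return {"first_untrusted": sender, "verified_relays": verified,
                    "unverifiable_headers": len(headers) - i - 1}
        verified.append(sender)
        expected_relay = sender
    return {"first_untrusted": None, "verified_relays": verified, "unverifiable_headers": 0}
```

On the thread's headers the walk stops at 221.133.163.182, leaving the abacus21.com stamp (and the From/Reply-To fields) unverified, which is exactly Carl's conclusion.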
