[Dshield] question about tracking spam

Ed Truitt ed.truitt at etee2k.net
Tue Nov 26 14:10:02 GMT 2002


My suspicion is that it is a "forged" Received: header.  In fact, the only
"Received:" header I would trust is the first one (though the second one may
be legit, too).  All the others, from what I can tell, are faked, put in
there to help the spammer avoid detection.

FYI, the IP address in the first Received: header (which claims to be
"comcast.net"), appears (from traceroute) to be an IP assigned to
cybertrails.com, an ISP based out of Phoenix AZ.  It may be running an open
HTTP or SMTP relay.  Also, notice the time stamp on that line - it is
showing -0700 (MST), rather than -0500 (EST), which you folks should be
using (unless you have a site out West.)

HTH.
Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."

----- Original Message -----
From: "Cruz, Dan" <Dan_Cruz at eu.odedodea.edu>
To: "Dshield (E-mail)" <list at dshield.org>
Sent: Tuesday, November 26, 2002 3:17 AM
Subject: [Dshield] question about tracking spam


> First and foremost, I want to say what a help watching this list has been.
> People here are extremely helpful with dispensing knowledge and assistance.
> [OK, now that I am done kissing up :>)  ]
>
> I could use some assistance. The following was brought to my attention
> because one of our IP addresses (xxx.xxx.186.79 in red below) was in the
> header information. The problem is, although the block is within our range,
> it has never been used (to the best of our knowledge), and has been ours for
> a few years. We have no networks using the affected IP blocks on-line. In
> trying to figure out the received path I get totally lost. I am trying to
> figure out how our IP address got into the mix, thus resulting in an email
> to us (although NOT to abuse at eu.odedodea.edu, since it is nonexistent).
>
> In other words I am going around in circles here!!!  Any suggestions or
> comments?
>
> Dan
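A Received: chain check in the spirit of Ed's advice, added here as an example and not code from the thread or from anyone on it: it reads the headers top-down, vouches only for hops stamped by our own MTAs, and flags the tells mentioned above (a HELO name not confirmed by reverse DNS, a chain whose hops do not link up, a timestamp carrying the wrong zone offset). The hostnames, addresses, dates and site offset are constructed assumptions, not values from Dan's message.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers (not the message from the thread), newest first as
# each MTA prepends its own. Our hosts wrote the top two; the rest is hearsay.
SAMPLE = (
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
    "\tby mx.example.edu with ESMTP; Tue, 26 Nov 2002 08:17:00 -0500\n"
    "Received: from comcast.net (unknown [198.51.100.7])\n"
    "\tby mail.example.org with SMTP; Tue, 26 Nov 2002 06:12:00 -0700\n"
    "Received: from relay.example.net (relay.example.net [203.0.113.5])\n"
    "\tby smtp.comcast.net with SMTP; Tue, 26 Nov 2002 14:30:00 +0000\n"
    "Received: from user-pc by relay.example.net; Mon, 25 Nov 2002 23:00:00 -0500\n"
    "Subject: test\n\nbody\n"
)
OUR_HOSTS = {"mx.example.edu", "mail.example.org"}  # assumed: our own MTAs
OUR_OFFSET = timedelta(hours=-5)                     # assumed: site runs on EST
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+([^\s;]+)")

def parse_hops(raw_message):
    """One dict per Received: header, most recent hop first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m or ";" not in value:
            continue
        hops.append({"from": m.group(1), "rdns": m.group(2) or "", "by": m.group(3),
                     "when": parsedate_to_datetime(value.rsplit(";", 1)[1].strip())})
    return hops

def analyze(hops, our_hosts=OUR_HOSTS, our_offset=OUR_OFFSET):
    """Walk top-down; return (hops we can vouch for, list of findings)."""
    findings, trusted = [], 0
    for i, hop in enumerate(hops):
        if i == trusted and hop["by"] in our_hosts:
            trusted += 1  # our own MTA stamped this line, so we can believe it
        if hop["by"] in our_hosts and hop["when"].utcoffset() != our_offset:
            findings.append(f"hop {i}: our host {hop['by']} stamped {hop['when']:%z}, not the site offset")
        if hop["rdns"].startswith("unknown") or (hop["rdns"] and not hop["rdns"].startswith(hop["from"])):
            findings.append(f"hop {i}: HELO name {hop['from']!r} not confirmed by reverse DNS ({hop['rdns']})")
        if i + 1 < len(hops):
            below = hops[i + 1]
            if below["by"] != hop["from"]:
                findings.append(f"hop {i}: claims {hop['from']!r} but the hop below was stamped by {below['by']!r}; chain below is unverifiable")
            if below["when"] > hop["when"]:
                findings.append(f"hop {i + 1}: timestamp later than the hop above it")
    return trusted, findings
```

Everything below the last hop our own MTA stamped is only as trustworthy as the sender that wrote it, which is why the chain check stops vouching once the `from`/`by` hand-off no longer lines up.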



