[Dshield] This is a bit scary

David Hart hart401 at TQMcube.com
Wed Jul 30 20:52:17 GMT 2003


On Wed, 2003-07-30 at 16:02, John Sage wrote:

> Remember that the "To: " line is utterly untrustworthy: it can be
> spoofed by the spammer, as can most any other line that is *not*
> inserted by the MTA of a host somewhere in transit between origin to
> destination.
> 
> Ditto: "Cc: ", "Bcc: ", "From: " etc etc etc...
> 
> In fact, I'd say that it's more the rule to see a bogus "To: " line
> than an accurate one :-/
> 
I know, but that's not the issue. Something is happening to literally
rewrite the "to" line between EHLO and Disconnect.

The spammer is sending mail to dupape at bellatlantic.net (Verizon)
Verizon relays to dupape at tqmcube.com
The mail's "to" line reads "everyone at tqmcube.com."

That requires one of three conditions:

1. It's coincidental.

2. The spammer knows that the mail is destined for TQMcube.com. If
that's the case then why bother to send it via Verizon in the first
place?

3. The spammer's MTA has a means of altering the "To:" line to coincide
with the recipient machine's actual domain.

Assuming option three, that means that the spammer can alter a document
that is already on my machine.
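The point John makes above, that the To: line is sender-controlled while the Received: line stamped by your own MTA is not, can be checked mechanically. The following is an added example, not code from anyone in this thread: it parses a constructed message (the addresses, hostnames and IPs are made up) and compares the envelope recipient recorded in the local MTA's "for <...>" clause against whatever the To:/Cc: headers claim. The assumption is that the topmost Received: header was added by the receiving MTA, so only that one is trusted.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message: a relayed spam whose To: header names an address
# that is not the one the mail was actually delivered to.
RAW_MESSAGE = (
    "Received: from relay.isp.example (relay.isp.example [192.0.2.10])\n"
    "\tby mx.recipient.example (Postfix) with ESMTP id 0123456789\n"
    "\tfor <user@recipient.example>; Wed, 30 Jul 2003 16:02:00 -0400\n"
    "Received: from unknown (HELO pc.spammer.example) (203.0.113.5)\n"
    "\tby relay.isp.example with SMTP; Wed, 30 Jul 2003 15:59:00 -0400\n"
    "From: \"Friend\" <friend@example.invalid>\n"
    "To: everyone@recipient.example\n"
    "Subject: hello\n"
    "\n"
    "body text\n"
)

# Matches the "for <addr>" clause an MTA writes into its Received: header.
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)


def header_recipients(msg):
    """Addresses claimed in To:/Cc:. These are written by the sender and can say anything."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in addrs if addr})


def received_recipient(msg):
    """Envelope recipient (RCPT TO) as recorded by our own MTA.

    Received: headers are prepended at each hop, so index 0 is the line added
    by the last MTA, i.e. the receiving machine. Lines below it came in with
    the message and could have been forged by the sender.
    """
    received = msg.get_all("Received", [])
    if not received:
        return None
    local_hop = " ".join(received[0].split())  # unfold continuation lines
    match = FOR_CLAUSE.search(local_hop)
    return match.group(1).lower() if match else None


def check_recipient_mismatch(raw):
    """Flag messages whose To:/Cc: headers do not contain the real envelope recipient."""
    msg = message_from_string(raw)
    envelope = received_recipient(msg)
    claimed = header_recipients(msg)
    return {
        "envelope_rcpt": envelope,
        "header_rcpts": claimed,
        "mismatch": envelope is not None and envelope not in claimed,
    }


if __name__ == "__main__":
    result = check_recipient_mismatch(RAW_MESSAGE)
    print(f"delivered to : {result['envelope_rcpt']}")
    print(f"To:/Cc: claim: {', '.join(result['header_rcpts']) or '(none)'}")
    print("header/envelope mismatch" if result["mismatch"] else "headers consistent")
```

For the sample above the envelope recipient is `user@recipient.example` while the header claims `everyone@recipient.example`, so the check reports a mismatch. In a mail filter this is a useful signal, not proof of anything by itself: legitimate mailing lists and Bcc: delivery produce the same mismatch.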