[Dshield] Have spammers managed to forge the first received lines?

JD lists at webcrunchers.com
Sun Feb 1 15:01:50 GMT 2004


I've been getting some spam from these IP addresses. The Whois lookups fail, because these addresses are not assigned anywhere, or the database says "Unassigned".


None of these are pingable, and are perhaps "dead" IP addresses, which is quite troubling, because this indicates either that spammers have figured out how to forge the first received line in the header, OR have somehow managed to program the upstream routers to "steal" these IP addresses, and are only activating them during their spam binges.

Is there anyone who can shed some light on this? Has anyone gotten these addresses in their IDS or mail logs? If so, inquiring minds want to know.

John
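One way to check the forgery hypothesis raised above, as an added example that is not part of the original post: walk the Received chain newest-first and treat a hop as verifiable only while every relay that stamped it is one you operate, since any Received line below the first untrusted relay arrived inside the message and could say anything. The headers, relay names and addresses below are constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional

class Hop(NamedTuple):
    from_host: str
    from_ip: str
    by_host: str
    verifiable: bool

# Constructed sample (not from the original post). Received lines are
# newest-first, because each MTA prepends its own line on delivery.
SAMPLE_HEADERS = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.example.net with ESMTP; Sun, 1 Feb 2004 14:59:01 +0000\n"
    "Received: from relay.example.org (unknown [203.0.113.5])\n"
    "\tby mx.example.net with SMTP; Sun, 1 Feb 2004 14:58:50 +0000\n"
    "Received: from pc.example.com ([198.51.100.7])\n"
    "\tby relay.example.org with SMTP; Sun, 1 Feb 2004 14:58:40 +0000\n"
)

# Hypothetical: the MTAs we run; only the lines they stamp are trustworthy.
TRUSTED_RELAYS = {"mail.example.net", "mx.example.net"}

_RECEIVED = re.compile(
    r"^Received:\s*from\s+(?P<host>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r".*?\bby\s+(?P<by>\S+)", re.I)

def unfold(raw: str) -> List[str]:
    """Join RFC 822 continuation lines (leading whitespace) into logical lines."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_hops(raw: str, trusted: set) -> List[Hop]:
    """Hops newest-first; once an untrusted relay stamped a line, that line
    and every older one were supplied by the sender and cannot be verified."""
    hops: List[Hop] = []
    chain_trusted = True
    for line in unfold(raw):
        m = _RECEIVED.match(line)
        if not m:
            continue
        if m["by"].lower() not in trusted:
            chain_trusted = False
        hops.append(Hop(m["host"], m["ip"], m["by"], chain_trusted))
    return hops

def true_source_ip(raw: str, trusted: set) -> Optional[str]:
    """The IP that actually connected to our outermost trusted relay."""
    verified = [h for h in parse_hops(raw, trusted) if h.verifiable]
    return verified[-1].from_ip if verified else None
```

In the sample the third line names 198.51.100.7, but the only address a log or IDS correlation can rely on is 203.0.113.5, the client that really connected to mx.example.net.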
