[Dshield] Have spammers managed to forge the first received lines?

David Hart DavidHart at TQMcube.com
Sun Feb 1 15:15:11 GMT 2004


On Sun, 2004-02-01 at 10:01, JD wrote:
> I've been getting some spam from these IP addresses. The Whois lookups
> fail, because these addresses are not assigned anywhere, or the database
> says "Unassigned".

Could you post a header?
> 
> None of these are pingable, and are perhaps "dead" IP addresses, which is
> quite troubling, because this indicates either that spammers have figured out
> how to forge the first received line in the header, OR have somehow managed
> to program the upstream routers to "steal" these IP addresses, and are only
> activating them during their spam binges.
>
> Is there anyone who can shed some light on this? Has anyone gotten these addresses
> in their IDS or mail logs? If so, inquiring minds want to know.
> 
> John
                               ---------
            Quality Management - A Commitment to Excellence