[Dshield] Have spammers managed to forge the first received lines?

JD lists at webcrunchers.com
Sun Feb 1 21:50:03 GMT 2004


On Feb 1, 2004, at 7:15 AM, David Hart wrote:

> On Sun, 2004-02-01 at 10:01, JD wrote:
>> I've been getting some spam from these IP addresses.  The Whois lookups
>> fail, because these addresses are not assigned anywhere, or the database
>> says "Unassigned".
>
> Could you post a header?

Sure...

------  The entire message - it is small ------
 From Brettenqi at shoppersville.net Fri Jan 16 06:16:46 2004
Return-Path: <Brettenqi at shoppersville.net>
Received: from uvttgk (smtpout-2-63.shoppersville.net [157.156.162.63])
	by mail.host.net (8.12.9/8.12.9) with SMTP id h4K4jEI5007488
	for <crunch at host.net>; Tue, 20 May 2003 00:45:17 -0400
From: Odilia <Brettenqi at shoppersville.net>
To: <crunch at host.net>
Subject: Discount Viagra
Date: Mon, 19 May 2003 23:51:54 -0400
Mime-Version: 1.0
Content-Type: text/html
Message-Id: <ju3fjrBr071Afi1 at shoppersville.net>
X-UIDL: &Up!!0-1!!%>1"!3c1"!
Status: U

<html>
<body>
<br>
<center>
<img src="http://ju3fjrzbr071zafzi1.shoppersville.net/image.asp?cmpid=vigrex-100.gif&dvn=J2_mJ)x)693wm13" width="0" height="0">
<br>
<a href="http://ju3fjrzbr071zafzi1.shoppersville.net/ctrack.asp?cmpid=vigrex-100&cvn=,An8,$i$s=308F3">
<img src="http://ju3fjrzbr071zafzi1.stop-and-shop.net/vigrex-100.gif" border="0"></a>
<br>
<br>
<a href="http://ju3fjrzbr071zafzi1.shoppersville.net/remove/remove.asp">
<img src="http://ju3fjrzbr071zafzi1.stop-and-shop.net/unsub.gif" border="0"></a>
</center>
</body>
</html>

-------- here is one more --------

 From Ailenece at online-shop-exchange.com Fri Jan 16 06:18:17 2004
Return-Path: <Ailenece at online-shop-exchange.com>
Received: from hdcons (smtpout-3-201.online-shop-exchange.com [157.156.163.201])
	by mail.host.net (8.12.9/8.12.9) with SMTP id h4Q1nNvR002867
	for <crunch at host.net>; Sun, 25 May 2003 21:49:30 -0400
From: Zora <Ailenece at online-shop-exchange.com>
To: <crunch at host.net>
Subject: Try this, it might help
Date: Sun, 25 May 2003 20:55:39 -0400
Mime-Version: 1.0
Content-Type: text/html
Message-Id: <ju3fjrBr071Afi1 at online-shop-exchange.com>
X-UIDL: a3J!!;a(!!b:H"!'#d"!
Status: U

<html>
<body>
<br>
<center>
<img src="http://ju3fjrzbr071zafzi1.online-shop-exchange.com/image.asp?cmpid=vigrex-106.gif&dvn=J2_mJ)x)693wm13" width="0" height="0">
<br>
<a href="http://ju3fjrzbr071zafzi1.online-shop-exchange.com/ctrack.asp?cmpid=vigrex-106&cvn=,An8,$i$s=308F3">
<img src="http://ju3fjrzbr071zafzi1.stop-and-shop.net/vigrex-106.gif" border="0"></a>
<br>
<br>
<a href="http://ju3fjrzbr071zafzi1.online-shop-exchange.com/remove/remove.asp">
<img src="http://ju3fjrzbr071zafzi1.stop-and-shop.net/unsub.gif" border="0"></a>
</center>
</body>
</html>

notice the similarities?

what do you think?   Spoof?   Or Hijack?

$ whois 157.156.163.201

No match found for 157.156.163.201.

# ARIN WHOIS database, last updated 2004-01-31 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

No other registry has it.  I've heard it was possible to "assign" your own
IP address if you had access to the routers.

JD
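One way to work through the question in the post, as an added example that is not code from the original message: parse the topmost Received: line of each quoted message and run the cheap checks a mail admin would do before reaching for whois. The headers of the two messages above are embedded as sample input (bodies dropped; the list archive writes "@" as " at "). The assumption is that mail.host.net itself is trusted: the bracketed IP on the first Received: line is the address its sendmail accepted the TCP connection from, so the sender cannot forge it, though the block that address sits in can be announced by someone who does not own it (the router access JD mentions). Everything below that line, and every other header, is sender-supplied. The reserved-range list, the finding codes and the one-day clock-skew threshold are this example's own choices.

```python
"""Check the topmost Received: line of a message for signs of forgery."""
import ipaddress
import re
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers of the two messages quoted in the post (bodies dropped; the
# archive writes "@" as " at ").  Sample input, copied from the post.
SPAM_1 = """From Brettenqi at shoppersville.net Fri Jan 16 06:16:46 2004
Return-Path: <Brettenqi at shoppersville.net>
Received: from uvttgk (smtpout-2-63.shoppersville.net [157.156.162.63])
\tby mail.host.net (8.12.9/8.12.9) with SMTP id h4K4jEI5007488
\tfor <crunch at host.net>; Tue, 20 May 2003 00:45:17 -0400
From: Odilia <Brettenqi at shoppersville.net>
Message-Id: <ju3fjrBr071Afi1 at shoppersville.net>

"""
SPAM_2 = """From Ailenece at online-shop-exchange.com Fri Jan 16 06:18:17 2004
Return-Path: <Ailenece at online-shop-exchange.com>
Received: from hdcons (smtpout-3-201.online-shop-exchange.com [157.156.163.201])
\tby mail.host.net (8.12.9/8.12.9) with SMTP id h4Q1nNvR002867
\tfor <crunch at host.net>; Sun, 25 May 2003 21:49:30 -0400
From: Zora <Ailenece at online-shop-exchange.com>
Message-Id: <ju3fjrBr071Afi1 at online-shop-exchange.com>

"""

# Space that can never legitimately originate public SMTP traffic.  Space that
# is public but unallocated (the post's case) needs a registry lookup instead.
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# sendmail's layout: "from HELO (PTR [IP]) by HOST ... ; DATE"
RECEIVED_RE = re.compile(
    r"from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[\d.]+)\]\) "
    r"by (?P<by>\S+) .*?; (?P<date>.+)$")


def split_mbox(raw):
    """Return (delivery timestamp, parsed headers) of one mbox message."""
    from_line, _, rest = raw.lstrip("\n").partition("\n")
    # The local delivery agent wrote the asctime() stamp at the end of the
    # "From " separator; it is in the MTA's local time, no zone recorded.
    stamp = " ".join(from_line.split()[-5:])
    return datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"), message_from_string(rest)


def first_hop(msg):
    """Parse the topmost Received: line, the only one our own MTA wrote."""
    hops = msg.get_all("Received") or []
    m = hops and RECEIVED_RE.match(re.sub(r"\s+", " ", hops[0]).strip())
    if not m:
        return None
    hop = m.groupdict()
    hop["stamp"] = parsedate_to_datetime(hop["date"])
    return hop


def check(raw, max_skew_days=1):
    """Return (hop, findings).  Findings are short codes, one per problem."""
    delivered, msg = split_mbox(raw)
    hop = first_hop(msg)
    if hop is None:
        return None, ["no-received"]
    findings = []
    ip = ipaddress.ip_address(hop["ip"])
    if any(ip in net for net in RESERVED):
        findings.append("reserved-ip")
    # The client chose the HELO name; a bare token is a spam-engine habit.
    if "." not in hop["helo"]:
        findings.append("dotless-helo")
    # The PTR name comes from the IP's reverse zone; whoever controls (or
    # hijacked) the block controls that too, so only a name that does not
    # even match the envelope domain is a certain red flag.
    sender = msg.get("Return-Path", "").strip("<> ").replace(" at ", "@")
    domain = sender.rpartition("@")[2]
    if domain and not hop["rdns"].endswith("." + domain):
        findings.append("ptr-domain-mismatch")
    # Our MTA stamped the Received: date and the delivery agent stamped the
    # "From " line minutes later; treat the latter as being in the MTA's zone.
    skew = abs(delivered.replace(tzinfo=hop["stamp"].tzinfo) - hop["stamp"])
    if skew.days > max_skew_days:
        findings.append("date-skew")
    return hop, findings


def shared_message_id(*raws):
    """Local part of Message-Id if every message reuses the same one."""
    ids = {split_mbox(r)[1].get("Message-Id", "").strip("<> ")
           .replace(" at ", "@").partition("@")[0] for r in raws}
    return ids.pop() if len(ids) == 1 else None


if __name__ == "__main__":
    for raw in (SPAM_1, SPAM_2):
        hop, findings = check(raw)
        print(hop["ip"], hop["helo"], hop["rdns"], findings)
    print("shared Message-Id token:", shared_message_id(SPAM_1, SPAM_2))
```

On the two quoted messages this flags the dotless HELO names and a Received: date eight months before the mbox delivery time, and shows both messages carrying the same Message-Id local part under two different domains; the IPs and PTR names it extracts are what you then take to whois. Neither finding decides between "spoof" and "hijack": the connecting IP is real as far as the receiving sendmail is concerned, and whether it was routed legitimately is a registry and routing question, not a header question.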