[Dshield] Have spammers managed to forge the first received lines?

Doug White doug at clickdoug.com
Sun Feb 1 22:34:08 GMT 2004


 please standby. Looking up many dnsbl services now ...
157.156.162.63 YES LISTED BY sorbs.dnsbl.net.au  --> see http://dnsbl.sorbs.net/
157.156.162.63 YES LISTED BY dnsbl.njabl.org  --> see http://dnsbl.njabl.org/
157.156.162.63 YES LISTED BY t1.dnsbl.net.au  --> see http://dnsbl.net.au/t1/

BAD .... Listed on : 3 dnsbl services

======================================
Stop spam on your domain, Anti-spam solutions
http://www.clickdoug.com/mailfilter.cfm
For hosting solutions http://www.clickdoug.com
======================================
Aspire to Inspire before you Retire or Expire!


----- Original Message ----- 
From: "JD" <lists at webcrunchers.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Sunday, February 01, 2004 3:50 PM
Subject: Re: [Dshield] Have spammers managed to forge the first received lines?


:
: On Feb 1, 2004, at 7:15 AM, David Hart wrote:
:
: > On Sun, 2004-02-01 at 10:01, JD wrote:
: >> I've been getting some spam from these IP addresses. The Whois lookups
: >> fail, because these addresses are not assigned anywhere, or the database
: >> says "Unassigned".
: >
: > Could you post a header?
:
: Sure...
:
: ------  The entire message - it is small ------
:  From Brettenqi at shoppersville.net Fri Jan 16 06:16:46 2004
: Return-Path: <Brettenqi at shoppersville.net>
: Received: from uvttgk (smtpout-2-63.shoppersville.net [157.156.162.63])
: by mail.host.net (8.12.9/8.12.9) with SMTP id h4K4jEI5007488
: for <crunch at host.net>; Tue, 20 May 2003 00:45:17 -0400
: From: Odilia <Brettenqi at shoppersville.net>
: To: <crunch at host.net>
: Subject: Discount Viagra
: Date: Mon, 19 May 2003 23:51:54 -0400
: Mime-Version: 1.0
: Content-Type: text/html
: Message-Id: <ju3fjrBr071Afi1 at shoppersville.net>
: X-UIDL: &Up!!0-1!!%>1"!3c1"!
: Status: U
:
: <html>
: <body>
: <br>
: <center>
: <img
: src="http://ju3fjrzbr071zafzi1.shoppersville.net/image.asp?
: cmpid=vigrex-100.gif&dvn=J2_mJ)x)693wm13" width="0" height="0">
: <br>
: <a
: href="http://ju3fjrzbr071zafzi1.shoppersville.net/ctrack.asp?
: cmpid=vigrex-100&cvn=,An8,$i$s=308F3">
: <img src="http://ju3fjrzbr071zafzi1.stop-and-shop.net/vigrex-100.gif"
: border="0"></a>
: <br>
: <br>
: <a href="http://ju3fjrzbr071zafzi1.shoppersville.net/remove/remove.asp">
: <img src="http://ju3fjrzbr071zafzi1.stop-and-shop.net/unsub.gif"
: border="0"></a>
: </center>
: </body>
: </html>
:
: -------- here is one more --------
:
:  From Ailenece at online-shop-exchange.com Fri Jan 16 06:18:17 2004
: Return-Path: <Ailenece at online-shop-exchange.com>
: Received: from hdcons (smtpout-3-201.online-shop-exchange.com
: [157.156.163.201])
: by mail.host.net (8.12.9/8.12.9) with SMTP id h4Q1nNvR002867
: for <crunch at host.net>; Sun, 25 May 2003 21:49:30 -0400
: From: Zora <Ailenece at online-shop-exchange.com>
: To: <crunch at host.net>
: Subject: Try this, it might help
: Date: Sun, 25 May 2003 20:55:39 -0400
: Mime-Version: 1.0
: Content-Type: text/html
: Message-Id: <ju3fjrBr071Afi1 at online-shop-exchange.com>
: X-UIDL: a3J!!;a(!!b:H"!'#d"!
: Status: U
:
: <html>
: <body>
: <br>
: <center>
: <img
: src="http://ju3fjrzbr071zafzi1.online-shop-exchange.com/image.asp?
: cmpid=vigrex-106.gif&dvn=J2_mJ)x)693wm13" width="0" height="0">
: <br>
: <a
: href="http://ju3fjrzbr071zafzi1.online-shop-exchange.com/ctrack.asp?
: cmpid=vigrex-106&cvn=,An8,$i$s=308F3">
: <img src="http://ju3fjrzbr071zafzi1.stop-and-shop.net/vigrex-106.gif"
: border="0"></a>
: <br>
: <br>
: <a
: href="http://ju3fjrzbr071zafzi1.online-shop-exchange.com/remove/
: remove.asp">
: <img src="http://ju3fjrzbr071zafzi1.stop-and-shop.net/unsub.gif"
: border="0"></a>
: </center>
: </body>
: </html>
:
: Notice the similarities?
:
: What do you think? Spoof? Or hijack?
:
: $ whois 157.156.163.201
:
: No match found for 157.156.163.201.
:
: # ARIN WHOIS database, last updated 2004-01-31 19:15
: # Enter ? for additional hints on searching ARIN's WHOIS database.
:
: No other registry has it. I've heard it was possible to "assign" your own
: IP address if you had access to the routers.
:
: JD
:
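An added example, not part of either post: it splits the sendmail-style Received line that mail.host.net wrote into the name the client gave in HELO and the reverse-DNS name and peer address the receiving server recorded itself, then builds the DNSBL query names for the three zones in the lookup output above. The function names and the injectable `resolve` parameter are this example's own assumptions.

```python
import re
import socket

# Zones taken from the lookup output at the top of this post.
ZONES = ["sorbs.dnsbl.net.au", "dnsbl.njabl.org", "t1.dnsbl.net.au"]

# Sendmail-style trace line: "from HELO (rdns [ip]) by receiver ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(?P<by>\S+)")

def parse_received(value):
    """Return the client-supplied HELO name, the reverse-DNS name and peer IP
    recorded by the receiving MTA, and the receiver's own name (or None)."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold wrapped lines
    return m.groupdict() if m else None

def dnsbl_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def listed_on(ip, zones=ZONES, resolve=socket.gethostbyname):
    """Return the zones in which the query name resolves (listed)."""
    hits = []
    for zone in zones:
        try:
            resolve(dnsbl_name(ip, zone))
            hits.append(zone)
        except OSError:  # socket.gaierror (no such name) is a subclass
            pass
    return hits

# Received line of the first message quoted in the post, copied as archived.
SAMPLE = """from uvttgk (smtpout-2-63.shoppersville.net [157.156.162.63])
 by mail.host.net (8.12.9/8.12.9) with SMTP id h4K4jEI5007488
 for <crunch at host.net>; Tue, 20 May 2003 00:45:17 -0400"""

if __name__ == "__main__":
    hop = parse_received(SAMPLE)
    print(hop)
    # Live DNS lookup; the answer depends on each list's current state.
    print(listed_on(hop["ip"]))
```

Only the bracketed address comes from the TCP connection the receiving server saw; the HELO name is whatever the sending client typed.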