[Dshield] Spam and spoofing my from address

Mike Easter mike.easter at gmail.com
Wed Aug 10 04:07:09 GMT 2005

Tony Earnshaw wrote:
> Andy Brown:

>> Examining the bounce it showed that the message was spam, using my
>> address as the FROM address (nothing spectacular so far really).
>> I looked closer, and they're being more clever than that, they're
>> actually spoofing my server headers also, as the headers show my
>> server name, IP address, etc as a legitimate email would.
> There's NO WAY they could falsify the track (Received: headers) to
> your node. No way. It's in your headers.

A spammer can put any kind of Received line s/he likes into the headers
before injecting or transmitting.

Bogus header elements, including bogus Received or trace lines, are
'normal' in spam.  It is usually pretty easy to parse the headers and
chain from the legitimate headers down to the first sign of bogosity and
spot or discern the bogus headers/Received lines.

>> Now that's not that difficult to do, I know, just grab MX records,
>> etc, etc but the problem I've got is that some VERY dumb sysadmins
>> out there are now mailing my postmaster account saying stop sending
>> or they'll contact my upstream and have me cut-off.
>> Luckily my upstream is myself! and the upstream from that is via
>> business contacts, so very little chance they'd get me cut-off, but
>> what I'm worried about is getting blacklisted, etc, etc.
>> Does anyone have similar experiences, and have any suggestions on
>> how to combat this problem?

In the first place, regarding the bounces.  Misdirected bounces are
reportable to a blocklist, spamcops.  Misdirected bouncers are
problematic and should be reconfigured.

In the other place, the business of properly parsing headers and
determining the source is generally accomplishable.  Mistaking the
source because of forged header lines is usually an avoidable problem.

>> I'm starting to get upwards of 500+ bounces a day now, so the spammer
>> out there is really sending them through at some rate.
>> I can paste headers, etc to anyone who thinks they can shed light or
>> provide possible answers (it's not the email addresses I use here)!
> Send me some examples off list, I'll get back on list later. Include
> something of what's genuine and what you reckon is forged.

I don't mind receiving a spam from someone if it is properly emailed by
forwarding it as an attachment, which will retain the original structure
intact.  Maybe Tony and I will have the same opinion as to its source.

Mike Easter
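The header-chaining Mike describes above (walk the Received: lines from the newest one down and stop at the first that the hop above cannot vouch for), as an added example that is not part of the original thread or of any tool the posters used. It assumes Postfix/Sendmail-style Received: lines of the form "from HELO (rDNS [IP]) by HOST ...", where a trusted MTA writes "unknown" when the peer has no forward-confirmed reverse DNS. The two messages, the hostnames (mx.thirdparty.example, mail.example.org, client.example.org) and the IP addresses are constructed for the example and are not from the thread.

```python
"""Walk a Received: chain top-down and stop at the first line that the
trusted hop above it does not vouch for."""
import email
import re

# Postfix/Sendmail-style hop: "from HELO (rDNS [IP]) by HOST ..."
HOP_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<paren>[^)]*)\))?"
    r"\s+by\s+(?P<by>[^\s;(]+)",
    re.IGNORECASE,
)
PAREN_RE = re.compile(r"(?P<rdns>\S+)?\s*\[(?P<ip>[0-9.]+)\]")

# Constructed sample (not a real bounce): what a third-party MTA saw.
# Only the top line is its own; the two below were injected by the
# spammer to make the mail look as if it had passed through the
# victim's server mail.example.org.
FORGED_MESSAGE = """\
Received: from mail.example.org (unknown [203.0.113.77])
    by mx.thirdparty.example (Postfix) with SMTP id 9Z8Y7X
    for <someone@thirdparty.example>; Wed, 10 Aug 2005 03:54:58 +0000
Received: from mail.example.org (mail.example.org [198.51.100.5])
    by mail.example.org (Postfix) with ESMTP id DEADBEEF;
    Wed, 10 Aug 2005 03:50:00 +0000
Received: from client.example.org (client.example.org [198.51.100.20])
    by mail.example.org (Postfix) with ESMTP id 4D5E6F;
    Wed, 10 Aug 2005 03:49:00 +0000
From: andy@example.org
To: someone@thirdparty.example
Subject: constructed sample

body
"""

# Constructed sample of a genuine delivery through the same hosts.
GENUINE_MESSAGE = """\
Received: from mail.example.org (mail.example.org [198.51.100.5])
    by mx.thirdparty.example (Postfix) with ESMTP id 1A2B3C
    for <someone@thirdparty.example>; Wed, 10 Aug 2005 03:54:58 +0000
Received: from client.example.org (client.example.org [198.51.100.20])
    by mail.example.org (Postfix) with ESMTP id 4D5E6F;
    Wed, 10 Aug 2005 03:49:00 +0000
From: andy@example.org
To: someone@thirdparty.example
Subject: constructed sample

body
"""


def parse_received(raw_message: str) -> list:
    """Return one dict per Received: line, newest (topmost) first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received") or []:
        text = " ".join(value.split())  # unfold continuation lines
        hop = {"raw": text, "helo": None, "rdns": None, "ip": None, "by": None}
        m = HOP_RE.search(text)
        if m:
            hop["helo"] = m.group("helo").lower()
            hop["by"] = m.group("by").lower()
            pm = PAREN_RE.search(m.group("paren") or "")
            if pm:
                hop["ip"] = pm.group("ip")
                hop["rdns"] = (pm.group("rdns") or "").lower() or None
        hops.append(hop)
    return hops


def find_origin(hops: list, our_mta: str) -> dict:
    """Trust the top hop (written by our own MTA), then extend trust one
    hop at a time: hop i is trusted only if the hop above it recorded a
    forward-confirmed rDNS name for its peer and that name is the host
    hop i claims it was received 'by'. The first hop that fails that
    test is attacker-supplied, and so is everything below it."""
    if not hops or hops[0]["by"] != our_mta.lower():
        raise ValueError("topmost Received: line was not written by our MTA")
    first_bogus = None
    for i in range(1, len(hops)):
        above, below = hops[i - 1], hops[i]
        vouched = above["rdns"] not in (None, "unknown")
        if not vouched or below["by"] != above["rdns"]:
            first_bogus = i
            break
    last_trusted = hops[first_bogus - 1] if first_bogus is not None else hops[-1]
    return {
        "origin_ip": last_trusted["ip"],       # what to report or block
        "origin_rdns": last_trusted["rdns"],
        "claimed_helo": last_trusted["helo"],  # attacker-chosen string
        "first_bogus_index": first_bogus,      # None if the chain is clean
    }


if __name__ == "__main__":
    for name, raw in (("forged", FORGED_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(name, find_origin(parse_received(raw), "mx.thirdparty.example"))
```

On the forged sample the spammer's HELO string is "mail.example.org", exactly the kind of thing that fooled the complaining sysadmins, but the trusted line records it with "unknown [203.0.113.77]", so the chain breaks at the second Received: line and the only reportable source is 203.0.113.77. The rule depends on the trusted MTA having done a forward-confirmed rDNS lookup; a plain reverse lookup alone could be arranged by whoever controls the sending address block, which is why the IP your own server recorded, not any name, is what goes in the complaint.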

