[unisog] Good spam forgery getting me.

Pete Hickey pete at shadows.uottawa.ca
Thu Dec 16 13:40:00 GMT 2004


Some spammer is forging spam so that it looks like it comes from
me.  Not much new there.  Using my address in the "From:" isn't
much work.

But he is going much farther than that.  He is doing an excellent
job in forging the headers.  (I am getting a number returned, with
full headers).  In looking at the headers, I see that it went from
machines:

       A -> B -> C -> D.

B is my mxer.  Now, it is NOT the same machine as my address in
the "from:", but it is the mxer for that machine.  A bit of work
went on here to associate the from: with a machine that makes sense.

Next, with forged headers, there is normally a discontinuity, and
it is easy to see where it originated.  There is NO discontinuity here.

When I received the first undeliverable one, I looked at the headers
and immediately thought that there was a way that my mxer was an open
relay.  We simultaneously tested it, and looked through the logs.
Tests showed it was not an open relay, and furthermore, there was
nothing in the logs of any communications from A, or to C.

Still not convinced, we looked at our argus logs, and saw no traffic
with A or C.  Not only that, but this particular mxer only handles
incoming traffic, and there was not a single outgoing connection.

The only conclusion I can come up with is that the spam is coming
from C, and they are working backward to forge headers.  Time stamps
are well done too.  One clue is that the machine C frequently appears
to be a DSL or cable connection.

So I'm wondering, "why?"  and "why me?"

Is it to ensure continuity in headers to help it to bypass spam
filters?  Then why do they have the From: with a name that goes with
the mxer?



-- 
Pete Hickey                                       /~\  The ASCII
The University of Ottawa                          \ /  Ribbon Campaign
Ottawa, Ontario                                    X   Against HTML
Canada                                            / \  Email!
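The post describes the two checks that matter here: first, whether the Received: chain is internally continuous (each hop's "from" host matches the next older hop's "by" host, and time stamps never run backwards), and second, whether the hop attributed to your own MX is backed by your own connection logs. The following is an added example, not code from the original post or from unisog; the host names, Received: headers and log excerpt are all constructed placeholders laid out to mirror the A -> B -> C -> D chain above. It shows that a carefully forged chain passes the continuity check, and that only the log cross-check exposes the hop the MX never performed, which points at the host directly above it as the real injection point.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime

# Constructed Received: headers, listed top-first as they appear in a bounced copy:
# D (the far-end recipient MX) received from C, C claims to have received from B,
# and B (our inbound-only MX, "the mxer") claims to have received from A.
# All host names are placeholders, not real hosts.
SAMPLE_RECEIVED = [
    "from host-c.example.net (host-c.example.net [192.0.2.30]) by mx.host-d.example.org with ESMTP id q1; Thu, 16 Dec 2004 08:12:45 -0500",
    "from mxer.example.edu (mxer.example.edu [192.0.2.20]) by host-c.example.net with ESMTP id q2; Thu, 16 Dec 2004 08:11:50 -0500",
    "from host-a.example.com (host-a.example.com [192.0.2.10]) by mxer.example.edu with ESMTP id q3; Thu, 16 Dec 2004 08:10:31 -0500",
]

OUR_MX = "mxer.example.edu"  # the machine whose logs we can actually read

# Constructed excerpt of our MX's own session log (what the mail log or argus would
# show).  No session from host-a.example.com is present and nothing is outbound.
OUR_MX_LOG = [
    {"direction": "in", "peer": "198.51.100.7", "name": "legit-sender.example", "when": "2004-12-16T08:05:00-05:00"},
    {"direction": "in", "peer": "198.51.100.9", "name": "another.example", "when": "2004-12-16T08:14:00-05:00"},
]

# Minimal parse of "from X ... by Y ... ; <date>"; real headers vary, this covers the common shape.
RECEIVED_RE = re.compile(r"^from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?;\s*(?P<date>.+)$", re.S)


@dataclass
class Hop:
    src: str        # host named after "from"
    dst: str        # host named after "by" (the one that stamped the header)
    when: datetime  # time stamp the stamping host claims


def parse_received(headers):
    hops = []
    for h in headers:
        m = RECEIVED_RE.match(h.strip())
        if not m:
            raise ValueError(f"unparseable Received header: {h!r}")
        hops.append(Hop(m["from"].lower(), m["by"].lower(), parsedate_to_datetime(m["date"])))
    return hops


def chain_discontinuities(hops):
    """Indexes i where hop i's 'from' does not name hop i+1's 'by', or where
    time runs backwards.  An empty list means the chain looks continuous."""
    bad = []
    for i in range(len(hops) - 1):
        newer, older = hops[i], hops[i + 1]
        if newer.src != older.dst or newer.when < older.when:
            bad.append(i)
    return bad


def mx_has_outbound(mx_log):
    """True if our MX ever opened an outbound session (it should not, per the post)."""
    return any(e["direction"] == "out" for e in mx_log)


def our_hop_is_forged(hops, our_mx, mx_log):
    """Locate the hop our MX supposedly stamped and look for a matching inbound
    session in our own log.  Returns (index, forged?)."""
    for i, hop in enumerate(hops):
        if hop.dst == our_mx:
            seen = any(e["direction"] == "in" and e["name"].lower() == hop.src for e in mx_log)
            return i, not seen
    return None, False


def probable_origin(hops, our_mx, mx_log):
    """Earliest host we can vouch for.  If the hop attributed to our MX has no log
    evidence, that hop and everything older is fabricated; the host that claims to
    have received the message *from* our MX is the real injection point."""
    idx, forged = our_hop_is_forged(hops, our_mx, mx_log)
    if idx is None:
        return None
    if not forged:
        return hops[idx].src  # our log backs the header; that sender really reached us
    if idx == 0:
        return None           # nothing newer than our hop to inspect
    return hops[idx - 1].dst


if __name__ == "__main__":
    hops = parse_received(SAMPLE_RECEIVED)
    print("discontinuities:", chain_discontinuities(hops))          # [] -> headers look clean
    print("our hop forged:", our_hop_is_forged(hops, OUR_MX, OUR_MX_LOG))
    print("probable origin:", probable_origin(hops, OUR_MX, OUR_MX_LOG))
```

The continuity check returns nothing because the forger built each older hop to match the one above it; only comparing the "by mxer" hop against the mxer's own log reveals that no session from A ever happened, which leaves C, the host that claims to have received from the mxer, as the earliest hop that can be held to account.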


