[unisog] Good spam forgery getting me.

BACHAND, Dave (Info. Tech. Services) BachandD at easternct.edu
Thu Dec 16 18:47:10 GMT 2004

We had that happen a while back with an old DNS entry that was retired.

I think the answer is that A-  They can, B- many sites now use reverse
lookup or they reject messages.  If the source data appears valid, it
goes through.


-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Pete Hickey
Sent: Thursday, December 16, 2004 8:40 AM
To: unisog at sans.org
Subject: [unisog] Good spam forgery getting me.

Some spammer is forging spam so that it looks like it comes from
me.  Not much new there.  Using my address in the "From:" isn't
much work.

But he is going much farther than that.  He is doing an excellent
job in forging the headers.  (I am getting a number returned, with
full headers).  In looking at the headers, I see that it went from

       A -> B -> C -> D.

B is my mxer.  Now, it is NOT the same machine as my address in
the "from:", but it is the mxer for that machine.  A bit of work
went on here to associate the from: with a machine that makes sense.

Next, with forged headers, there is normally a discontinuity, and
it is easy to see where it originated.  There is NO discontinuity here.

When I received the first undeliverable one, I looked at the headers
and immediately thought that there was a way that my mxer was an open
relay.  We simultaneously tested it, and looked through the logs.
Tests showed it was not an open relay, and furthermore, there was
nothing in the logs of any communications from A, or to C.

Still not convinced, we looked at our argus logs, and saw no traffic
with A or C.  Not only that, but this particular mxer only handles
incoming traffic and there was not a single outgoing connection.

The only conclusion I can come up with is that the spam is coming
from C, and they are working backward to forge headers.  Time stamps
are well done too.  One clue is that the machine C frequently appears
to be a DSL or cable connection.

So I'm wondering, "why?" and "why me?"

Is it to ensure continuity in headers to help it to bypass spam
filters?  Then why do they have the From: with a name that goes with
the mxer?

Pete Hickey                                       /~\  The ASCII
The University of Ottawa                          \ /  Ribbon Campaign
Ottawa, Ontario                                    X   Against HTML
Canada                                            / \  Email!
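Pete describes a chain A -> B -> C -> D with no discontinuity, where B is his inbound-only MX and neither the mail logs nor argus show any traffic from A or to C. As an added example, not part of this thread, the Python below parses the Received: headers of a constructed bounce, checks hop-to-hop continuity (host names and timestamps), and flags every hop that names our MX but has no matching entry in our own MX connection log; the host names, addresses and log entries are constructed.

```python
import re
from email.utils import parsedate_to_datetime

# Covers the subset of Received: syntax this example needs: "from X ... by Y ...; <date>".
RECEIVED_RE = re.compile(r"^from\s+(\S+).*?\bby\s+(\S+).*;\s*(.+)$", re.S)

def parse_received(header):
    """Return (from_host, by_host, timestamp) for one Received: header."""
    m = RECEIVED_RE.match(header.strip())
    if not m:
        raise ValueError("unparsable Received header: " + header)
    return m.group(1).lower(), m.group(2).lower(), parsedate_to_datetime(m.group(3))

def hops_oldest_first(received_headers):
    """Relays prepend Received: lines, so reverse them to read A -> B -> C -> D."""
    return [parse_received(h) for h in reversed(received_headers)]

def discontinuities(hops):
    """Indices i where hop i's 'by' host is not hop i+1's 'from' host, or time goes backwards."""
    bad = []
    for i in range(len(hops) - 1):
        _, by_prev, t_prev = hops[i]
        frm_next, _, t_next = hops[i + 1]
        if by_prev != frm_next or t_next < t_prev:
            bad.append(i)
    return bad

def uncorroborated_hops(hops, our_mx, mx_log):
    """Hops naming our MX that our own log of (client_host, server_host) connections never saw."""
    seen = {(c.lower(), s.lower()) for c, s in mx_log}
    return [(frm, by) for frm, by, _ in hops
            if our_mx in (frm, by) and (frm, by) not in seen]

def analyze(received_headers, our_mx, mx_log):
    hops = hops_oldest_first(received_headers)
    return {"continuous": not discontinuities(hops),
            "forged": uncorroborated_hops(hops, our_mx.lower(), mx_log)}

# Constructed bounce headers (newest first) modelled on the post's chain: B is our MX, C the real origin.
BOUNCE_RECEIVED = [
    "from host-c.dsl.example.net (host-c.dsl.example.net [203.0.113.45]) by mail.example.org"
    " with ESMTP; Thu, 16 Dec 2004 08:40:22 -0500",
    "from mx.example.edu (mx.example.edu [198.51.100.5]) by host-c.dsl.example.net"
    " with ESMTP; Thu, 16 Dec 2004 08:39:58 -0500",
    "from host-a.example.com (host-a.example.com [192.0.2.7]) by mx.example.edu"
    " with ESMTP; Thu, 16 Dec 2004 08:39:40 -0500",
]
# Constructed MX log: inbound only, with no connection from host-a and none to host-c.
MX_LOG = [("smtp.partner.example", "mx.example.edu")]
```

A clean chain with uncorroborated hops is the signature of the forgery in the post: the headers are internally consistent, but the MX's own records show it never took part.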