[unisog] Good spam forgery getting me.
ballard at engr.wisc.edu
Thu Dec 16 17:55:33 GMT 2004
On Thu, 16 Dec 2004 08:40:00 -0500 Pete Hickey wrote:
> A-> B-> C-> D.
> The only conclusion I can come up with is that the spam is coming
> from C, and they are working backward to forge headers. Time stamps
> are well done too. One clue is that the machine C frequently appears
> to be a DSL or cable connection.
> So I'm wondering, "why?" and "why me?"
> Is it to ensure continuity in headers to help it to bypass spam
> filters? Then why do they have the From: with a name that goes with
> the mxer?
How: You're most certainly correct. You can only trust headers working
BACKWARDS from D. Once you hit something you don't trust, anything below
should be treated as bogus. It may be clever and filled with correct
information probably gleaned out of MX records, but it's bogus nonetheless.
If C's a DSL modem, C's the spammer.
Why: As you suspect, it is most certainly used to trick spam filters and trick
some not-quite-newbie-but-yet-not-expert users into thinking the message is
legit ("...but it SAYS your server in the headers!...").
Why you: You won the wheel of spammer misfortune! :)
Jeff Ballard <ballard at engr.wisc.edu> 608-265-5090
Unix Systems Manager, Computer-Aided Engineering Center
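The backwards walk Jeff describes (trust a Received: line only while it was written by a relay you control; the first outside host is the origin, and every line below it is suspect no matter what it claims) can be scripted. The following is an added example, not code from the thread or from unisog. The two messages, the hostnames, the queue ids and the `TRUSTED_RELAYS` set are constructed for illustration, and the "looks like a DSL/cable pool" regex is a heuristic assumed here, not a rule from the thread.

```python
"""Walk a Received: chain from the receiving MX back towards the sender.

Added example (constructed data). Each hop is classified as:
  trusted - written by one of our relays, received from another of our relays
  origin  - written by one of our relays, received from an outside host
  bogus   - anything below the origin, however legitimate it looks
"""
import re
from email import message_from_string

# Hypothetical relays we operate; anything else is "outside".
TRUSTED_RELAYS = {"mx.example.edu", "relay.example.edu", "mail.example.edu"}

FROM_RE = re.compile(r"\bfrom\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?", re.S)
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Heuristic (assumption): rDNS names that look like consumer DSL/cable pools.
DYNAMIC_RE = re.compile(r"(dsl|cable|hsd|dyn|pool|ppp|dhcp)|(\d{1,3}[-.]){3}\d{1,3}", re.I)

# Constructed forged chain: C (a cable-modem host) is the real sender and
# fabricated the two lines below its own, naming our mail.example.edu.
FORGED_MESSAGE = (
    "Received: from c-203-0-113-77.hsd1.example.net "
    "(c-203-0-113-77.hsd1.example.net [203.0.113.77])\n"
    "\tby mx.example.edu (Postfix) with ESMTP id 7A1B2C3D\n"
    "\tfor <user@example.edu>; Thu, 16 Dec 2004 08:12:01 -0500\n"
    "Received: from mail.example.edu (mail.example.edu [192.0.2.25])\n"
    "\tby c-203-0-113-77.hsd1.example.net with ESMTP id 1F2E3D4C;\n"
    "\tThu, 16 Dec 2004 08:11:58 -0500\n"
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby mail.example.edu (Postfix) with ESMTP id 9E0F1A2B;\n"
    "\tThu, 16 Dec 2004 08:11:45 -0500\n"
    "From: Helpdesk <helpdesk@example.edu>\n"
    "To: user@example.edu\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Constructed legitimate chain: an internal relay hop, then an outside MTA.
LEGIT_MESSAGE = (
    "Received: from relay.example.edu (relay.example.edu [192.0.2.10])\n"
    "\tby mx.example.edu (Postfix) with ESMTP id 0A1B2C3D;\n"
    "\tThu, 16 Dec 2004 09:00:02 -0500\n"
    "Received: from smtp.partner.example.org "
    "(smtp.partner.example.org [198.51.100.5])\n"
    "\tby relay.example.edu (Postfix) with ESMTP id 4D5E6F7A;\n"
    "\tThu, 16 Dec 2004 09:00:00 -0500\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)


def parse_hop(value):
    """Pull the 'from' host, its bracketed IP and the 'by' host out of one Received: value."""
    from_m = FROM_RE.search(value)
    by_m = BY_RE.search(value)
    ip_m = IP_RE.search(from_m.group("info") or "") if from_m else None
    return {
        "from": from_m.group("helo") if from_m else None,
        "from_ip": ip_m.group(1) if ip_m else None,
        "by": by_m.group("by") if by_m else None,
    }


def analyze_received_chain(raw_message, trusted_relays=TRUSTED_RELAYS):
    """Classify every hop, top (our MX) first, and return (hops, origin_hop)."""
    msg = message_from_string(raw_message)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    chain_intact = True   # becomes False once we pass the first outside host
    origin = None
    for hop in hops:
        if chain_intact and hop["by"] in trusted_relays:
            # This line was stamped by a machine we run, so its 'from' is real.
            if hop["from"] in trusted_relays:
                hop["verdict"] = "trusted"
                continue
            hop["verdict"] = "origin"
            hop["looks_dynamic"] = bool(DYNAMIC_RE.search(hop["from"] or ""))
            origin = hop
        else:
            # Below the origin: the sender could have typed anything here,
            # including the names of our own servers.
            hop["verdict"] = "bogus"
        chain_intact = False
    return hops, origin


if __name__ == "__main__":
    for label, raw in (("forged", FORGED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        hops, origin = analyze_received_chain(raw)
        print(label, [(h["from"], h["by"], h["verdict"]) for h in hops])
        print("  origin:", origin["from"], origin["from_ip"], "dynamic:", origin["looks_dynamic"])
```

Run against the forged sample, the walk stops at C (203.0.113.77, flagged as a likely dynamic pool) and marks the two lines below it bogus even though the last one is stamped "by mail.example.edu"; that is exactly the "but it SAYS your server" line that fools a reader who scans the headers bottom-up. The legitimate sample yields one trusted internal hop and an outside origin that does not look dynamic.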