[unisog] Good spam forgery getting me.

Jeff Ballard ballard at engr.wisc.edu
Thu Dec 16 17:55:33 GMT 2004

On Thu, 16 Dec 2004 08:40:00 -0500  Pete Hickey wrote:
> A-> B-> C-> D.  
> The only conclusion I can come up with is that the spam is coming
> from C, and they are working backward to forge headers.  Time stamps
> are well done too.  One clue, is that the machine C frequently appears
> to be a DSL or cable connection.
> So I'm wondering, "why?"  and "why me?"
> Is it to ensure continuity in headers to help it to bypass spam
> filters?  Then why do they have the From: with a name that goes with
> the mxer?

How: You're most certainly correct.  You can only trust headers working 
BACKWARDS from D.  Once you hit something you don't trust, anything below 
should be treated as bogus.  It may be clever and filled with correct 
information probably gleaned out of MX records, but it's bogus none-the-less.

If C's a DSL modem, C's the spammer.

Why: As you suspect it is most certainly used to trick spam filters and trick 
some not-quite-newbie-but-yet-not-expert users into thinking the message is 
legit ("...but it SAYS your server in the headers!...").

Why you: You won the wheel of spammer misfortune! :)


Jeff Ballard <ballard at engr.wisc.edu>   608-265-5090
Unix Systems Manager, Computer-Aided Engineering Center

More information about the unisog mailing list