[unisog] Good spam forgery getting me.

PaulFM paulfm at me.umn.edu
Thu Dec 16 18:35:08 GMT 2004


Look at all the work you went through because you thought B was the problem.
I am surprised viruses didn't do this before.  It is very easy to get the info
through a dns lookup:
	$ host -tmx shadows.uottawa.ca
	shadows.uottawa.ca mail is handled by 15 newmud.comm.uottawa.ca.

I think spammers/virus-writers are doing everything they can to make their 
mail look legit. Even if it doesn't get them by filters now - it cuts down on 
items that a filter could use to decide something is spam.

When you are checking the origin of spam/virii, it is best to go backwards on 
the received headers (top to bottom) and always assume the first machine not 
controlled by you is the source of the spam and all other received headers 
are forged (don't waste your time with the information in the un-trusted 
headers).


Pete Hickey wrote:

> Some spammer is forging spam so that it looks like it comes from
> me.  Not much new there.  Using my address in the "From:" isn't
> much work.
> 
> But he is going much farther than that.  He is doing an excellent
> job in forging the headers.  (I am getting a number returned, with
> full headers).  In looking at the headers, I see that it went from
> machines:
> 
>        A-> B-> C-> D.  
> 
> B is my mxer.  Now, it is NOT the same machine as my address in
> the "from:", but it is the mxer for that machine.  A bit of work
> went on here to associate the from: with a machine that makes sense.
> 
> Next, with forged headers, there is normally a discontinuity, and
> it is easy to see where it originated.  There is NO discontinuity here.
> 
> When I received the first undeliverable one, I looked at the headers
> and immediately thought that there was a way that my mxer was an open
> relay.  We simultaneously tested it, and looked through the logs.
> Tests showed it was not an open relay, and furthermore, there was
> nothing in the logs of any communications from A, or to C.
> 
> Still not convinced, we looked at our argus logs, and saw no traffic
> with A or C.  Not only that, but this particular mxer, only handles
> incoming traffic and there was not a single outgoing connection.
> 
> The only conclusion I can come up with is that the spam is coming
> from C, and they are working backward to forge headers.  Time stamps
> are well done too.  One clue, is that the machine C frequently appears
> to be a DSL or cable connection.
> 
> So I'm wondering, "why?"  and "why me?"
> 
> Is it to ensure continuity in headers to help it to bypass spam
> filters?  Then why do they have the From: with a name that goes with
> the mxer?
> 
> 
> 

-- 
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
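One way to apply that rule mechanically, as an added example that is not part of the thread: a small Python script walks a constructed set of Received headers top to bottom, stops at the first peer outside a trusted-host set, and reports which lines below it came from machines you do not control. The host names, addresses and the find_origin function are assumptions for illustration.

```python
import re
from email import message_from_string

# Constructed sample (not from the thread): four Received lines as our final host
# would see them, newest on top.  Names/addresses are documentation placeholders.
SAMPLE = """\
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
\tby mailstore.example.edu with ESMTP id 4F2A1; Thu, 16 Dec 2004 12:01:03 -0600
Received: from mail.victim.example (dsl-7.isp.example [198.51.100.7])
\tby mx.example.edu with ESMTP id 1B9C3; Thu, 16 Dec 2004 12:00:58 -0600
Received: from mx.victim.example (mx.victim.example [203.0.113.5])
\tby mail.victim.example with ESMTP; Thu, 16 Dec 2004 12:00:40 -0600
Received: from user-pc.victim.example (user-pc.victim.example [203.0.113.9])
\tby mx.victim.example with ESMTP; Thu, 16 Dec 2004 12:00:21 -0600
From: someone@victim.example
Subject: constructed sample

body
"""

RE_FROM = re.compile(r"\bfrom\s+(\S+)", re.I)         # HELO name claimed by the sender
RE_BY = re.compile(r"\bby\s+(\S+)", re.I)             # host that wrote this Received line
RE_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # address the receiving MTA observed


def find_origin(raw_message, trusted_hosts):
    """Walk Received headers top to bottom.  Return the first peer outside our
    control as (helo_name, observed_ip), plus the Received lines below it, which
    were written by machines we do not control and may be forged."""
    received = message_from_string(raw_message).get_all("Received") or []
    trusted = {h.lower() for h in trusted_hosts}
    for i, hdr in enumerate(received):
        by_m, from_m = RE_BY.search(hdr), RE_FROM.search(hdr)
        if not by_m or not from_m or by_m.group(1).lower() not in trusted:
            return None, received[i:]  # chain leaves our hosts without a clean hand-off
        helo = from_m.group(1).lower()
        if helo in trusted:
            continue                   # internal hop between our own machines
        ip_m = RE_IP.search(hdr)
        return (helo, ip_m.group(1) if ip_m else None), received[i + 1:]
    return None, []


if __name__ == "__main__":
    origin, untrusted = find_origin(SAMPLE, {"mailstore.example.edu", "mx.example.edu"})
    print("origin:", origin, "| untrusted Received lines:", len(untrusted))
```

The observed IP in brackets was recorded by your own MTA, so it is the value to act on; the HELO name and everything in the lower Received lines are only the sender's claims.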