[unisog] Good spam forgery getting me.

Valdis.Kletnieks at vt.edu
Thu Dec 16 17:31:33 GMT 2004


On Thu, 16 Dec 2004 08:40:00 EST, Pete Hickey said:

> The only conclusion I can come up with is that the spam is coming
> from C, and they are working backward to forge headers.  Time stamps
> are well done too.  One clue, is that the machine C frequently appears
> to be a DSL or cable connection.
> 
> So I'm wondering, "why?"  and "why me?"

Why *not* you?

One has to wonder if somebody has some smarter ratware that's a step up from
all the mass-mailing worms we've seen, and which scavenges the disk for
a likely From: candidate to joe-job and then builds convincing Received:
headers to match the From:.

(Note that if there is such ratware out there, you'll *of course* think you're
being targeted just because you've seen 4 different 'machine C' pop up in
4 different time zones, doing the same thing to you.  Rest assured it's probably
nothing personal, and that the only reason you think you're alone is because
the spammer actually has 50,000 similar zombies, and 4 happened to have your
address on the disk.  You just don't see the *other* 49,996 joe-jobs.. ;)

> Is it to ensure continuity in headers to help it to bypass spam
> filters?  Then why do they have the From: with a name that goes with
> the mxer?

Yes, SpamAssassin (and probably others) has a continuity check.  And they
match the From: and the mx'er simply because they *started* with a From:,
and then crafted Received: lines that referenced the mx'er to increase the
veracity of the spam - some places are doing very broken "do the Received:
headers include the purported sender's site" checks...
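As an added illustration of the two checks the reply discusses (this is example code written for this page, not code from the original post and not SpamAssassin's own implementation): it parses a constructed Received: chain, runs a continuity check (each hop's "from" host must be the next hop's "by" host), runs the weak "does the purported sender's site appear in the Received: headers" check, and then separates the hops stamped by relays you operate from the ones beneath them. The trusted-relay set and all hostnames and addresses are assumptions built from reserved example domains and documentation IP ranges.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample message (not from the original post). The top two Received:
# lines were stamped by the receiving site's own relays; the third is text the
# connecting host could have written itself. Hostnames and addresses are
# placeholders from the reserved example domains and documentation IP ranges.
SAMPLE_MESSAGE = """\
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
    by mailhub.example.edu (Postfix) with ESMTP id 4B2C7
    for <user@example.edu>; Thu, 16 Dec 2004 08:40:00 -0500 (EST)
Received: from mail.example.net (mail.example.net [198.51.100.5])
    by mx.example.edu (8.12.10/8.12.10) with ESMTP id iBGDdxYg012345
    for <user@example.edu>; Thu, 16 Dec 2004 08:39:58 -0500 (EST)
Received: from relay.example.org (relay.example.org [203.0.113.77])
    by mail.example.net with SMTP id 12345
    for <user@example.edu>; Thu, 16 Dec 2004 08:39:50 -0500 (EST)
From: Someone <someone@example.net>
Subject: test

body
"""

# Same chain with one hand-off that does not line up: the second Received: line
# says the message came from mail.example.net, but the third line claims it was
# stamped by smtp.example.net. A continuity check should flag that seam.
BROKEN_CHAIN = SAMPLE_MESSAGE.replace("by mail.example.net with", "by smtp.example.net with")

# Assumption: the relays this site operates. Only Received: lines stamped "by"
# one of these were written by software we control.
TRUSTED_RELAYS: Set[str] = {"mailhub.example.edu", "mx.example.edu"}

# Matches "from <host> [(<reverse-dns/ip comment>)] ... by <host>" in one hop.
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)", re.IGNORECASE)


def parse_received(raw: str) -> List[Dict[str, str]]:
    """Return the Received: hops in header order (most recently added first).
    Each hop records the host the relay says it accepted the message from, the
    reverse-DNS/IP comment the relay attached, and the relay that wrote the line."""
    msg = message_from_string(raw, policy=policy.default)
    hops: List[Dict[str, str]] = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold and collapse whitespace
        m = HOP_RE.search(flat)
        if not m:
            continue  # unparseable hop: skip it rather than guess
        hops.append({"from": m.group(1).lower(), "comment": m.group(2) or "",
                     "by": m.group(3).lower(), "raw": flat})
    return hops


def continuity_breaks(hops: List[Dict[str, str]]) -> List[int]:
    """Indexes i where hop i's 'from' host is not hop i+1's 'by' host, i.e. where
    the chain as written does not hand off cleanly from one relay to the next."""
    return [i for i in range(len(hops) - 1) if hops[i]["from"] != hops[i + 1]["by"]]


def trusted_prefix(hops: List[Dict[str, str]], trusted: Set[str]) -> int:
    """Number of leading hops stamped by relays we operate. Everything beneath
    them arrived as header text supplied by the connecting host."""
    n = 0
    for hop in hops:
        if hop["by"] not in trusted:
            break
        n += 1
    return n


def handoff_peer(hops: List[Dict[str, str]], trusted: Set[str]) -> Optional[Tuple[str, str]]:
    """The host (and reverse-DNS/IP comment) our last trusted relay actually
    accepted the message from: the one origin fact a crafted chain cannot rewrite."""
    n = trusted_prefix(hops, trusted)
    if n == 0:
        return None
    return hops[n - 1]["from"], hops[n - 1]["comment"]


def naive_sender_site_check(raw: str, hops: List[Dict[str, str]]) -> bool:
    """The weak check the reply mentions: does the From: domain appear anywhere in
    the Received: lines? Any chain written to name that domain passes it."""
    msg = message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    return any(domain in hop["raw"].lower() for hop in hops)


if __name__ == "__main__":
    hops = parse_received(SAMPLE_MESSAGE)
    print("hops:", [(h["from"], "->", h["by"]) for h in hops])
    print("continuity breaks:", continuity_breaks(hops))
    print("trusted hops:", trusted_prefix(hops, TRUSTED_RELAYS))
    print("last trusted hand-off:", handoff_peer(hops, TRUSTED_RELAYS))
    print("naive sender-site check passes:", naive_sender_site_check(SAMPLE_MESSAGE, hops))
    print("breaks in altered chain:", continuity_breaks(parse_received(BROKEN_CHAIN)))
```

On the sample chain both the continuity check and the naive sender-site check pass, which is exactly the reply's point: a chain built backwards from the From: line is internally consistent, so consistency alone proves nothing. What a filter can rely on is the hand-off recorded by its own relay (here mx.example.edu accepting from 198.51.100.5); the hop beneath it is unverified text, and that is where reputation or reverse-DNS checks should be aimed.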