[unisog] Good spam forgery getting me.

Marty Hoag marty.hoag at ndsu.edu
Thu Dec 16 20:01:24 GMT 2004

    Isn't it pretty simple for a program to do this? Aren't they
just picking the MXer from your address rather than the other way
    Pick a random e-mail address to use as the forged From:.
Do a DNS lookup for the MX handler for that domain. Insert said
MX handler host name and IP address in the forged Received: headers.
    I agree, this does make it harder to spot the forgery. Of course
the Received: header may not exactly match one your MXer (or host C)
would create but that is hard to know in advance...


Pete Hickey wrote:

> Some spammer is forging spam so that it looks like it comes from
> me.  Not much new there.  Using my address in the "From:" isn't
> much work.
> But he is going much farther than that.  He is doing an excellent
> job in forging the headers.  (I am getting a number returned, with
> full headers).  In looking at the headers, I see that it went from
> machines:
>        A-> B-> C-> D.  
> B is my mxer.  Now, it is NOT the same machine as my address in
> the "from:", but it is the mxer for that machine.  A bit of work
> went on here to associate the from: with a machine that makes sense.
> Next, with forged headers, there is normally a discontinuity, and
> it is easy to see where it originated.  There is NO discontinuity here.
> When I received the first undeliverable one, I looked at the headers
> and immediately thought that there was a way that my mxer was an open
> relay.  We simultaneously tested it, and looked through the logs.
> Tests showed it was not an open relay, and furthermore, there was
> nothing in the logs of any communications from A, or to C.
> Still not convinced, we looked at our argus logs, and saw no traffic
> with A or C.  Not only that, but this particular mxer, only handles
> incoming traffic and there was not a single outgoing connection.
> The only conclusion I can come up with is that the spam is coming
> from C, and they are working backward to forge headers.  Time stamps
> are well done too.  One clue, is that the machine C frequently appears
> to be a DSL or cable connection.
> So I'm wondering, "why?"  and "why me?"
> Is it to ensure continuity in headers to help it to bypass spam
> filters?  Then why do they have the From: with a name that goes with
> the mxer?

More information about the unisog mailing list