[unisog] Good spam forgery getting me.
marty.hoag at ndsu.edu
Thu Dec 16 20:01:24 GMT 2004
Isn't it pretty simple for a program to do this? Aren't they
just picking the MXer from your address rather than the other way
Pick a random e-mail address to use as the forged From:.
Do a DNS lookup for the MX handler for that domain. Insert said
MX handler host name and IP address in the forged Received: headers.
I agree, this does make it harder to spot the forgery. Of course
the Received: header may not exactly match one your MXer (or host C)
would create but that is hard to know in advance...
Pete Hickey wrote:
> Some spammer is forging spam so that it looks like it comes from
> me. Not much new there. Using my address in the "From:" isn't
> much work.
> But he is going much farther than that. He is doing an excellent
> job in forging the headers. (I am getting a number returned, with
> full headers). In looking at the headers, I see that it went from
> A-> B-> C-> D.
> B is my mxer. Now, it is NOT the same machine as my address in
> the "from:", but it is the mxer for that machine. A bit of work
> went on here to associate the from: with a machine that makes sense.
> Next, with forged headers, there is normally a discontinuity, and
> it is easy to see where it originated. There is NO discontinuity here.
> When I received the first undeliverable one, I looked at the headers
> and immediately thought that there was a way that my mxer was an open
> relay. We simultaneously tested it, and looked through the logs.
> Tests showed it was not an open relay, and furthermore, there was
> nothing in the logs of any communications from A, or to C.
> Still not convinced, we looked at our argus logs, and saw no traffic
> with A or C. Not only that, but this particular mxer, only handles
> incoming traffic and there was not a single outgoing connection.
> The only conclusion I can come up with is that the spam is coming
> from C, and they are working backward to forge headers. Time stamps
> are well done too. One clue, is that the machine C frequently appears
> to be a DSL or cable connection.
> So I'm wondering, "why?" and "why me?"
> Is it to ensure continuity in headers to help it to bypass spam
> filters? Then why do they have the From: with a name that goes with
> the mxer?
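The check Pete describes (walk the Received: chain looking for a hop whose "by" host does not match the next hop's "from" host, then confirm against the claimed relay's own logs) as an added example in Python. This is not code from the thread or from either author; the two sample messages, the MX table standing in for the DNS lookup, and the set of peer addresses standing in for the MX's connection logs are all constructed for the example, using documentation hostnames and address ranges. It shows the point of the thread in code: a chain built by looking up the MX of the forged From: domain passes every header-only check, and only the relay's own logs show that the hop never happened.

```python
"""Received: header chain checker (added example, not from the unisog thread).

Parses the Received: headers of a message, orders the hops origin-first,
and reports (a) hop discontinuities, (b) timestamp ordering, (c) whether the
MX of the From: domain appears as a relay, and (d) which hops attributed to
a given relay are not backed by that relay's own connection logs.
"""
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from typing import Optional

# Constructed sample: claims A -> B -> C -> D, where B (mx.example.net) is the
# MX for the forged From: domain and C is a DSL host. Every hop lines up.
FORGED_CONTINUOUS = """\
Received: from dsl-203-0-113-7.isp.example (dsl-203-0-113-7.isp.example [203.0.113.7])
\tby inbound.victim.example (Postfix) with ESMTP id 1A2B3C
\tfor <user@victim.example>; Thu, 16 Dec 2004 14:05:10 -0500
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby dsl-203-0-113-7.isp.example (8.12.11/8.12.11) with ESMTP id iBGJ4wqx012345
\tfor <user@victim.example>; Thu, 16 Dec 2004 14:04:58 -0500
Received: from workstation.example.net (workstation.example.net [198.51.100.5])
\tby mx.example.net (8.12.11/8.12.11) with ESMTP id iBGJ4nBD012301
\tfor <user@victim.example>; Thu, 16 Dec 2004 14:04:40 -0500
From: someone@example.net
To: user@victim.example
Subject: constructed sample

body
"""

# Constructed sample of a cruder forgery: the invented hop says it was
# relayed by smtp.example.net, but our MX actually received it from the DSL host.
NAIVE_FORGERY = """\
Received: from dsl-203-0-113-7.isp.example (dsl-203-0-113-7.isp.example [203.0.113.7])
\tby inbound.victim.example (Postfix) with ESMTP id 4D5E6F
\tfor <user@victim.example>; Thu, 16 Dec 2004 14:05:10 -0500
Received: from workstation.example.net (workstation.example.net [198.51.100.5])
\tby smtp.example.net with ESMTP id iBGJ4nBD012302
\tfor <user@victim.example>; Thu, 16 Dec 2004 14:04:40 -0500
From: someone@example.net
To: user@victim.example
Subject: constructed sample

body
"""

# Stand-in for the DNS MX lookup (assumed mapping, constructed for the example).
MX_TABLE = {"example.net": "mx.example.net"}
# Stand-in for mx.example.net's own SMTP/argus logs: the peer addresses it
# really exchanged traffic with in the window (constructed; 198.51.100.5 absent).
MX_LOG_PEERS = {"203.0.113.9", "192.0.2.77"}

HOP_RE = re.compile(r"\bfrom\s+(?P<from>\S+)(?P<detail>.*?)\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    from_host: str
    from_ip: Optional[str]
    by_host: str
    when: Optional[object]  # aware datetime, or None if the header had no date


def parse_received(msg_text):
    """Return the Received: hops in origin-first order (headers are prepended)."""
    msg = message_from_string(msg_text)
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(str(raw).split())  # unfold and collapse whitespace
        m = HOP_RE.search(line)
        if not m:
            continue
        ipm = IP_RE.search(m.group("detail"))
        when = parsedate_to_datetime(line.rsplit(";", 1)[1].strip()) if ";" in line else None
        hops.append(Hop(m.group("from"), ipm.group(1) if ipm else None, m.group("by"), when))
    hops.reverse()
    return hops


def check_chain(msg_text, mx_table):
    """Header-only checks: continuity, timestamps, and From:-domain MX present as a relay."""
    hops = parse_received(msg_text)
    breaks = [i for i in range(len(hops) - 1)
              if hops[i].by_host.lower() != hops[i + 1].from_host.lower()]
    times = [h.when for h in hops if h.when is not None]
    ordered = all(a <= b for a, b in zip(times, times[1:]))
    sender_domain = parseaddr(message_from_string(msg_text)["From"])[1].rsplit("@", 1)[-1].lower()
    claimed_mx = mx_table.get(sender_domain)
    mx_in_chain = claimed_mx is not None and any(h.by_host.lower() == claimed_mx for h in hops)
    return {"hops": [(h.from_host, h.by_host) for h in hops], "breaks": breaks,
            "timestamps_ordered": ordered, "sender_mx_in_chain": mx_in_chain,
            "looks_clean": not breaks and ordered}


def hops_unconfirmed_by_relay(hops, relay, relay_log_peers):
    """Hops the chain attributes to `relay` whose claimed sender IP is absent from
    the relay's own logs. A continuous chain can still fail this check."""
    return [h for h in hops if h.by_host.lower() == relay and h.from_ip not in relay_log_peers]


if __name__ == "__main__":
    for name, text in (("forged but continuous", FORGED_CONTINUOUS), ("naive forgery", NAIVE_FORGERY)):
        print(name, check_chain(text, MX_TABLE))
    for h in hops_unconfirmed_by_relay(parse_received(FORGED_CONTINUOUS), "mx.example.net", MX_LOG_PEERS):
        print("no log evidence at mx.example.net for connection from", h.from_host, h.from_ip)
```

Run as-is, the continuous forgery reports no breaks, ordered timestamps and the sender's MX in the chain, while the naive one reports a break at hop 0; only the log cross-check singles out the hop mx.example.net supposedly accepted from 198.51.100.5. In practice the MX table is a real MX lookup and the peer set comes from the relay's mail and flow logs for the time window in the header.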