[unisog] Good spam forgery getting me.

Peter Van Epp vanepp at sfu.ca
Thu Dec 16 23:37:59 GMT 2004


	I got a spamcop complaint with similar header forging a month or two
ago. Like you, I could identify it really wasn't us (both because inbound 
25 is blocked except to mail servers which this wasn't, but more definitively 
because argus didn't record the traffic in or out on either of our links).
Forwarding that explanation to the spamcop folks apparently verified other
reports and caused the real source to be blocked. The only oddness (but after
thinking about it, we would be the only ones that could verify it) was that
the outbound hop (as is probably true in your case) isn't to the destination's
MX, but directly to a host. Luckily I thought about that before suggesting it
as a test to spamcop, because an infected machine on my site could in fact do
that too so it isn't definitive. I'm afraid the best way to beat this is in 
fact argus verifying that the traffic in and out in fact didn't originate with 
your site, but that still means the work of verifying it and communicating that
to the person complaining.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

On Thu, Dec 16, 2004 at 08:40:00AM -0500, Pete Hickey wrote:
> 
> Some spammer is forging spam so that it looks like it comes from
> me.  Not much new there.  Using my address in the "From:" isn't
> much work.
> 
> But he is going much farther than that.  He is doing an excellent
> job in forging the headers.  (I am getting a number returned, with
> full headers).  In looking at the headers, I see that it went from
> machines:
> 
>        A-> B-> C-> D.  
> 
> B is my mxer.  Now, it is NOT the same machine as my address in
> the "from:", but it is the mxer for that machine.  A bit of work
> went on here to associate the from: with a machine that makes sense.
> 
> Next, with forged headers, there is normally a discontinuity, and
> it is easy to see where it originated.  There is NO discontinuity here.
> 
> When I received the first undeliverable one, I looked at the headers
> and immediately thought that there was a way that my mxer was an open
> relay.  We simultaneously tested it, and looked through the logs.
> Tests showed it was not an open relay, and furthermore, there was
> nothing in the logs of any communications from A, or to C.
> 
> Still not convinced, we looked at our argus logs, and saw no traffic
> with A or C.  Not only that, but this particular mxer, only handles
> incoming traffic and there was not a single outgoing connection.
> 
> The only conclusion I can come up with is that the spam is coming
> from C, and they are working backward to forge headers.  Time stamps
> are well done too.  One clue, is that the machine C frequently appears
> to be a DSL or cable connection.
> 
> So I'm wondering, "why?"  and "why me?"
> 
> Is it to ensure continuity in headers to help it to bypass spam
> filters?  Then why do they have the From: with a name that goes with
> the mxer?
> 
> 
> 
> -- 
> Pete Hickey                                       /~\  The ASCII
> The University of Ottawa                          \ /  Ribbon Campaign
> Ottawa, Ontario                                    X   Against HTML
> Canada                                            / \  Email!
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
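The continuity check Pete describes (each hop's "from" should name the host that the previous hop says handled the message, and time stamps should not run backwards) is easy to automate for triage. The following is an added example, not code from either message above or from the unisog list. The hostnames, addresses and time stamps in the two sample header sets are constructed placeholders; one set is self-consistent, the other contains the kind of discontinuity a careless forger leaves behind.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

# Constructed sample headers (placeholders, not from the original post).
# Received: lines are newest-first, so the final hop sits at the top.
# Delivery order reads A -> B -> C -> D, matching the thread's notation.
CONTINUOUS_HEADERS = """\
Received: from mx.c.example (mx.c.example [192.0.2.30])
\tby mail.d.example with ESMTP; Thu, 16 Dec 2004 08:40:05 -0500
Received: from mx.b.example (mx.b.example [192.0.2.20])
\tby mx.c.example with ESMTP; Thu, 16 Dec 2004 08:39:50 -0500
Received: from host.a.example (host.a.example [192.0.2.10])
\tby mx.b.example with ESMTP; Thu, 16 Dec 2004 08:39:40 -0500
"""

# Same shape, but the middle hop claims a "from" host that does not match
# the earlier hop's "by" host, and the earliest time stamp is the latest.
BROKEN_HEADERS = """\
Received: from mx.c.example (mx.c.example [192.0.2.30])
\tby mail.d.example with ESMTP; Thu, 16 Dec 2004 08:40:05 -0500
Received: from relay.x.example (relay.x.example [198.51.100.7])
\tby mx.c.example with ESMTP; Thu, 16 Dec 2004 08:39:50 -0500
Received: from host.a.example (host.a.example [192.0.2.10])
\tby mx.b.example with ESMTP; Thu, 16 Dec 2004 08:41:00 -0500
"""


@dataclass
class Hop:
    from_host: str            # host the receiving server says it talked to
    by_host: str              # the receiving server itself
    when: Optional[datetime]  # time stamp after the final ';', if present


def parse_received(raw_headers: str) -> List[Hop]:
    """Parse Received: headers and return hops in delivery (oldest-first) order."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        from_m = re.match(r"from\s+(\S+)", flat)
        by_m = re.search(r"\bby\s+(\S+)", flat)
        when = None
        if ";" in flat:
            try:
                when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                when = None  # unparseable date: skip the time check for this hop
        hops.append(Hop(from_m.group(1) if from_m else "",
                        by_m.group(1) if by_m else "",
                        when))
    hops.reverse()  # header order is newest-first; we want chronological
    return hops


def check_chain(hops: List[Hop]) -> List[Tuple[int, str, str]]:
    """Return (hop_index, kind, message) for every break in the chain.

    kind is "host" when a hop's from-host does not match the previous hop's
    by-host, and "time" when its time stamp precedes the previous hop's.
    """
    problems = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        if cur.from_host.lower() != prev.by_host.lower():
            problems.append((i, "host",
                             f"hop {i}: 'from {cur.from_host}' does not match "
                             f"previous hop's 'by {prev.by_host}'"))
        if cur.when and prev.when and cur.when < prev.when:
            problems.append((i, "time",
                             f"hop {i}: {cur.when.isoformat()} is earlier than "
                             f"previous hop's {prev.when.isoformat()}"))
    return problems


if __name__ == "__main__":
    for label, raw in (("continuous", CONTINUOUS_HEADERS), ("broken", BROKEN_HEADERS)):
        print(label)
        for _, _, text in check_chain(parse_received(raw)) or [(0, "", "  no discontinuity found")]:
            print(" ", text)
```

The host comparison is deliberately literal: in real mail the "from" token is the HELO name, which may differ from the reverse-DNS name in parentheses, so a production version would compare both and the bracketed IP. The point of the thread is exactly that a forger who fabricates a self-consistent chain passes this check, so an empty result only tells you the headers are internally plausible; whether your MX actually handled the message is settled by its own logs and by flow records such as argus, as both posters did.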


