Re: {SPAM?} Re: [SLUG] just received genuine spam on this list

From: Paul M Foster (paulf@quillandmouse.com)
Date: Mon May 17 2004 - 18:43:33 EDT


On Mon, May 17, 2004 at 11:57:06AM -0400, Eben King wrote:

> On Sun, 16 May 2004, Robin 'Roblimo' Miller wrote:
>
> > >This is a case where what _looks_ real isn't. Most of the addresses here
> > >are spoofed. Although the "To:" header says one thing, the envelope
> > >header is something else, which is why it got to you, but not to the
> > >list in general.
> >
> > I get complaints all the time about spam "from" NewsForge, Slashdot,
> > SourceForge, freshmeat, and other OSDN sites that, if you look at the
> > headers, really came through open relays in places like Nigeria, Korea,
> > China or one of the former Soviet Republics.
>
> OK, given the headers I posted, how do I tell where it _really_ came from,
> without a manual method such as whois? Or is that the most (only)
> reliable way?

Yes. And no.

>
> I assume it's among the "Received:" headers somewhere, and that some of
> them are forged. How do I tell the difference between real and fake?
>

Given that the first few headers are forged/spoofed, I don't know that
you could trust any others. I don't know all the intricacies of MTAs and
such, but I imagine that a bright hacker could write a piece of software
that would forge all the headers up to the point where it's actually
handed off to a real network, and make it look like it's all legit, like
this one. The interesting thing here is that these headers are meant to
look like they're coming from a place we would consider legitimate. But
to maintain that kind of legitimacy, you could only send mail like that
to about 200 people (the number on the SLUG list). Anyone else would
look at the headers and think, "Who's this SLUG place?".

I've seen more of these forged headers lately. I used to be able to get
some clue about who was doing this stuff, but now I have no idea. Since
it seems that you can't track who this is or where it actually comes
from, I'd suggest simply blocking it one way or another (spamassassin,
spambouncer, bogofilter, etc.).

Paul
-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
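As an added illustration of reading the "Received:" chain the thread asks about (example code, not from the original message or from any list member): the only hop you can rely on is the one your own MTA wrote when it accepted the connection, so walk the headers from the top down until the first hop that arrived from a host that is not yours; that peer IP is real, and every header beneath it was handed over by the sender and may be invented. The header text, hostnames and IPs below are constructed, and TRUSTED_BY/TRUSTED_IPS stand in for whatever a site's own mail servers are.

```python
import re
# Constructed sample (not from the original message), newest hop first: each MTA
# prepends its own Received: line, so the top two came from our own servers.
SAMPLE_HEADERS = """\
Received: from mx.example-list.org (mx.example-list.org [192.0.2.10])
    by mail.example-list.org (Postfix) with ESMTP id 1A2B3; Mon, 17 May 2004 11:50:01 -0400
Received: from mail.newsforge.example (unknown [198.51.100.77])
    by mx.example-list.org (Postfix) with SMTP id 4C5D6; Mon, 17 May 2004 11:49:58 -0400
Received: from relay.osdn.example (relay.osdn.example [203.0.113.5])
    by mail.newsforge.example (8.12.8) with ESMTP id i4HFnv1; Mon, 17 May 2004 11:49:00 -0400
Received: from localhost (localhost [127.0.0.1])
    by relay.osdn.example; Mon, 17 May 2004 11:48:00 -0400
"""
TRUSTED_BY = {"mail.example-list.org", "mx.example-list.org"}  # our MTAs (hypothetical)
TRUSTED_IPS = {"192.0.2.10"}                                     # IPs our MTAs relay from

# helo = name the sender claimed; rdns and ip = what the receiving MTA observed.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>[^\s;]+)")

def unfold(raw):
    """Join header continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(raw):
    """Return the parsed Received: hops in header order (newest first)."""
    hops = []
    for line in unfold(raw):
        m = RECEIVED_RE.search(line) if line.lower().startswith("received:") else None
        if m:
            hops.append(m.groupdict())
    return hops

def entry_point(hops, trusted_by, trusted_ips):
    """Walk newest to oldest. A hop is believable only while 'by' is one of our
    MTAs; the first such hop whose peer IP is not ours is where the mail entered.
    Our server recorded that IP, so the sender could not forge it; every hop
    below it was supplied by the sender and may be invented."""
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted_by:
            return None  # the newest header is not ours: nothing to anchor on
        if hop["ip"] not in trusted_ips:
            return {"entry_ip": hop["ip"], "claimed_helo": hop["helo"],
                    "rdns_matches_helo": hop["rdns"] == hop["helo"],
                    "unverifiable": hops[i + 1:]}
    return None
```

In the sample the mail entered from 198.51.100.77, which claimed to be mail.newsforge.example but had no matching reverse DNS; the two "OSDN" hops below that point are exactly the part of the chain a spammer can write freely.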

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 18:33:03 EDT