[rescue] spam

Curtis H. Wilbar Jr. rescue at hawkmountain.net
Sun Sep 7 14:01:19 CDT 2003 

The real nasty thing about SPAM today as well... is you can not trust
the received headers (at least not past the first line or two that
are inserted by your server(s) (or ISP's server(s)).

The guide I use is that if the Received line doesn't contain extensive
information (like sendmail received lines do), and if the time (with
correction from timezone) is seriously off, or you try connecting to
port 25 along the 'path'... you can get a clue as to which are real
and which are not.

Quite a lot of the spam I do see comes from open proxies... in which
case, any received lines past the first (at last for my mailbox/server)
are all fake (if present) to try to obfuscate their origin and send
spam hunters in the wrong direction.

My favorite one is when I see spam connecting that claims to be
from my IP address (it must be using HELLO with my ip address) is
always using fake received lines... such that when I see that I don't
even look past the first received line.

I've gotten a surprising amount of spam lately out of Comcast, Adelphia,
and a couple of other broadband providers....

-- Curt

>Date: Sun, 7 Sep 2003 19:52:41 +0100
>From: Mike Meredith <mike at blackhairy.demon.co.uk>
>To: The Rescue List <rescue at sunhelp.org>
>Subject: Re: [rescue] spam
>Content-Transfer-Encoding: 7bit
>X-Spam-Score: -2.5 (--)
>X-Scanner: exiscan for exim4 (http://duncanthrax.net/exiscan/) 
*19w4gF-0002U6-OE*deRstD.SKHk*
>
>On Sun, 7 Sep 2003 13:36:52 -0500
>"Jonathan C. Patschke" <jp at celestrion.net> wrote:
>> On Sun, 7 Sep 2003, Mike Nicewonger wrote:
>> > While my comments RE China were generalized and most of my Spam is
>> > received from places like Lebanon, Korea, the USA and Brazil almost
>> > all of the spamvertized web site links the spam points to are hosted
>> > on web servers in China.
>> 
>> That's true.  I've always wondered about that.  Are sleazeballs
>> shipping servers over there, are do they just have a nation of
>> compromised Windows boxes?
>
>Both. If every compromised machine and spammer contract in China was
>fixed/terminated overnight it wouldn't be more than a week before you
>saw as much spam as before.
>
>In fact the spam we're talking about was injected at at least two points
>... an organisation in San Francisco (or based there), and an
>organisation in Michegan. Probably both are broadband ISP's with
>infected Windows client PC's.
>_______________________________________________
>rescue list - http://www.sunhelp.org/mailman/listinfo/rescue


Curtis Wilbar
Hawk Mountain Networks
rescue at hawkmountain . net


My e-mail is protected against viruses and spam by MailGuardian
                  http://www.mailguardian.net
          Top notch protection at unbelievable prices

More information about the rescue mailing list