Jump to content
Sign in to follow this  
petzl

Can a email server be spoofed?

Recommended Posts

Sent this (Brazil spam)

http://www.spamcop.net/sc?id=z5460340157z3...57ac4d0044434az

216.14.119.238 is IP

Reply pretty quick

"This is spoofing. This IP address doesn't ping, and armailer.net is not on our network."

Tested email server myself and it works or worked

http://mxtoolbox.com/SuperTool.aspx?action...a216.14.119.238

Now Brazil spammer has switched to spamming from IP 216.14.118.138

http://mxtoolbox.com/SuperTool.aspx?action...a216.14.118.138

Edited by petzl

Share this post


Link to post
Share on other sites

Not sure who wrote what in your post...

Anyway....

Received: from arm10.armmailer.net (216.14.119.238)

by mxin1.cesmail.net with SMTP;

I can guarantee you that mxin1.cesmail.net accurately records the source IP when it gets email.

Please don't be distracted by the "spoofed" idea. It's impossible to forge the connecting IP used to send mail. Transferring mail requires the sending and receiving servers to send data packets back and forth to establish the connection before the transfer can take place. If the receiving server doesn't have the real IP of the sending server, it will send the data packet to the wrong place and the connection will not be established.

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -

.

Share this post


Link to post
Share on other sites

To expand on what Don said, certain parts of email headers can be spoofed. All of the previous handoffs (further down in the headers) are unverifiable. The hostname that the server reports may or may not actually be its DNS name. Malicious users can add extra or fake info there.

However, the IP that connects to your own mail server has to be real in order for the connection to happen. As your MXToolbox link shows, that IP resolves to that hostname and appears to be a working email server.

As far as I can tell, all the facts support your side, and they're simply saying, "Nuh uh!" If they can dispute the MXToolbox results, then I'll take them seriously.

Share this post


Link to post
Share on other sites

Not sure who wrote what in your post...

Anyway....

Received: from arm10.armmailer.net (216.14.119.238)

by mxin1.cesmail.net with SMTP;

I can guarantee you that mxin1.cesmail.net accurately records the source IP when it gets email.

Please don't be distracted by the "spoofed" idea. It's impossible to forge the connecting IP used to send mail. Transferring mail requires the sending and receiving servers to send data packets back and forth to establish the connection before the transfer can take place. If the receiving server doesn't have the real IP of the sending server, it will send the data packet to the wrong place and the connection will not be established.

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -

.

Thanks Don what I thought (but times can change just checking)

Brazil spammers are going off shore to spam to avoid countrywide block lists

I had a reply from abuse[at]eboundhost.com that

"This is spoofing. This IP address doesn't ping, and armailer.net is not on our network."

I think the abuse desk was confused

"arm10.armmailer.net" is on their network "armailer.net" is not

Share this post


Link to post
Share on other sites

As far as I can tell, all the facts support your side, and they're simply saying, "Nuh uh!" If they can dispute the MXToolbox results, then I'll take them seriously.

Thanks

Yes as Don said SpamCop email headers received by it's servers can't be spoofed

Share this post


Link to post
Share on other sites
...I think the abuse desk was confused

"arm10.armmailer.net" is on their network "armailer.net" is not

Thanks petzl, Don, InvisiBill - that sounds like the explanation. Not reasonable that the abuse desk at eboundhost.com would be ignorant of their network's operational functions or incapable of doing a reverse lookup but I guess that's the best explanation and anyone can have a bad day. Have to say armmailer.net's DNS records are not very helpful (compared to, say, those of spamcop.net) but maybe they like it like that.

Of course you could always take advantage of the handy little facility on the AR Marketing homepage:

NÃO Quero Receber (Opt-Out)

Informe o email para NÃO receber propagandas da AR Marketing ou seus clientes (não válido para newsletters):

Enter your e-mail to express your desire NOT to receive e-mail marketing from AR Marketing or its customers (not valid for newsletters):

No, no, I'm JOKING - of course you know "don't unsubscribe to anything you never subscribed to in the first place." Well, unless you're quite sure "they" already have you down as a confirmed active address and are not going to simply move that to yet another (affiliate) "subscription" list if you do "opt-out". Spammers lie (or hold back the whole truth) and they and their marketing customers are proven spammers (for the benefit of other readers).

An interesting case ...

Share this post


Link to post
Share on other sites

Thanks petzl, Don, InvisiBill - that sounds like the explanation.

[snip]

Of course you could always take advantage of the handy little facility on the AR Marketing homepage:

No, no, I'm JOKING - of course you know "don't unsubscribe to anything you never subscribed to in the first place." Well, unless you're quite sure "they" already have you down as a confirmed active address and are not going to simply move that to yet another (affiliate) "subscription" list if you do "opt-out". Spammers lie (or hold back the whole truth) and they and their marketing customers are proven spammers (for the benefit of other readers).

An interesting case ...

These Brazilian spammers are the worst one's I've seen to unsubscribe from!

Once you do within a week the spam from Brazil escalates considerably.

Not sure if they belong to a chain of spammers sharing address's?

More probably once you "unsubscribe" they sell that email address as confirmed

I don't even speak Brazilian.

Share this post


Link to post
Share on other sites
...I don't even speak Brazilian.

:lol: you should learn (Portuguese) then you can sing along with Joan when you finally get clear of the sods them -

Até amanhã eu me vou, meu amor

Sinto muito, não posso ficar

Terminei é melhor p' ra nós dois

Vou partir e você vai ficar.

Lá la la la, la la lá la lá

So now I am leaving, my love

Sorry, I cannot stay

Finished (it) is better for us both

I will leave and you must stay.

La la la la, la la la la la

(You have to admit the last line is easy at least, não?)

Share this post


Link to post
Share on other sites
I don't even speak Brazilian.

Nor do they, it seems, speak Australian :D

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×