StevenUnderwood

Received_SPF: record within spam

I just received this spam message at work over the weekend.

http://www.spamcop.net/sc?id=z805297624z99...7106e4c25b943fz

One interesting part is the following line where x was equal to the email address the message was sent to.

Received_SPF:  pass (go.com: domain of x designates 222.136.135.217 as permitted sender)

It seems to be saying that my domain is allowing this host to send messages to us. I have no SPF records because XO has not implemented the capability of inserting text into our records (we control the DNS entries via a web interface). My last request to modify it was met with dumbfounded silence. Anyone more up on SPF who can confirm why that line is there? Or is this another case of the spammers being more compliant with new anti-spam measures than common folk?


Does any other email you get via Postini to that email address contain a "Received_SPF" Header Line? If not (a significant possibility from my POV), then the symptom is of spammer FUD. If so, Postini is misstating "domain of x does not designate 222.136.135.217 as a blocked sender" as "domain of x designates 222.136.135.217 as permitted sender".

> Does any other email you get via Postini to that email address contain a "Received_SPF" Header Line?

No, that line was not put there by Postini. That is what I figured.

> No, that line was not put there by Postini. That is what I figured.

The spam was sent from a machine at IP 222.136.135.217, part of the CNC Group-Henan province network. It forges headers to look like it came through gmail forwarding mail from a go.com account (go.com is owned by Disney and has a bad history of being abused by spammers). The Received_SPF is just another forged header; go.com does not use SPF. Most likely the domain her0es.net (the spamvertised domain) is operated by Leo Kuvayev (currently #2 at Spamhaus); it uses a set of registration records he has used on dozens of other domains. It is mortgage spam, so if he is following the pattern, there exists a nearly identical domain named her0es.com, which was likely registered within seconds of this one but not yet used.

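The thread's conclusion is that a Received-SPF line is only meaningful when your own inbound MTA wrote it, and that a "pass" for a domain that publishes no SPF record cannot be genuine. The following script, added here as an illustration and not code from the thread or from SpamCop, makes that check mechanical: it parses the header, looks the sender domain's SPF record up in a constructed offline table (a stand-in for DNS TXT queries), evaluates only ip4:/ip6:/all mechanisms (include, a, mx and redirect are assumed out of scope), and flags the header when the checking host is not ours or the claimed result does not match the published policy. The domains and addresses other than 222.136.135.217 are constructed placeholders.

```python
import re
import ipaddress

# Constructed sample mirroring the forged line quoted in the thread, with a
# placeholder recipient in place of the real address.
FORGED_HEADER = ("Received-SPF: pass (go.com: domain of user@example.com "
                 "designates 222.136.135.217 as permitted sender)")

# Constructed stand-in for DNS TXT lookups so the script runs offline.
# example.com publishes nothing, like the poster's domain; the other is assumed.
FAKE_DNS_TXT = {
    "example.com": [],
    "spf-publisher.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
}

# Accepts both "Received-SPF" (the real header name) and the thread's "Received_SPF".
HEADER_RE = re.compile(
    r"Received[-_]SPF:\s*(?P<result>\w+)\s*\((?P<checker>[^:]+):\s*domain of\s*"
    r"(?P<sender>\S+)\s+(?P<claim>.*?)\s+(?P<ip>[\d.]+)", re.IGNORECASE)

def parse_received_spf(line):
    """Extract result, checking host, sender domain and client IP from the header."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    domain = m.group("sender").rsplit("@", 1)[-1].lower()
    return {"result": m.group("result").lower(), "checker": m.group("checker").strip(),
            "domain": domain, "ip": m.group("ip")}

def evaluate_spf(domain, ip, txt_lookup=FAKE_DNS_TXT):
    """Minimal SPF evaluation: ip4:/ip6: mechanisms and a trailing 'all' only."""
    records = [r for r in txt_lookup.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return "none"          # no published record: the only honest result is "none"
    client = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
        if term.lower() == "all":
            return verdict
        if term.lower().startswith(("ip4:", "ip6:")):
            if client in ipaddress.ip_network(term.split(":", 1)[1], strict=False):
                return verdict
    return "neutral"           # ran off the end of the record without a match

def header_is_plausible(line, trusted_checker, txt_lookup=FAKE_DNS_TXT):
    """True only if our own MTA wrote the line AND its verdict matches the policy."""
    h = parse_received_spf(line)
    if h is None or h["checker"].lower() != trusted_checker.lower():
        return False           # written by someone else: treat as untrusted/forged
    return evaluate_spf(h["domain"], h["ip"], txt_lookup) == h["result"]
```

Run against the forged line with your own MTA name as `trusted_checker`, the function returns False twice over: the header claims to come from go.com rather than your mail host, and the domain has no record to yield "pass".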
