
Can an email server be spoofed?


petzl

Sent this (Brazil spam)

http://www.spamcop.net/sc?id=z5460340157z3...57ac4d0044434az

216.14.119.238 is IP

Reply pretty quick

"This is spoofing. This IP address doesn't ping, and armailer.net is not on our network."

Tested email server myself and it works or worked

http://mxtoolbox.com/SuperTool.aspx?action...a216.14.119.238

Now Brazil spammer has switched to spamming from IP 216.14.118.138

http://mxtoolbox.com/SuperTool.aspx?action...a216.14.118.138

Edited by petzl

Not sure who wrote what in your post...

Anyway....

Received: from arm10.armmailer.net (216.14.119.238)

by mxin1.cesmail.net with SMTP;

I can guarantee you that mxin1.cesmail.net accurately records the source IP when it gets email.

Please don't be distracted by the "spoofed" idea. It's impossible to forge the connecting IP used to send mail. Transferring mail requires the sending and receiving servers to send data packets back and forth to establish the connection before the transfer can take place. If the receiving server doesn't have the real IP of the sending server, it will send the data packet to the wrong place and the connection will not be established.

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -


To expand on what Don said, certain parts of email headers can be spoofed. All of the previous handoffs (further down in the headers) are unverifiable. The hostname that the server reports may or may not actually be its DNS name. Malicious users can add extra or fake info there.

However, the IP that connects to your own mail server has to be real in order for the connection to happen. As your MXToolbox link shows, that IP resolves to that hostname and appears to be a working email server.

As far as I can tell, all the facts support your side, and they're simply saying, "Nuh uh!" If they can dispute the MXToolbox results, then I'll take them seriously.

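Added example, not part of the original thread: a Python sketch of the trust rule the two replies above describe, where only the `Received` line stamped by your own server carries a verified connecting IP and every hop below it is sender-supplied. The trusted names, the empty relay list and the two lower `Received` lines are assumptions constructed for illustration; only the top header comes from the thread.

```python
import email
import re

# Assumptions for this example: our inbound MX name and internal relay IPs.
TRUSTED_BY = {"mxin1.cesmail.net"}
TRUSTED_RELAY_IPS = set()   # IPs of our own relays, if mail hops between them

# Constructed message. The top Received line is the one quoted in the thread;
# the two below it are invented to show what a sender can prepend.
SAMPLE = (
    "Received: from arm10.armmailer.net (216.14.119.238)\n"
    "\tby mxin1.cesmail.net with SMTP; Mon, 01 Jan 2024 00:00:00 +0000\n"
    "Received: from trusted.example (192.0.2.10)\n"
    "\tby mxin1.cesmail.net with SMTP; Mon, 01 Jan 2024 00:00:00 +0000\n"
    "Received: from pc.example (198.51.100.7)\n"
    "\tby arm10.armmailer.net with ESMTP; Mon, 01 Jan 2024 00:00:00 +0000\n"
    "Subject: constructed sample\n\nbody\n"
)

HOP = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+([^\s;]+)", re.I)
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def classify_hops(raw):
    """Return (source_ip, hops) with each hop marked verified or unverifiable."""
    hops, source_ip, trusted_chain = [], None, True
    # get_all() yields Received headers newest (top) first.
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        helo, paren, by = m.groups() if m else (None, "", None)
        ip = IPV4.search(paren)
        ip = ip.group() if ip else None
        # A "by" name alone proves nothing: the hop must also sit on an
        # unbroken chain of our own servers starting from the top header.
        ok = trusted_chain and by is not None and by.lower() in TRUSTED_BY
        hops.append({"helo": helo, "ip": ip, "by": by,
                     "status": "verified" if ok else "unverifiable"})
        if ok:
            source_ip = ip
        # The chain stays trusted only while the peer was one of our relays.
        trusted_chain = ok and ip in TRUSTED_RELAY_IPS
    return source_ip, hops

if __name__ == "__main__":
    src, hops = classify_hops(SAMPLE)
    print("report this IP:", src)
    for h in hops:
        print(h["status"], h["helo"], h["ip"], "by", h["by"])
```

The second header names the trusted MX in its `by` clause but is still marked unverifiable, because the hop above it was received from an outside IP.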

Not sure who wrote what in your post...

Anyway....

Received: from arm10.armmailer.net (216.14.119.238)

by mxin1.cesmail.net with SMTP;

I can guarantee you that mxin1.cesmail.net accurately records the source IP when it gets email.

Please don't be distracted by the "spoofed" idea. It's impossible to forge the connecting IP used to send mail. Transferring mail requires the sending and receiving servers to send data packets back and forth to establish the connection before the transfer can take place. If the receiving server doesn't have the real IP of the sending server, it will send the data packet to the wrong place and the connection will not be established.

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -


Thanks Don, what I thought (but times can change, just checking)

Brazil spammers are going offshore to spam to avoid countrywide block lists

I had a reply from abuse[at]eboundhost.com that

"This is spoofing. This IP address doesn't ping, and armailer.net is not on our network."

I think the abuse desk was confused

"arm10.armmailer.net" is on their network, "armailer.net" is not


As far as I can tell, all the facts support your side, and they're simply saying, "Nuh uh!" If they can dispute the MXToolbox results, then I'll take them seriously.

Thanks

Yes, as Don said, SpamCop email headers received by its servers can't be spoofed


...I think the abuse desk was confused

"arm10.armmailer.net" is on their network, "armailer.net" is not

Thanks petzl, Don, InvisiBill - that sounds like the explanation. Not reasonable that the abuse desk at eboundhost.com would be ignorant of their network's operational functions or incapable of doing a reverse lookup but I guess that's the best explanation and anyone can have a bad day. Have to say armmailer.net's DNS records are not very helpful (compared to, say, those of spamcop.net) but maybe they like it like that.

Of course you could always take advantage of the handy little facility on the AR Marketing homepage:

NÃO Quero Receber (Opt-Out)

Informe o email para NÃO receber propagandas da AR Marketing ou seus clientes (não válido para newsletters):

Enter your e-mail to express your desire NOT to receive e-mail marketing from AR Marketing or its customers (not valid for newsletters):

No, no, I'm JOKING - of course you know "don't unsubscribe to anything you never subscribed to in the first place." Well, unless you're quite sure "they" already have you down as a confirmed active address and are not going to simply move that to yet another (affiliate) "subscription" list if you do "opt-out". Spammers lie (or hold back the whole truth) and they and their marketing customers are proven spammers (for the benefit of other readers).

An interesting case ...


Thanks petzl, Don, InvisiBill - that sounds like the explanation.

[snip]

Of course you could always take advantage of the handy little facility on the AR Marketing homepage:

No, no, I'm JOKING - of course you know "don't unsubscribe to anything you never subscribed to in the first place." Well, unless you're quite sure "they" already have you down as a confirmed active address and are not going to simply move that to yet another (affiliate) "subscription" list if you do "opt-out". Spammers lie (or hold back the whole truth) and they and their marketing customers are proven spammers (for the benefit of other readers).

An interesting case ...

These Brazilian spammers are the worst ones I've seen to unsubscribe from!

Once you do, within a week the spam from Brazil escalates considerably.

Not sure if they belong to a chain of spammers sharing addresses?

More probably once you "unsubscribe" they sell that email address as confirmed

I don't even speak Brazilian.


...I don't even speak Brazilian.

:lol: you should learn (Portuguese) then you can sing along with Joan when you finally get clear of the sods them -

Até amanhã eu me vou, meu amor

Sinto muito, não posso ficar

Terminei é melhor p' ra nós dois

Vou partir e você vai ficar.

Lá la la la, la la lá la lá

So now I am leaving, my love

Sorry, I cannot stay

Finished (it) is better for us both

I will leave and you must stay.

La la la la, la la la la la

(You have to admit the last line is easy at least, não?)
