
Spammers using real headers.


Pizza_the_Hut


<_< Hmmm, I wonder how those spammers do that.

In my opinion, every mail starts somewhere. And this starting point can't be something else than the real point where the email starts. In other words, the mail has to be sent from somewhere and this will always be the real source, spam or not spam.

I mean, every mail that is sent goes through different MXs on the internet, but even if the originating host announces itself to be a different host than it really is, this simply can't be faked because the receiving host clearly identifies the sending host's IP address, right?

Can somebody explain to me how this can NOT be the host where the mail actually has been sent from? I cannot figure out how this ever should or could be done.

Pizza.


...Well, I am not an internet host expert (nor do I even play one on TV) but it seems to me that if I were a spammer:

  • and I or an accomplice had control of a server other than the one my spam originates from, then I can use that second server to eliminate the information that points to the true source of my spam.
  • I were sending my spew through a zombied machine, then the true source of my spam would not be easy to discover.
  • I could just sign up for a free internet e-mail account, use it to send spam, then just switch to another free internet e-mail account when that one was shut down for AUP violation.


> ...Well, I am not an internet host expert (nor do I even play one on TV) but it seems to me that if I were a spammer:
>   • and I or an accomplice had control of a server other than the one my spam originates from, then I can use that second server to eliminate the information that points to the true source of my spam.

I think the administrator of this abused host should be alerted a.s.a.p. and, although the source of the spam is not his work, he IS responsible for his MX and so he should try to eliminate the risk of being abused.

>   • I were sending my spew through a zombied machine, then the true source of my spam would not be easy to discover.

Please explain to me what a "zombied machine" is? This term is new to me. Is it some sort of host that's been left for "dead" on the internet and some hacker/spammer brought it back to life?

>   • I could just sign up for a free internet e-mail account, use it to send spam, then just switch to another free internet e-mail account when that one was shut down for AUP violation.

Ok, but is it not true in this case that the sending host still is the real sending host and not a fake? The way I read it was clearly telling that some part in the mail header led to a host without being indicated as being forged while this host was not the real sending party. I still cannot figure this out.

Edited by Jeff G. to correct quoting and therefore the attribution.


Nothing to do with MailHost configuration of a reporting account, not a reporting issue per se ... moved to the Lounge.

Technically, I'm not really sure what's being asked for. Put plainly, if "Internet" resources were being used respectfully, as was envisioned back in the day when all the original philosophies, software, hardware, and protocols were developed, then yes, e-mail would start 'here' .. end up 'there' ... and the path taken would be 'self-documenting' ... however, the real world is quite a bit different. Software gets installed incorrectly, systems get compromised, software gets hacked, lowlife scum are out there trying to take advantage of / exploit any natural/manufactured flaw that can be found.

The SpamCop / Forum FAQ holds a number of entries on some of this. The Glossary here (as a link from the FAQ here) has some terminology and other links offered up, there are many search engines available, Google being one of the most used these days. There's even a lot of this stuff addressed in other Topics/Discussions found just in this Forum structure itself.


> turetzsr @ Jun 30 2005, 05:42 PM wrote:
> > ...Well, I am not an internet host expert (nor do I even play one on TV) but it seems to me that if I were a spammer:
> >   • and I or an accomplice had control of a server other than the one my spam originates from, then I can use that second server to eliminate the information that points to the true source of my spam.
>
> I think the administrator of this abused host should be alerted a.s.a.p. and, although the source of the spam is not his work, he IS responsible for his MX and so he should try to eliminate the risk of being abused.

...My hypothesis was that the admin of this host is either the spammer him/herself or someone in cahoots with the spammer.

> turetzsr @ Jun 30 2005, 05:42 PM wrote:
> >   • I were sending my spew through a zombied machine, then the true source of my spam would not be easy to discover.
>
> Please explain to me what a "zombied machine" is? <snip>

...See Wikipedia definition.

> turetzsr @ Jun 30 2005, 05:42 PM wrote:
> >   • I could just sign up for a free internet e-mail account, use it to send spam, then just switch to another free internet e-mail account when that one was shut down for AUP violation.
>
> Ok, but is it not true in this case that the sending host still is the real sending host and not a fake? The way I read it was clearly telling that some part in the mail header led to a host without being indicated as being forged while this host was not the real sending party. I still cannot figure this out.

...For some reason (my fault, I'm sure), I can't understand what you're saying here. Perhaps someone else can interpret...?

Spammers frequently add forged Received: lines to the headers of the messages that they send. SpamCop, especially when used with the MailHost feature, can usually tell the difference between the forged and the genuine Received: lines.

You are right that once the message has left the control of the spammer, he has no influence over what headers (and in particular Received: lines) are added. Therefore the genuine Received: lines will normally allow you to trace the message back to the machine where the spam originated. However, not all mail-handling machines on the Internet add headers properly and reliably. Furthermore, some mail-handling software (for example, virus scanners) sometimes modifies headers. Because of such problems, you will not always be able to determine the originating machine from the headers. While you can identify the sending machine in most cases based on the Received: line inserted by the receiving machine, this will not be true in all cases.

The machine where the spam originated will most often be a zombie, that is, a computer that, after being compromised by a hacker or a virus, is remotely controlled by the spammer. In other cases, the sending machine belongs to a provider that offers free accounts, free trial accounts, or accounts for which the spammer "paid" with stolen credit card information. In some cases, you also see spam originating from machines directly operated by the spammer, usually in conjunction with an irresponsible service provider.
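An added example (not code from any poster in this thread) showing the trace-back logic the reply above describes: the receiver believes only the Received: lines written by its own hosts, walks them newest-first, and stops at the first hop that came from outside, so any lines below that point, forged or not, are never consulted. The host names, addresses and sample headers are constructed.

```python
import re
from email import message_from_string

# Hosts whose Received: lines we can vouch for because we run them.
# Constructed for this example; populate from your own mail setup.
TRUSTED_HOSTS = {"mx.example.org", "mail.example.net"}

# Constructed sample. Top line is newest (added by our MX). The bottom line
# was written by the sender and is forged: it even claims our MX wrote it.
SAMPLE_MESSAGE = """\
Received: from mail.example.net (mail.example.net [198.51.100.7])
\tby mx.example.org with ESMTP id abc123; Thu, 30 Jun 2005 17:42:00 +0000
Received: from relay.example.com (unknown [203.0.113.9])
\tby mail.example.net with SMTP; Thu, 30 Jun 2005 17:41:50 +0000
Received: from innocent.example (innocent.example [192.0.2.77])
\tby mx.example.org with ESMTP; Thu, 30 Jun 2005 17:41:40 +0000
From: someone@example.com
Subject: constructed sample

body
"""

HOP_RE = re.compile(
    r"from\s+\S+\s*\((\S*)\s*\[([0-9a-fA-F.:]+)\]\)\s+by\s+([\w.-]+)")

def parse_received(value):
    """Return (sender_rdns, sender_ip, receiving_host) for one Received:
    line, or None when the line lacks those parts (some relays write odd
    or incomplete lines, so callers must cope with None)."""
    m = HOP_RE.match(" ".join(value.split()))   # unfold continuation lines
    return (m.group(1).lower(), m.group(2), m.group(3).lower()) if m else None

def originating_ip(raw_message, trusted=TRUSTED_HOSTS):
    """Walk Received: lines newest-first. A line was written by its 'by'
    host, so it is believed only while that host is one of ours. The first
    hop whose sender is not ours is the best evidence of the origin; lines
    below it were written by outsiders and may be forged."""
    for value in message_from_string(raw_message).get_all("Received", []):
        hop = parse_received(value)
        if hop is None:
            return None                     # cannot parse at the boundary
        sender_rdns, sender_ip, receiver = hop
        if receiver not in trusted:
            return None                     # chain of trust already broken
        if sender_rdns not in trusted:
            return sender_ip                # first hop from outside
    return None                             # message never left our hosts
```

For the sample, the result is 203.0.113.9; the forged bottom line naming 192.0.2.77 is never reached, which is the same reason it cannot mislead the walk even though it claims to have been written by our own MX.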
