
Received_SPF: record within spam


StevenUnderwood


I just received this spam message at work over the weekend.

http://www.spamcop.net/sc?id=z805297624z99...7106e4c25b943fz

One interesting part is the following line where x was equal to the email address the message was sent to.

Received_SPF:  pass (go.com: domain of x designates 222.136.135.217 as permitted sender)
It seems to be saying that my domain is allowing this host to send messages to us. I have no SPF records because XO has not implemented the capability of inserting text into our records (we control the DNS entries via a web interface). My last request to modify it was met with dumfounded silence. Anyone more up on SPF that can confirm why that line is there? Or is this another case of the spammers being more compliant with new anti-spam measures than common folk?

Does any other email you get via Postini to that email address contain a "Received_SPF" Header Line? If not (a significant possibility from my POV), then the symptom is of spammer FUD. If so, Postini is misstating "domain of x does not designate 222.136.135.217 as a blocked sender" as "domain of x designates 222.136.135.217 as permitted sender".


No, that line was not put there by Postini.  That is what I figured.


The spam was sent from a machine at IP 222.136.135.217, part of the CNC Group-Henan province network. It forges headers to look like it came through gmail forwarding mail from a go.com account (go.com is owned by Disney and has a bad history of being abused by spammers). The Received_SPF is just another forged header - go.com does not use SPF. Most likely the domain her0es.net (the spamvertised domain) is operated by Leo Kuvayev (currently #2 at Spamhaus) - it uses a set of registration records he has used on dozens of other domains. It is mortgage spam, so if he is following pattern, there exists a nearly identical domain named her0es.com, which was likely registered within seconds of this one, but not yet used.

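A check for the situation discussed in this thread, added here as an example and not posted by any participant: it reports SPF verdict headers that sit below the Received line stamped by your own inbound mail server, since anything below that line arrived with the message and can be forged. The host name `mx.example.net`, the function name and the sample message are constructed assumptions.

```python
import email
import re

# Header names that carry an authentication verdict. The message in this thread
# spells the field "Received_SPF"; the standard field name is "Received-SPF".
VERDICT_HEADERS = {"received-spf", "received_spf", "authentication-results"}

# Constructed sample: the top two headers are what the receiving server
# (hypothetical mx.example.net) would add; everything below came from the sender.
SAMPLE = """\
Received-SPF: none (mx.example.net: go.com does not designate permitted sender hosts)
Received: from unknown (222.136.135.217) by mx.example.net; Sat, 1 Jan 2005 00:00:00 +0000
Received_SPF: pass (go.com: domain of x designates 222.136.135.217 as permitted sender)
Received: from relay.invalid by forwarder.invalid; Sat, 1 Jan 2005 00:00:00 +0000
From: x
To: x
Subject: constructed sample

body
"""

def untrusted_verdicts(raw, edge_mta):
    """Return (name, value) for verdict headers not added by our edge MTA.

    Headers are prepended in transit, so the first Received header from the
    top that is stamped "by <edge_mta>" marks the trust boundary. Verdict
    headers below it were supplied by the sending side. If no such Received
    header exists, no verdict header in the message can be trusted.
    """
    msg = email.message_from_string(raw)
    stamp = re.compile(r"\bby\s+" + re.escape(edge_mta) + r"(?![\w.-])", re.I)
    above, below, crossed = [], [], False
    for name, value in msg.items():
        key = name.lower()
        if key == "received" and not crossed and stamp.search(value):
            crossed = True  # everything after this line is sender-controlled
        elif key in VERDICT_HEADERS:
            # Collapse folded header whitespace before reporting the value.
            (below if crossed else above).append((name, " ".join(value.split())))
    return below if crossed else above

if __name__ == "__main__":
    for name, value in untrusted_verdicts(SAMPLE, "mx.example.net"):
        print(f"do not trust: {name}: {value}")
```
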

Archived

This topic is now archived and is closed to further replies.
