StevenUnderwood Posted September 12, 2005
I just received this spam message at work over the weekend. http://www.spamcop.net/sc?id=z805297624z99...7106e4c25b943fz
One interesting part is the following line, where x was equal to the email address the message was sent to:
Received_SPF: pass (go.com: domain of x designates 222.136.135.217 as permitted sender)
It seems to be saying that my domain is allowing this host to send messages to us. I have no SPF records because XO has not implemented the capability of inserting text into our records (we control the DNS entries via a web interface). My last request to modify it was met with dumbfounded silence. Anyone more up on SPF who can confirm why that line is there? Or is this another case of the spammers being more compliant with new anti-spam measures than common folk?
Jeff G. Posted September 12, 2005
Does any other email you get via Postini to that email address contain a "Received_SPF" Header Line? If not (a significant possibility from my POV), then the symptom is of spammer FUD. If so, Postini is misstating "domain of x does not designate 222.136.135.217 as a blocked sender" as "domain of x designates 222.136.135.217 as permitted sender".
StevenUnderwood (Author) Posted September 12, 2005
Quoting Jeff G.: "Does any other email you get via Postini to that email address contain a "Received_SPF" Header Line?"
No, that line was not put there by Postini. That is what I figured.
get-even Posted September 12, 2005
Quoting StevenUnderwood: "No, that line was not put there by Postini. That is what I figured."
The spam was sent from a machine at IP 222.136.135.217, part of the CNC Group-Henan province network. It forges headers to look like it came through gmail forwarding mail from a go.com account (go.com is owned by Disney and has a bad history of being abused by spammers). The Received_SPF is just another forged header; go.com does not use SPF. Most likely the domain her0es.net (the spamvertised domain) is operated by Leo Kuvayev (currently #2 at Spamhaus); it uses a set of registration records he has used on dozens of other domains. It is mortgage spam, so if he is following pattern, there exists a nearly identical domain named her0es.com, which was likely registered within seconds of this one, but not yet used.
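The forged "pass" in this thread illustrates the general rule that a Received-SPF header is only meaningful if your own boundary MTA wrote it; anything below your MTA's Received line arrived from the sender. The following is an added example (not code from the thread or from Postini/SpamCop) that parses Received-SPF claims in the RFC 7208 "result (comment) key=value;" layout and marks a claim trusted only when it sits above every foreign Received hop and its receiver= field names our MTA; the MTA name mx.example.net and both header samples are constructed assumptions.

```python
import re

TRUSTED_MTA = "mx.example.net"  # assumption: hostname our own boundary MTA writes after "by"
# Constructed samples modelled on the thread. In FORGED the topmost Received is ours; the lines
# below it, including the Received-SPF "pass", were written by the sender. In GENUINE our MTA wrote it.
FORGED = """\
Received: from unknown (HELO gmail.com) [222.136.135.217] by mx.example.net with SMTP; Mon, 12 Sep 2005 01:02:03 -0400
Received: from go.com (go.com [10.9.8.7]) by gmail.com with ESMTP; Mon, 12 Sep 2005 01:01:00 -0400
Received-SPF: pass (go.com: domain of user@go.com designates 222.136.135.217 as permitted sender)
From: user@go.com
"""
GENUINE = """\
Received-SPF: fail (mx.example.net: domain of user@go.com does not designate 222.136.135.217 as permitted sender) receiver=mx.example.net; client-ip=222.136.135.217
Received: from unknown (HELO gmail.com) [222.136.135.217] by mx.example.net with SMTP; Mon, 12 Sep 2005 01:02:03 -0400
From: user@go.com
"""

def unfold(raw):
    """Split raw headers into (name, value) pairs, joining folded continuation lines."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields

def parse_received_spf(value):
    """Parse 'result (comment) key=value; key=value' as laid out in RFC 7208 section 9.1."""
    m = re.match(r"\s*(\w+)\s*(?:\((.*?)\))?\s*(.*)", value, re.S)
    out = {"result": m.group(1).lower(), "comment": m.group(2) or ""}
    for kv in re.finditer(r"([\w-]+)=([^;]+)", m.group(3)):
        out[kv.group(1).lower()] = kv.group(2).strip()
    return out

def classify_spf(raw, trusted_mta=TRUSTED_MTA):
    """Return each Received-SPF claim with trusted=True only if it sits above every Received line
    not written by our MTA and its receiver= names our MTA; anything else is sender-supplied."""
    foreign_hop_seen, claims = False, []
    for name, value in unfold(raw):
        lname = name.lower().replace("_", "-")   # the thread shows the name as Received_SPF
        if lname == "received":
            foreign_hop_seen |= f"by {trusted_mta}" not in value
        elif lname == "received-spf":
            parsed = parse_received_spf(value)
            parsed["trusted"] = (not foreign_hop_seen) and parsed.get("receiver") == trusted_mta
            claims.append(parsed)
    return claims
```

Run `classify_spf(FORGED)` and `classify_spf(GENUINE)` to see the forged "pass" come back untrusted while our own "fail" is trusted.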