Jump to content

SPAM with faked SMTP entry


BoMbY

Recommended Posts

Posted

Hello,

i've just received a spam message, with a faked SMTP header entry:

Received: from unknown (HELO mohamand) (213.6.1.75)
  by uhweb150XX.united-hoster.com with SMTP; 25 Nov 2006 22:23:13 +0100
Received: from 195.154.194.202 (HELO mx2.magic.fr)
	 by x.de with esmtp (0T*7Y0,8T1+) 5448M)
	 id N1J5XA-KY>+R;-A0
	 for x[at]x.de; Sat, 25 Nov 2006 21:22:52 -0120

The first entry is the correct SMTP header entry from my mail server. The second one is completely faked. (x[at]x.de is the mail address where the spam was send to, and x.de is the correct hostname). The from-IP-address which was used, seems to be chosen from the spammer (maybe randomly).

The problem is: The SpamCop parser (and maybe others) takes this faked SMTP entry for real and blame the wrong target.

Is there a way to avoid this, or maybe to build in a workaround for something like this in SpamCop?

Thanks and Regards,

BoMbY

Edit: PS: Maybe it's possible to verify the whole way through the SMTP servers (by matching the "from IP" of every entry with the "by IP" from the entry before)?

Posted

It would help if you would parse the message and cancel the reports and then post the Tracking URL. If SpamCop is actually showing forged headers as the source of the spam, then it needs to be reported to the Deputies, but they will need a Tracking URL to confirm what is going on.

Posted
It would help if you would parse the message and cancel the reports and then post the Tracking URL. If SpamCop is actually showing forged headers as the source of the spam, then it needs to be reported to the Deputies, but they will need a Tracking URL to confirm what is going on.

it does not show, however - it is not cleaned up - thus revieling reporters identity which is in that fake header, dbiel.

Posted
it does not show, however - it is not cleaned up - thus revieling reporters identity which is in that fake header, dbiel.

??? not a clue what you're talking about .. original post has no e-mail address data.

Tracking URL possibly? What do you suggest to that user for the actual header block to be seen, along with the parser decision data points?

Posting random thoughts doesn't really help anyone.

Lack of follow-up by the original poster doesn't help much either.

Posted
??? not a clue what you're talking about .. original post has no e-mail address data.

Tracking URL possibly? What do you suggest to that user for the actual header block to be seen, along with the parser decision data points?

Posting random thoughts doesn't really help anyone.

Lack of follow-up by the original poster doesn't help much either.

okay, be it random. Just a guess...

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...