Jump to content

SPAM with faked SMTP entry


BoMbY
 Share

Recommended Posts

Hello,

i've just received a spam message, with a faked SMTP header entry:

Received: from unknown (HELO mohamand) (213.6.1.75)
  by uhweb150XX.united-hoster.com with SMTP; 25 Nov 2006 22:23:13 +0100
Received: from 195.154.194.202 (HELO mx2.magic.fr)
	 by x.de with esmtp (0T*7Y0,8T1+) 5448M)
	 id N1J5XA-KY>+R;-A0
	 for x[at]x.de; Sat, 25 Nov 2006 21:22:52 -0120

The first entry is the correct SMTP header entry from my mail server. The second one is completely faked. (x[at]x.de is the mail address where the spam was send to, and x.de is the correct hostname). The from-IP-address which was used, seems to be chosen from the spammer (maybe randomly).

The problem is: The SpamCop parser (and maybe others) takes this faked SMTP entry for real and blame the wrong target.

Is there a way to avoid this, or maybe to build in a workaround for something like this in SpamCop?

Thanks and Regards,

BoMbY

Edit: PS: Maybe it's possible to verify the whole way through the SMTP servers (by matching the "from IP" of every entry with the "by IP" from the entry before)?

Edited by BoMbY
Link to comment
Share on other sites

It would help if you would parse the message and cancel the reports and then post the Tracking URL. If SpamCop is actually showing forged headers as the source of the spam, then it needs to be reported to the Deputies, but they will need a Tracking URL to confirm what is going on.

Link to comment
Share on other sites

It would help if you would parse the message and cancel the reports and then post the Tracking URL. If SpamCop is actually showing forged headers as the source of the spam, then it needs to be reported to the Deputies, but they will need a Tracking URL to confirm what is going on.

it does not show, however - it is not cleaned up - thus revieling reporters identity which is in that fake header, dbiel.

Link to comment
Share on other sites

it does not show, however - it is not cleaned up - thus revieling reporters identity which is in that fake header, dbiel.

??? not a clue what you're talking about .. original post has no e-mail address data.

Tracking URL possibly? What do you suggest to that user for the actual header block to be seen, along with the parser decision data points?

Posting random thoughts doesn't really help anyone.

Lack of follow-up by the original poster doesn't help much either.

Link to comment
Share on other sites

??? not a clue what you're talking about .. original post has no e-mail address data.

Tracking URL possibly? What do you suggest to that user for the actual header block to be seen, along with the parser decision data points?

Posting random thoughts doesn't really help anyone.

Lack of follow-up by the original poster doesn't help much either.

okay, be it random. Just a guess...

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...