Posted to users@spamassassin.apache.org by Jim Hermann - UUN Hostmaster <ho...@uuism.net> on 2006/06/26 05:45:07 UTC

Examples of Received Headers

Here are examples of the Received Headers for the type of spam that are
being sent with forged email addresses for a domain that I host.  These are
the last 10 bounced messages that I received, so it is fairly
representative.

Granted, 3 out of 10 messages originated in Romania.  However, 3 out of 10
messages originated in the US.  I am looking at the first (bottom) Received
Header in each case.  I send complaints to the abuse email address listed in
the WHOIS record for this IP Address.

Do you think that these are victims of some sort that their ISP would want
to help?

Jim

BTW, notice that the HELO signatures have an identifying characteristic:
ljxr.pzt mclbfk.wdui zsgnwd.zctjrq tmoju.zxlvfn sq.ywima sejah.nehj btm.ssp
ggav monmib yo.iszxuj - They look randomized to me.

Received: from p7143-ipbf1101marunouchi.tokyo.ocn.ne.jp
(p7143-ipbf1101marunouchi.tokyo.ocn.ne.jp [124.101.228.143])
	by ms18.hinet.net (8.8.8/8.8.8) with SMTP id JAA13691
	for <ga...@ms18.hinet.net>; Mon, 26 Jun 2006 09:33:54 +0800 (CST)
Received: (qmail 10158 invoked from network); Mon, 26 Jun 2006 10:33:43
+0900
Received: from unknown (HELO ljxr.pzt) (124.101.173.135)
	by p7143-ipbf1101marunouchi.tokyo.ocn.ne.jp with SMTP; Mon, 26 Jun
2006 10:33:43 +0900

Received: from Unknown [85.186.176.196] by mailgateway - SurfControl E-mail
Filter (5.0.1); Sat, 24 Jun 2006 14:42:32 -0400
Received: from [85.186.170.61] (helo=mclbfk.wdui)
	by intesrl.b.astral.ro with smtp (Exim 4.43)
	id 1FuD5L-0002Zo-En; Sat, 24 Jun 2006 21:42:23 +0300

Received: from smtp.4sir.com ([192.168.1.5]) by DC01.FAVUS.Local with
Microsoft SMTPSVC(6.0.3790.1830);
	 Sat, 24 Jun 2006 23:31:43 +0100
Received: from pool-71-114-71-136.washdc.dsl-w.verizon.net ([71.114.71.136])
by smtp.4sir.com with Microsoft SMTPSVC(6.0.3790.1830);
	 Sat, 24 Jun 2006 23:33:21 +0100
Received: from [71.114.98.170] (helo=zsgnwd.zctjrq)
	by pool-71-114-71-136.washdc.dsl-w.verizon.net with smtp (Exim 4.43)
	id 1FuGgL-0005kC-Ii; Sat, 24 Jun 2006 18:32:49 -0400

Received: from mx11.singnet.com.sg (mx11.singnet.com.sg [165.21.74.121])
	by oxygen.singnet.com.sg (8.13.6/8.13.6) with ESMTP id
k5ONX3ho031563
	for <aw...@pop3.singnet.com.sg>; Sun, 25 Jun 2006 07:33:03 +0800
Received: from host115-247-static.73-81-b.business.telecomitalia.it
(host115-247-static.73-81-b.business.telecomitalia.it [81.73.247.115])
	by mx11.singnet.com.sg (8.13.6/8.13.6) with SMTP id k5ONWqkY002113
	for <aw...@singnet.com.sg>; Sun, 25 Jun 2006 07:32:55 +0800
Received: (qmail 23527 invoked from network); Sun, 25 Jun 2006 01:42:22
+0200
Received: from unknown (HELO tmoju.zxlvfn) (81.73.95.50)
	by host115-247-static.73-81-b.business.telecomitalia.it with SMTP;
Sun, 25 Jun 2006 01:42:22 +0200

Received: (qmail 26787 invoked from network); 25 Jun 2006 00:33:52 -0000
Received: from unknown (HELO qsmtp-mx-06) ([192.168.220.21])
          (envelope-sender <tr...@fuusalbany.org>)
          by 0 (qmail-ldap-1.03) with SMTP
          for <cr...@arnet.com.ar>; 25 Jun 2006 00:33:52 -0000
Received: from unknown (HELO pool-71-114-71-136.washdc.dsl-w.verizon.net)
(71.114.71.136)
  by qsmtp-mx-06.arnet.net.ar with SMTP; 25 Jun 2006 00:31:32 -0000
Received: from sq.ywima ([71.114.122.226])
	by pool-71-114-71-136.washdc.dsl-w.verizon.net (8.13.2/8.13.2) with
SMTP id k5P0cKSJ019453;
	Sat, 24 Jun 2006 20:38:20 -0400

Received: (qmail 392 invoked by uid 509); 18 Jun 2006 02:41:33 -0000
Received: from 24.8.155.205 by unimed.mail (envelope-from
<fu...@fuusalbany.org>, uid 507) with qmail-scanner-1.25 
 (clamdscan: 0.86.2/1099. uvscan: v4.3.20/v4307.  
 Clear:RC:0(24.8.155.205):. 
 Processed in 2.367968 secs); 18 Jun 2006 02:41:33 -0000
Received: from c-24-8-155-205.hsd1.co.comcast.net (24.8.155.205)
  by 0 with SMTP; 18 Jun 2006 02:41:30 -0000
Received: from [24.8.54.30] (helo=sejah.nehj)
	by c-24-8-155-205.hsd1.co.comcast.net with smtp (Exim 4.43)
	id 1FrnEa-0003l9-6J; Sat, 17 Jun 2006 20:41:56 -0600

Received: from unknown (HELO intesrl.b.astral.ro) (85.186.176.196)
  by 0 with SMTP; 25 Jun 2006 08:25:34 -0000
Received: from btm.ssp ([85.186.101.58])
	by intesrl.b.astral.ro (8.13.3/8.13.3) with SMTP id k5P8PpYD071896;
	Sun, 25 Jun 2006 11:25:51 +0300

Received: (from ciwr [210.91.30.56])
 by inns-smtp1.goldenrule.com (SMSSMTP 4.1.9.35) with SMTP id
M2006062507533704113
 for <hm...@goldenrule.com>; Sun, 25 Jun 2006 07:53:38 -0400
Received: from [210.91.212.147] (helo=ggav)
	by ciwr with smtp (Exim 4.43)
	id 1FuTHa-0001IJ-ME; Sun, 25 Jun 2006 21:00:06 +0900

Received: from intesrl.b.astral.ro ([85.186.176.196])
	by offsite1.bytemark.co.uk with smtp (Exim 4.34)
	id 1FuUvq-0005IC-Dx
	for no@pupeno.com; Sun, 25 Jun 2006 13:45:47 +0000
Received: from [85.186.196.87] (helo=monmib)
	by intesrl.b.astral.ro with smtp (Exim 4.43)
	id 1FuUuQ-0002YS-Od; Sun, 25 Jun 2006 16:44:18 +0300

Received: from jjwd [58.19.227.40] by imail03.nt.aitcom.net
  (SMTPD32-8.05) id A03011950150; Sun, 25 Jun 2006 10:39:44 -0400
Received: from yo.iszxuj ([58.19.230.149])
	by jjwd (8.13.5/8.13.5) with SMTP id k5PEWbxN028325;
	Sun, 25 Jun 2006 22:32:37 +0800


Re: [SPAM] Examples of Received Headers

Posted by Graham Murray <gr...@gmurray.org.uk>.
"Jim Hermann - UUN Hostmaster" <ho...@uuism.net> writes:

> SPF is not enough.  It does not eliminate the zombie or spambot.

It is if you set your SPF record to allow your mailer(s) and hard fail
on all others *and* the recipient of the forged email checks against
SPF. The problems come when recipients do not check (and act on) SPF
even when you have defined a 'tight' SPF record.

RE: Examples of Received Headers

Posted by "John D. Hardin" <jh...@impsec.org>.
On Sun, 25 Jun 2006, Jim Hermann - UUN Hostmaster wrote:

> > On Sun, 25 Jun 2006, Jim Hermann - UUN Hostmaster wrote:
> > 
> > > Here are examples of the Received Headers for the type of spam
> > > that are being sent with forged email addresses for a domain that
> > > I host.
> > 
> > The Received headers in spams cannot be trusted, except for the
> > Received headers put in by relays run by *you* or someone you trust.
> > Received headers are trivially easy to forge and carry very little
> > useful information in spams.
> 
> These are Received Headers provided by the ISP that sent me the
> bounce message, not because of spam, but because the recipient did
> not exist.  They put the Original Spam Full Headers in the message
> that they sent to me.

Erm. Again, I'm not clear on what you provided examples of.

Were the Received headers from the message headers of the bounce
itself? If so, contact the ISP that you received the message from and
ask them to implement SPF checks.

Were the Received headers from the *body* of the bounce, where the
other ISP put a copy of the spam headers? If so, you can't trust them
and for the most part trying to parse them is a waste of time.

> If I can trust that my server identified the last server and the
> last server was the recipient server, then I think I can trust
> that they sent me the Full Headers as they received them.  Yes, I
> know that the prior Received Headers could be forged.

The headers as they received them are also likely forged.

You *might* be able to trust the Received header that their mail relay
put in, which could tell you from where they received the email.
Beyond that, they are subject to forgery.

> I don't think that these spambots are bothering to try to forge
> the Received Headers.  Usually the first two Received Headers have
> IP Addresses assigned to the same ISP.
> 
> SPF is not enough.  It does not eliminate the zombie or spambot.

No, but it does fairly well what it is intended to do: eliminate
forgeries.

SPF is *not* an anti-spam tool. It is an anti-forgery tool.

I agree, though, that it should be part of a larger set of tools.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------


RE: [SPAM] Examples of Received Headers

Posted by Jim Hermann - UUN Hostmaster <ho...@uuism.net>.
> On Sun, 25 Jun 2006, Jim Hermann - UUN Hostmaster wrote:
> 
> > Here are examples of the Received Headers for the type of spam
> > that are being sent with forged email addresses for a domain that
> > I host.
> 
> The Received headers in spams cannot be trusted, except for the
> Received headers put in by relays run by *you* or someone you trust.
> Received headers are trivially easy to forge and carry very little
> useful information in spams.

These are Received Headers provided by the ISP that sent me the bounce
message, not because of spam, but because the recipient did not exist.  They
put the Original Spam Full Headers in the message that they sent to me.

If I can trust that my server identified the last server and the last server
was the recipient server, then I think I can trust that they sent me the
Full Headers as they received them.  Yes, I know that the prior Received
Headers could be forged.

I don't think that these spambots are bothering to try to forge the Received
Headers.  Usually the first two Received Headers have IP Addresses assigned
to the same ISP.

SPF is not enough.  It does not eliminate the zombie or spambot.

Jim




Re: [SPAM] Examples of Received Headers

Posted by "John D. Hardin" <jh...@impsec.org>.
On Sun, 25 Jun 2006, Jim Hermann - UUN Hostmaster wrote:

> Here are examples of the Received Headers for the type of spam
> that are being sent with forged email addresses for a domain that
> I host.

The Received headers in spams cannot be trusted, except for the
Received headers put in by relays run by *you* or someone you trust.
Received headers are trivially easy to forge and carry very little
useful information in spams.

> These are the last 10 bounced messages that I received, so it is
> fairly representative.

It's not clear from your description whether these Received headers
are from the spams or from the bounces.
 
> I send complaints to the abuse email address listed in the WHOIS
> record for this IP Address.

As I said above, you can't trust a Received header unless your server
put it there.

If you are responding to the earliest Received header in a spam, then
you are at best wasting your time, at worst confirming the validity of
your email address.
 
> Do you think that these are victims of some sort that their ISP
> would want to help?

You need to contact the ISP that sent you the bounce message, NOT the
ISP that sent the spam. The ISP that the spammer targeted is the one
you want to talk into implementing SPF checks.

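Jim's third Received chain, read the way John Hardin describes it (trust only the header your own relay wrote, and each header below it only while the relay that wrote it is also yours), followed by Graham Murray's point that a tight SPF record only helps where the recipient actually evaluates it. This is an added example, not code from the thread or from SpamAssassin; the trusted network, both SPF records, and the minimal SPF evaluator (ip4 and all only) are assumptions made here for illustration.

```python
import ipaddress
import re

# Added example: walk a Received chain from the top (our relay's own header)
# downward, believe a header only while the relay that wrote it is trusted,
# then evaluate an SPF policy against the one address we can vouch for.

# Jim's third chain, top-most header first, "Received:" prefix and dates dropped.
RECEIVED = [
    "from smtp.4sir.com ([192.168.1.5]) by DC01.FAVUS.Local with Microsoft SMTPSVC(6.0.3790.1830)",
    "from pool-71-114-71-136.washdc.dsl-w.verizon.net ([71.114.71.136]) by smtp.4sir.com with Microsoft SMTPSVC(6.0.3790.1830)",
    "from [71.114.98.170] (helo=zsgnwd.zctjrq) by pool-71-114-71-136.washdc.dsl-w.verizon.net with smtp (Exim 4.43) id 1FuGgL-0005kC-Ii",
]
# Assumption: the receiving site's own relays live in RFC 1918 space.
TRUSTED = [ipaddress.ip_network("192.168.0.0/16")]
# Constructed SPF records for a forged sender domain; 203.0.113.0/24 is
# documentation space and stands in for the domain's real mailer.
SPF_TIGHT = "v=spf1 ip4:203.0.113.0/24 -all"
SPF_LOOSE = "v=spf1 ip4:203.0.113.0/24 ~all"

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def connecting_ip(header):
    """Address the *writing* relay recorded in its 'from' clause: the last IPv4
    literal before ' by ' (e.g. 'host (host [IP])'). A dotted quad smuggled into
    a HELO string would fool this, which is one more reason not to trust HELO."""
    clause = header.split(" by ", 1)[0]
    hits = IPV4.findall(clause)
    return ipaddress.ip_address(hits[-1]) if hits else None

def first_untrusted_hop(received, trusted):
    """Header 0 was written by us, so its peer IP is real. Each later header is
    believable only while every earlier peer was one of our trusted relays; the
    first peer outside that set is the last address anyone can vouch for."""
    for header in received:
        ip = connecting_ip(header)
        if ip is None or not any(ip in net for net in trusted):
            return ip
    return None  # the whole chain stayed inside our own relays

def evaluate_spf(record, ip):
    """Minimal SPF evaluator: only ip4 and all mechanisms, with all four qualifiers."""
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:  # skip 'v=spf1'
        qual, mech = (term[0], term[1:]) if term[0] in results else ("+", term)
        matched = mech == "all" or (mech.startswith("ip4:") and
                                    ip in ipaddress.ip_network(mech[4:], strict=False))
        if matched:
            return results[qual]
    return "neutral"  # no mechanism matched: RFC 7208 default
```

With the trusted set above, the walk stops at 71.114.71.136 (recorded by the ISP's own relay); the 71.114.98.170 that Jim was complaining about sits in a header nobody trustworthy wrote.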