Date: Fri, 02 May 1997 23:09:33 -0500
From: "Jeffrey J. Mountin" <sysop@mixcom.com>
To: scott@statsci.com
Cc: questions@FreeBSD.ORG
Subject: Re: COME SEE THE HOTTEST scam spam on the net!!!
Message-ID: <3.0.32.19970502230932.00bd1eec@mixcom.com>
At 01:08 PM 5/2/97 -0700, Scott Blachowicz wrote:
>Actually, it would vary depending on who you can trust...

Yes, but....

>> Received: by mixcom.mixcom.com (8.6.12/2.2)
>> 	id PAA14271; Sun, 27 Apr 1997 15:26:51 -0500
>> Received: from ns3.harborcom.net(206.158.4.7) by mixcom.mixcom.com via smap
>> (V1.3)
>> 	id sma014261; Sun Apr 27 20:26:41 1997
>>
>> (everything after this can be pure BS)
>
>But, if (in this case) you did a 'dig -x 206.158.4.7' to verify that it
>is, in fact, harborcom.net and you trust the administration of
>harborcom.net to be reliable, then you could, presumably, trust the next
>Received: header:

Nope!

>> Received: from hub.freebsd.org (hub.FreeBSD.ORG [204.216.27.18])
>> 	by ns3.harborcom.net (8.8.5/8.8.4) with ESMTP
>> 	id QAA10827; Sun, 27 Apr 1997 16:25:47 -0400 (EDT)
>
>...and so forth...
>
>Right?

OK, in most cases you could, but the following is a better example that I
have seen. I added some lines, which is what it would look like before
sendmail does its thing, but after the SMTP part of the conversation.

FROM noreply@click.to.be.removed      + (these 2 I added)
RCPT invalid@mixcom.com               +
Return-Path: <noreply@click.to.be.removed>
Received: by mixcom.mixcom.com (8.6.12/2.2)
	id VAA26594; Sat, 5 Apr 1997 21:40:03 -0600
From: <noreply@click.to.be.removed>
Received: from emin39.mx.aol.com(198.81.11.75) by mixcom.mixcom.com via smap (V1.3)
	id sma026561; Sun Apr 6 03:39:37 1997

The Received above this is added by the local server, up to the RCPT; but
below this it is part of the "body" in the envelope and is the DATA part
of the SMTP conversation.

BODY (added)
Received: from d.mx.aol.com (Cust34.Max8.Denver.CO.MS.UU.NET [153.35.206.162])
	by emin39.mail.aol.com (8.8.5/8.8.5/AOL-2.0.0) with SMTP id WAA22837;
	Sat, 5 Apr 1997 22:36:21 -0500 (EST)

(This would most likely be real, but I could forge this easily enough)
(hmmm... the following must be someone with IPv6 ;)

Received: from mailhost.feefifofofe.com (alt1.feefife.com (297.3.2.33))
	by feefifofofe.com (8.8.5/8.6.5) with SMTP id GAA02878
	for <noreply@feefifofe.com>; Sat, 05 Apr 1997 20:19:49 -0600 (EST)
To: noreply@feefifofe.com
Message-ID: <546512849975.kss06426@feefifofofe.com>
Date: Sat, 05 Apr 97 20:19:49 EST
Subject: NEW SONIC STEALTH MAILER! 250,000 PER HOUR! LIMITED QUANITY!
Reply-To: noreply@click.to.be.removed
X-PMFLAGS: 128 0
X-UIDL: 854df41ger14tg156sdfg12hjkl45621
Comments: Authenticated sender is <hello@feefifofofe.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=unknown-8bit
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by emin39.mail.aol.com id WAA22837

(This blank line starts the body of the message)

FIND OUT WHAT ALL THE TALK IS ABOUT...

Introducing....

>>>>>>>>>>>  "STEALTH MASS MAILER"
--snip--

If you know how to send mail by telnetting to the port, then you know why
you can't trust the headers for junk mail. Here is one I just did for
myself, and I used one forged "Received" line:

Received: by mixcom.mixcom.com (8.6.12/2.2)
	id WAA17129; Fri, 2 May 1997 22:45:21 -0500
Message-Id: <199705030345.WAA17129@mixcom.mixcom.com>
From: <testy@mixcom.com>
Received: from ww4.mixcom.com(198.137.186.94) by mixcom.mixcom.com via smap (V1.3)
	id sma016136; Fri May 2 22:37:28 1997

Above is what the local server added, below is what I spoofed.

Received: from mailhost.feefifofofe.com (alt1.feefife.com (297.3.2.33))
	by feefifofofe.com (8.8.5/8.6.5) with SMTP id GAA02878
	for <nobother@feefifofe.com>; Fri, 02 Apr 1997 18:00:00 -0500 (CDT)
To: nobother@feefifofe.com
Date: Fri, 02 Apr 97 17:55:00 CDT
Subject: This is junk
Reply-To: null@not.valid
X-UIDL: c8ce99fca05388eeabc668dab754bdfb

Yes, you too can send junk mail..... Not!
--end--

I'd trust one of our servers, but there is no way in hell that it could
have received this message from that server, especially with port 25
blocked at the routers/NAS.

For junk mail it is best to pass back a message to the last "certain"
system if you want to mention that they are being exploited, and there is
only one that you can be absolutely certain about.

-------------------------------------------
Jeff Mountin - System/Network Administrator
jeff@mixcom.net
MIX Communications
Serving the Internet since 1990
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3.0.32.19970502230932.00bd1eec>
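The rule Jeff applies by eye above (walk the Received: lines from the top, vouch only for the ones your own MTA prepended, treat the "from" host of the last such line as the one certain system, and regard everything below it as DATA-phase input that anyone could have typed) can be automated. The following is an added example, not code from the original post or from the FreeBSD project. The trusted-host set, the two sample messages (modelled on the headers quoted above, including the impossible 297.3.2.33 address), and the function names `received_chain`, `trust_boundary` and `last_certain_system` are all assumptions made for this example.

```python
"""Find the trust boundary in a message's Received: chain.

Added example (not from the post above). Only lines written by our own MTA can
be vouched for; the "from" host of the last such line is the last certain
system, and every later Received: line is untrusted input from the DATA phase.
Sample messages and the trusted-host set are constructed for this example.
"""
import email
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRUSTED_HOSTS = {"mixcom.mixcom.com", "ww4.mixcom.com"}  # hypothetical: MTAs we run

# Constructed: two real hops written by our MTA, then one line typed in during DATA.
FORGED_LOCAL = """\
Received: by mixcom.mixcom.com (8.6.12/2.2)
    id WAA17129; Fri, 2 May 1997 22:45:21 -0500
Received: from ww4.mixcom.com(198.137.186.94) by mixcom.mixcom.com via smap (V1.3)
    id sma016136; Fri May 2 22:37:28 1997
Received: from mailhost.feefifofofe.com (alt1.feefife.com (297.3.2.33))
    by feefifofofe.com (8.8.5/8.6.5) with SMTP id GAA02878
    for <nobother@feefifofe.com>; Fri, 02 Apr 1997 18:00:00 -0500 (CDT)

Yes, you too can send junk mail..... Not!
"""

# Constructed: relayed spam. Our MTA got it from an AOL host; everything below
# that line was supplied by whoever talked to AOL and cannot be verified here.
RELAYED_SPAM = """\
Received: by mixcom.mixcom.com (8.6.12/2.2)
    id VAA26594; Sat, 5 Apr 1997 21:40:03 -0600
Received: from emin39.mx.aol.com(198.81.11.75) by mixcom.mixcom.com via smap (V1.3)
    id sma026561; Sun Apr 6 03:39:37 1997
Received: from d.mx.aol.com (Cust34.Max8.Denver.CO.MS.UU.NET [153.35.206.162])
    by emin39.mail.aol.com (8.8.5/8.8.5/AOL-2.0.0) with SMTP id WAA22837;
    Sat, 5 Apr 1997 22:36:21 -0500 (EST)
Received: from mailhost.feefifofofe.com (alt1.feefife.com (297.3.2.33))
    by feefifofofe.com (8.8.5/8.6.5) with SMTP id GAA02878
    for <noreply@feefifofe.com>; Sat, 05 Apr 1997 20:19:49 -0600 (EST)

FIND OUT WHAT ALL THE TALK IS ABOUT...
"""


@dataclass
class Hop:
    by: Optional[str]         # MTA that wrote the line
    from_host: Optional[str]  # peer it claims to have received from
    ip: Optional[str]         # address given for that peer, if any
    ip_valid: bool            # False for impossible addresses such as 297.3.2.33


def is_valid_ip(ip: Optional[str]) -> bool:
    try:
        ipaddress.ip_address(ip or "")
        return True
    except ValueError:
        return False


def parse_hop(value: str) -> Hop:
    """Extract by/from/ip from one (possibly folded) Received: header value."""
    text = " ".join(value.split())
    by = re.search(r"\bby\s+([^\s(;]+)", text)
    frm = re.match(r"from\s+([^\s(;]+)(.*?)\s\bby\b", text)
    ip = None
    if frm:  # look for an address only in the from-clause, not in version strings
        quad = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", frm.group(2))
        ip = quad.group(1) if quad else None
    return Hop(by.group(1) if by else None, frm.group(1) if frm else None, ip, is_valid_ip(ip))


def received_chain(raw_message: str) -> List[Hop]:
    # Header order is most recent hop first, which is the order we must walk.
    msg = email.message_from_string(raw_message)
    return [parse_hop(v) for v in msg.get_all("Received", [])]


def trust_boundary(hops: List[Hop], trusted: set) -> Tuple[Optional[Hop], List[Hop]]:
    """Return (last hop we can vouch for, hops we cannot).

    Stop at the first line not written by one of our MTAs, or right after the
    first line where one of our MTAs received from an outside host."""
    last = None
    for i, hop in enumerate(hops):
        if hop.by not in trusted:
            return last, hops[i:]
        last = hop
        if hop.from_host and hop.from_host not in trusted:
            return hop, hops[i + 1:]
    return last, []


def last_certain_system(raw_message: str, trusted: set = TRUSTED_HOSTS) -> Optional[str]:
    """Host to contact about junk mail, or None if even the first hop is not ours."""
    last, _ = trust_boundary(received_chain(raw_message), trusted)
    return (last.from_host or last.by) if last else None


if __name__ == "__main__":
    for name, sample in (("forged-local", FORGED_LOCAL), ("relayed-spam", RELAYED_SPAM)):
        last, untrusted = trust_boundary(received_chain(sample), TRUSTED_HOSTS)
        print(f"{name}: last certain system = {last.from_host or last.by}")
        for hop in untrusted:
            note = "" if hop.ip_valid else "  <-- impossible address"
            print(f"  unverifiable: from {hop.from_host} ({hop.ip}) by {hop.by}{note}")
```

`trust_boundary` deliberately stops at the first hop where one of our own MTAs says it received from an outside host, rather than continuing to accept any later line that merely claims "by mixcom.mixcom.com": a forged line below the boundary can say whatever it likes in its "by" clause. For the forged test message the last certain system is ww4.mixcom.com and the feefifofofe.com line is flagged as unverifiable (with an address that cannot exist); for the relayed spam it is emin39.mx.aol.com, which is the one party worth writing to, exactly as the post concludes.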