Re: [SPAM] Examples of Received Headers

2006-06-26 Thread Graham Murray
Jim Hermann - UUN Hostmaster [EMAIL PROTECTED] writes:

 SPF is not enough.  It does not eliminate the zombie or spambot.

It is if you set your SPF record to allow your mailer(s) and hard fail
on all others *and* the recipient of the forged email checks against
SPF. The problems come when recipients do not check (and act on) SPF
even when you have defined a 'tight' SPF record.

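To make the two conditions above concrete (a record that hard-fails everything but your own mailers, and a recipient that actually enforces the result), here is an added example, not code from the original thread: a deliberately minimal SPF evaluator covering only `ip4`/`ip6` and `all`, with constructed records and addresses from RFC 5737 documentation space. A real checker (RFC 7208) also handles `a`, `mx`, `include`, `redirect` and lookup limits; those are out of scope here.

```python
import ipaddress

# Constructed example records (not from the original thread).
TIGHT_RECORD = "v=spf1 ip4:203.0.113.0/24 -all"   # hard fail on every other sender
LOOSE_RECORD = "v=spf1 ip4:203.0.113.0/24 ~all"   # soft fail: advisory only

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Return pass/fail/softfail/neutral/none for client_ip against record.

    Simplified: supports only the ip4, ip6 and all mechanisms. Any other
    mechanism (a, mx, include, ...) is rejected rather than silently skipped,
    so the toy never reports a result it did not actually compute.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # SPF default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]   # 'all' always matches
        if mech in ("ip4", "ip6"):
            # Mismatched address families never match; ip_network accepts
            # both bare addresses and CIDR prefixes.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism {mech!r} not supported in this toy")
    return "neutral"                       # no mechanism matched


def receiver_decision(spf_result, enforce):
    """The recipient side of Graham's point: a hard 'fail' stops the forgery
    only when the receiving MTA checks SPF and acts on it."""
    if not enforce:
        return "accept"                    # record ignored, forgery delivered
    return "reject" if spf_result == "fail" else "accept"


if __name__ == "__main__":
    forged_source = "198.51.100.7"         # a zombie outside the allowed range
    for name, record in (("tight", TIGHT_RECORD), ("loose", LOOSE_RECORD)):
        result = evaluate_spf(record, forged_source)
        for enforce in (False, True):
            print(f"{name:5} record, result={result:8} enforce={enforce!s:5} "
                  f"-> {receiver_decision(result, enforce)}")
```

Running it shows the same forged source accepted in three of the four combinations: only the `-all` record together with an enforcing recipient rejects it, which is exactly the gap the message above describes.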

Re: [SPAM] Examples of Received Headers

2006-06-25 Thread John D. Hardin
On Sun, 25 Jun 2006, Jim Hermann - UUN Hostmaster wrote:

 Here are examples of the Received Headers for the type of spam
 that are being sent with forged email addresses for a domain that
 I host.

The Received headers in spams cannot be trusted, except for the
Received headers put in by relays run by *you* or someone you trust.
Received headers are trivially easy to forge and carry very little
useful information in spams.

 These are the last 10 bounced messages that I received, so it is
 fairly representative.

It's not clear from your description whether these Received headers
are from the spams or from the bounces.
 
 I send complaints to the abuse email address listed in the WHOIS
 record for this IP Address.

As I said above, you can't trust a Received header unless your server
put it there.

If you are responding to the earliest Received header in a spam, then
you are at best wasting your time, at worst confirming the validity of
your email address.
 
 Do you think that these are victims of some sort that their ISP
 would want to help?

You need to contact the ISP that sent you the bounce message, NOT the
ISP that sent the spam. The ISP that the spammer targeted is the one
you want to talk into implementing SPF checks.

--
 John Hardin KA7OHZ   ICQ#15735746   http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]   FALaholic #11174   pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Apparently the Bush/Rove idea of being a fiscal conservative is
  to spend money like there's no tomorrow, run up huge deficits, and
  pray the Rapture happens before the bills come due.
   -- atul666 in Y! SCOX forum
---



RE: [SPAM] Examples of Received Headers

2006-06-25 Thread Jim Hermann - UUN Hostmaster
 On Sun, 25 Jun 2006, Jim Hermann - UUN Hostmaster wrote:
 
  Here are examples of the Received Headers for the type of spam
  that are being sent with forged email addresses for a domain that
  I host.
 
 The Received headers in spams cannot be trusted, except for the
 Received headers put in by relays run by *you* or someone you trust.
 Received headers are trivially easy to forge and carry very little
 useful information in spams.

These are Received Headers provided by the ISP that sent me the bounce
message, not because of spam, but because the recipient did not exist.  They
put the Original Spam Full Headers in the message that they sent to me.

If I can trust that my server identified the last server and the last server
was the recipient server, then I think I can trust that they sent me the
Full Headers as they received them.  Yes, I know that the prior Received
Headers could be forged.

I don't think that these spambots are bothering to try to forge the Received
Headers.  Usually the first two Received Headers have IP Addresses assigned
to the same ISP.

SPF is not enough.  It does not eliminate the zombie or spambot.

Jim