Great Circle Associates List-Managers
(August 2004)

Subject: Re: Automated attack on list managers?
From: Jim Osborn <jimo @ eskimo . com>
Date: Mon, 23 Aug 2004 11:09:07 -0700
To: list-managers @ greatcircle . com
In-reply-to: <1B55DD9F7F4F3DD0D7060035 @ [192 . 168 . 0 . 18]>
Mail-followup-to: list-managers @ greatcircle . com
References: <a06110408bd4e3a918193 @ [62 . 195 . 90 . 214]> <1B55DD9F7F4F3DD0D7060035 @ [192 . 168 . 0 . 18]>
User-agent: Mutt/1.4i

On Sun, Aug 22, 2004 at 9:31:10AM -0400, Tom Neff wrote:
> The problem with what you are saying is that spoofed virus/worm
> envelopes include fake From: addresses, but (in my experience) not
> spoofed IP addresses.  There is no easy way for the IP address for
> webmail.dzogchen.ru (a/k/a mail.dzogchen.ru, a/k/a
> byak.sinp.msu.ru) to appear in a Received: header of a message
> received at mx1.yandex.ru unless it was actually involved in
> transmitting the message. 

I see a lot of spam with obviously-forged Received: headers.
I don't think you can trust any but the topmost, at least until
the mail enters your domain.  I've found many of these forgeries
to be useful spam discriminators, in fact.

So, it wouldn't surprise me if virii were grabbing IP numbers from
their usual sources and stuffing them into forged Received lines.
An iplookup of the numbers in question would likely not match any
verbiage in the header, but the spam robot probably doesn't care
about accuracy. :)

FWIW,

Jim

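Jim's rule of thumb above (trust only the topmost Received: line, and only the hops until the mail entered your own domain) can be turned into a mechanical check. The following is an added example, not code from the list or from either poster: it parses the Received: chain of a message, starts at the topmost hop, and stops trusting the chain at the first hop whose "by" host is not the "from" host of the hop above it. The host names, IP addresses and both sample header sets are constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample: the topmost hop was written by our own MX, but the
# hop below it was stuffed into the message and does not join up with it.
FORGED = """Received: from relay.example.net (relay.example.net [203.0.113.7])
\tby mx1.example.org (Postfix) with ESMTP id A1; Mon, 23 Aug 2004 11:09:07 -0700
Received: from mail.other-domain.test (unknown [198.51.100.9])
\tby smtp.unrelated.test with ESMTP id B2; Mon, 23 Aug 2004 11:08:00 -0700
"""

# Constructed sample: a chain in which every hop hands off to the next one.
CONSISTENT = """Received: from relay.example.net (relay.example.net [203.0.113.7])
\tby mx1.example.org (Postfix) with ESMTP id A1; Mon, 23 Aug 2004 11:09:07 -0700
Received: from client.example.net (client.example.net [203.0.113.20])
\tby relay.example.net with ESMTP id B2; Mon, 23 Aug 2004 11:08:00 -0700
"""

# "from <host> ... by <host>" is the only part of a Received: line we rely on.
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)")

def parse_hops(raw):
    """Return [(from_host, by_host), ...] in header order; index 0 is the newest hop."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(hdr.split()))  # unfold continuation lines
        hops.append((m.group("from").lower(), m.group("by").lower()) if m else (None, None))
    return hops

def trusted_prefix(raw, our_hosts):
    """Walk downward from the topmost hop. A hop is trusted only if the chain
    started at one of our own MX hosts and its 'by' host is the 'from' host of
    the hop above it. Returns (trusted_hop_count, index_of_first_suspect_hop)."""
    hops = parse_hops(raw)
    if not hops or hops[0][1] not in our_hosts:
        return 0, 0  # we did not even write the topmost line: trust nothing
    expected_by = hops[0][0]
    trusted = 1
    for i, (frm, by) in enumerate(hops[1:], start=1):
        if by != expected_by:
            return trusted, i  # chain breaks here: everything below is unverified
        trusted += 1
        expected_by = frm
    return trusted, None
```

Anything below the first suspect hop (including the sender IPs it names) is exactly the "verbiage" Jim describes and should not drive a block or an abuse report on its own.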