On 17 Nov 2003 11:25 UTC "Barry Murphy" <barry(a)unix.co.nz> wrote:
| I received the same message 8 times to the same address with about
| 2-3 per hour. My SpamAssassin picked them up but the strange thing was
| they all came from different IP addresses and I couldn't traceroute
| any of them...
You've assumed the handoff between received lines was valid; it wasn't.
The "earlier" received line in each case was totally bogus: there is
now a variety of custom "spamware" that forges a Received: header and
carefully matches the fake details to the reverse DNS of the proxy or
trojan machine that the spammer is actually sending from. That makes it
almost impossible to know that the line is in fact forged, unless you
spot some little detail that they get wrong ... like (as in some of the
cases that you quoted), the fact that the fake sending IP in the forged
header is in a block that's either unannounced or completely unroutable!
| IP addresses they were sent from:
220.127.116.11 IANA Reserved
18.104.22.168 Assigned but not announced
22.214.171.124 IANA Reserved
126.96.36.199 IANA Reserved
188.8.131.52 Interop Show Network
184.108.40.206 UUNET Internet Africa
| the messages were stopped as they were listed in blacklists.
Blocklist tests are normally done on the most recent Received: line,
as unless that line is OK, previous lines cannot usually be trusted.
| The thing I don't understand is that there was no consistency, all
| the emails from different IPs, all different forged header fields,
| all not tracerouteable and within 30 minutes of each other to an
| address only listed on a New Zealand website.
I can traceroute to some of the IPs you listed so it may be that
traceroute packets have been blocked at your gateway. There are
currently some very good reasons why network administrators do that!
Because of the level of filtering, spammers now try to send the same
mail from different proxies/zombies to be sure of getting it through.
Different IPs are in different blocklists, and spammers can't tell
what blocklist your ISP - or that of any other victim - uses. They
can't even tell whether mail gets through at all because many systems
are now configured to drop the mail rather than reject it. I won't
pass comment on that policy, but we all know it happens. Hence to get
better delivery figures, spammers now have to send out multiple copies.
Their systems randomise all the variable factors - fake mail client,
fake origin, fake sender name, random subject line etc, and loads of
random garbage text in the spam body to foil any checksum detection
of bulk mailing.
| Weird, sounds very much like the spam system explained on the list
| not too long ago.
While it may well use that system, multiple proxy/trojan sending boxes
are now becoming a standard spammer modus operandi!
Joe Abley <jabley(a)isc.org> replied:
| It seems to be fairly commonplace these days for (a) spam to be
| vectored through widely-distributed sets of open proxies or infected
| windows drones and (b) for unallocated or normally unadvertised space
| to be advertised transiently in order to provide temporary addresses
| to bind SMTP clients to.
(a) is normal, for sure, but (b) - although theoretically trivial to
do - is not yet in common use. Bogus announcements would need to be
visible every place the spammer wanted to send to, and would then be
visible at the route-collectors which report into systems like RIPE's
RIS server and that in turn would allow them to be identified from a
lookup at http://www.ripe.net/ripencc/pub-services/np/ris/index.html
Contribute to the SpamCon Legal Fund!! http://www.spamcon.org/legalfund/
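The two points made in the reply above, that only the most recent Received: line can be trusted for blocklist checks and that a forged earlier line often gives itself away by claiming a source in reserved or unrouted space, as an added example (not code from the thread or from any of the posters). The message headers are constructed, and the reserved-range list is a hand-picked subset of the RFC 5735 special-use blocks, not a complete bogon feed.

```python
import ipaddress
import re

# Constructed sample: the top Received: line was written by our own MX, so its
# bracketed IP is the only one we actually observed; the lower line arrived
# inside the message and claims an origin in the reserved 240.0.0.0/4 block.
SAMPLE_HEADERS = """\
Received: from mail.example.net (mail.example.net [192.0.2.44])
\tby mx.unix.example (Postfix) with SMTP id ABC123
\tfor <barry@unix.example>; Mon, 17 Nov 2003 10:58:01 +1300
Received: from relay.example.org (relay.example.org [240.10.20.30])
\tby mail.example.net with ESMTP id XYZ789; Mon, 17 Nov 2003 10:57:55 +1300
From: "Someone" <someone@example.com>
"""

# Assumption: a subset of RFC 5735 special-use blocks. The documentation nets
# (192.0.2.0/24 and friends) are deliberately left out so the constructed
# sample can use them as stand-ins for ordinary public addresses.
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# One Received: field including its folded continuation lines (which start
# with whitespace), ending at the next header name or end of input.
RECEIVED_RE = re.compile(r"^Received:(.*?)(?=^\S|\Z)", re.M | re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(headers):
    """Return the bracketed source IP of each Received: line, newest first."""
    hops = []
    for m in RECEIVED_RE.finditer(headers):
        body = " ".join(m.group(1).split())  # unfold continuation lines
        ip = IP_RE.search(body)
        hops.append(ip.group(1) if ip else None)
    return hops

def is_reserved(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESERVED)

def analyse(headers):
    """Pick the one IP worth a blocklist lookup and flag likely forged hops."""
    hops = received_hops(headers)
    trusted = hops[0] if hops else None   # the hop our own MX recorded
    forged = [ip for ip in hops[1:] if ip and is_reserved(ip)]
    return {"check_blocklists_for": trusted, "suspect_forged": forged}
```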