MavEtJu's Distorted View of the World

Worsening spam tactics

Posted on 2005-05-25 10:28:14, modified on 2006-01-09 16:29:23
Tags: Networking, Spam, SMTP, Email

If you think this is bad: (mavetju.org isn't served by 200.121.183.223)

Received: from mavetju.org ([200.121.183.223])
        by imta02sl.mx.bigpond.com with ESMTP
        id <20050524232049.GTMA2733.imta02sl.mx.bigpond.com@mavetju.org>;
        Tue, 24 May 2005 23:20:49 +0000
message-id: <UHUh4a7dWj6_CpI3ZmfY@mavetju.org>

Wait until you see this:

Return-Path: ryopdx@stjames.net.au
Received: from APlessis-Bouchard-152-1-59-216.w82-121.abo.wanadoo.fr (APlessis-Bouchard-152-1-59-216.w82-121.abo.wanadoo.fr [82.121.170.216])
        by mx1.midcoast.com.au (8.13.1/8.13.1) with SMTP id j4N6sWvS003077
        for <fromms@midcoast.com.au>; Mon, 23 May 2005 16:54:47 +1000
Received: from mail3.barnet.com.au
        by APlessis-Bouchard-152-1-59-216.w82-121.abo.wanadoo.fr (8.9.3/8.9.3) with ESMTP id PCEIP7onXFNw
        for <fromms@midcoast.com.au>; Mon, 23 May 2005 14:41:04 -0700
Received: from (root@localhost)
        by mail3.barnet.com.au (8.12.8/8.12.8/Submit) id 1GaCy2wErDj5Ks
        for <fromms@midcoast.com.au>; Mon, 23 May 2005 14:41:04 -0700
Date: Mon, 23 May 2005 14:41:04 -0700
From: Edwin Groothuis <ryopdx@mavetju.org>
Reply-To: Edwin Groothuis <ryopdx@mavetju.org>
Message-ID: <123898390844.691925904529@mavetju.org>

What do the headers says?

Why is this worsening? It is because the email actually looks, for the untrained eye and a lot of automatic header-parser programs, like it was coming from mail3.barnet.com.au:

In the first example, everybody who knows a little bit about SMTP headers first checks if 200.121.183.223 is somewhat related to 16wardell.com.au.

In the second example, you have two more lines to parse. I admit that the syntax of the second-last line isn't proper (it is missing the hostname/ip address between brackets in the from field), but for the rest looks pretty good.

What is still wrong with it?

Could this have been prevented if mx1.midcoast.com.au would have done SPF checks? Yes. The SPF tests would have failed on every received line with a hostname.

| Share on Facebook | Share on Twitter
Comments: No comments yet
Leave a comment
Back to the main page