MavEtJu's Distorted View of the World

Worsening spam tactics

Posted on 2005-05-25 10:28:14, modified on 2006-01-09 16:29:23
Tags: Networking, Spam, SMTP, Email

If you think this is bad: ( isn't served by

Received: from ([])
        by with ESMTP
        id <>;
        Tue, 24 May 2005 23:20:49 +0000
message-id: <>

Wait until you see this:

Received: from ( [])
        by (8.13.1/8.13.1) with SMTP id j4N6sWvS003077
        for <>; Mon, 23 May 2005 16:54:47 +1000
Received: from
        by (8.9.3/8.9.3) with ESMTP id PCEIP7onXFNw
        for <>; Mon, 23 May 2005 14:41:04 -0700
Received: from (root@localhost)
        by (8.12.8/8.12.8/Submit) id 1GaCy2wErDj5Ks
        for <>; Mon, 23 May 2005 14:41:04 -0700
Date: Mon, 23 May 2005 14:41:04 -0700
From: Edwin Groothuis <>
Reply-To: Edwin Groothuis <>
Message-ID: <>

What do the headers say?

Why is this worsening? Because to the untrained eye, and to a lot of automatic header-parsing programs, the email actually looks like it was coming from

In the first example, everybody who knows a little bit about SMTP headers first checks if is somewhat related to

In the second example, you have two more lines to parse. I admit that the syntax of the second-last line isn't proper (it is missing the hostname/IP address between brackets in the from field), but the rest looks pretty good.
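A header parser can avoid being fooled by the extra lines by trusting only the Received header written by its own MTA and flagging lower ones that lack a bracketed peer address. The following Python check is an added example, not code from the original post; the hostnames, addresses, function names and the `trusted_hops` parameter are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample modelled on the second example in the post. Hostnames and
# addresses are reserved example values, not the ones stripped from the page.
SAMPLE = """\
Received: from relay.example.net (dsl-host.example.net [198.51.100.23])
\tby mx.example.org (8.13.1/8.13.1) with SMTP id j4N6sWvS003077
\tfor <user@example.org>; Mon, 23 May 2005 16:54:47 +1000
Received: from mail.example.com
\tby relay.example.net (8.9.3/8.9.3) with ESMTP id PCEIP7onXFNw
\tfor <user@example.org>; Mon, 23 May 2005 14:41:04 -0700
Received: from mail.example.com (root@localhost)
\tby mail.example.com (8.12.8/8.12.8/Submit) id 1GaCy2wErDj5Ks
\tfor <user@example.org>; Mon, 23 May 2005 14:41:04 -0700
From: Somebody <somebody@example.com>

constructed body
"""

FROM_RE = re.compile(r"from\s+(\S+)")
PEER_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
LOCAL_RE = re.compile(r"\(\S+@localhost\)")

def audit_received(raw, trusted_hops=1):
    """Classify Received headers, newest first. trusted_hops (caller-supplied
    assumption) counts the topmost headers written by MTAs you operate."""
    hops = []
    for i, value in enumerate(message_from_string(raw).get_all("Received", [])):
        line = " ".join(value.split())  # unfold continuation lines
        helo, peer = FROM_RE.match(line), PEER_RE.search(line)
        if i < trusted_hops:
            verdict = "trusted"            # written by our own MTA
        elif LOCAL_RE.search(line):
            verdict = "claimed-local-submission"
        elif peer is None:
            verdict = "malformed-no-peer-address"
        else:
            verdict = "unverifiable"       # well-formed but sender-controlled
        hops.append({"helo": helo.group(1) if helo else None,
                     "peer_ip": peer.group(1) if peer else None,
                     "verdict": verdict})
    return hops

def connecting_ip(raw, trusted_hops=1):
    """Peer address recorded at the trust boundary, the only one worth acting on."""
    hops = audit_received(raw, trusted_hops)
    return hops[trusted_hops - 1]["peer_ip"] if 0 < trusted_hops <= len(hops) else None
```

Everything below the trust boundary is reported but never used for a decision; only the address returned by `connecting_ip` was observed by a server you control.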

What is still wrong with it?

Could this have been prevented if would have done SPF checks? Yes. The SPF tests would have failed on every received line with a hostname.
