ietf-asrg

Re: [Asrg] Lets Fix Mailing Lists

2003-03-08 20:44:09
From: Jim Youll <jim(_at_)media(_dot_)mit(_dot_)edu>


Consider the common claims about spammers forging headers.  When was
the last time you saw spam supposedly from CERT?  Don't you think that
if spammers were willing to forge headers to get around simple
whitelists, at least some would use that envelope or header From value?

You mean like this? I have tonnes of these...

 From i2secc0i(_at_)hotmail(_dot_)com  Wed Mar  5 14:06:40 2003
Received: from 200.203.76.54 ([200.203.76.54])
         by aleve.media.mit.edu (8.9.3/8.9.3/+ALEVE) with SMTP id OAA18641
         for (...); Wed, 5 Mar 2003 14:05:44 -0500 (EST)
Date: Wed, 5 Mar 2003 14:05:44 -0500 (EST)
From: "Efrain Franckowiak" <i2secc0i(_at_)hotmail(_dot_)com>
To: "Contact List" 
<(_dot_)(_dot_)(_dot_)(_at_)media-lab(_dot_)media(_dot_)mit(_dot_)edu>
Subject: Men, you have science in your corner

Where is cert.org among those headers? 

How do you know that i2secc0i(_at_)hotmail(_dot_)com is forged and not
legitimately owned by the spammer?  Are you sure Efrain Franckowiak is
not the name
of the spammer?  That 200.203.76.54 is supposedly in Brazil and not
owned by Hotmail does not imply that message has forged headers.

Yes, some spammers have begun or resumed forging sender addresses,
often using addresses from the target list.  However, they're still
not doing blatant forging as they were a few years ago.  

I see many forged headers. The biggest difference between "now" and the
state of things, oh, five years ago, is that the MTAs do their own
corrections to the
headers within [ ] so we can see where things actually came from. The above
didn't attempt to lie, but I've got plenty that do.

I've also seen plenty of genuine forged headers.  However, most
mismatches between SMTP client IP address and sender mail address(es)
are not obvious forgeries, unless you use Hotmail's odd, self-serving
definition of "forgery" which covers not using your current
hotel room as your return address while travelling.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
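
The distinction drawn in the thread between what a client claims and what the receiving MTA records inside [ ], as an added example that is not part of the original messages: it splits a Received: value into the sender-claimed HELO and the receiver-recorded address and compares the two. It assumes the sendmail-style layout `from HELO (rDNS [IP]) by HOST`; the function names, verdict labels and the two constructed sample lines are illustrative.

```python
import ipaddress
import re

# Assumed sendmail-style trace: from <HELO> (<optional rDNS> [<client IP>]) by <receiver>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+"
    r"by\s+(?P<by>\S+)"
)

def _as_ip(text):
    """Return an ip_address if text is an IP literal (optionally in [ ]), else None."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None

def parse_received(header):
    """Split one Received: value into sender-claimed and receiver-recorded parts."""
    unfolded = re.sub(r"\s+", " ", header)  # undo header folding
    m = RECEIVED_RE.search(unfolded)
    if m is None or _as_ip(m.group("ip")) is None:
        return None
    return {"claimed_helo": m.group("helo"), "recorded_rdns": m.group("rdns"),
            "recorded_ip": m.group("ip"), "receiver": m.group("by")}

def helo_verdict(header):
    """Compare what the client said in HELO with what the receiving MTA recorded."""
    p = parse_received(header)
    if p is None:
        return "unparsed"
    claimed_ip = _as_ip(p["claimed_helo"])
    if claimed_ip is not None:  # client announced itself with an IP literal
        return "consistent" if claimed_ip == _as_ip(p["recorded_ip"]) else "helo-contradicts-ip"
    if p["recorded_rdns"] is None:  # receiver found no reverse DNS to compare against
        return "helo-unverified"
    same = p["claimed_helo"].lower() == p["recorded_rdns"].lower()
    # A differing name is a mismatch to note, not proof of forgery.
    return "consistent" if same else "helo-differs-from-rdns"

# The Received: value quoted in the message above.
FROM_PAGE = """from 200.203.76.54 ([200.203.76.54])
         by aleve.media.mit.edu (8.9.3/8.9.3/+ALEVE) with SMTP id OAA18641"""
# Constructed samples (documentation address ranges and example domains).
CONSTRUCTED_LIE = "from 198.51.100.5 ([192.0.2.77]) by mx.example.net with SMTP id X1"
CONSTRUCTED_RDNS = ("from mail.example.com (dsl-77.example.org [192.0.2.77]) "
                    "by mx.example.net with SMTP id X2")

if __name__ == "__main__":
    for h in (FROM_PAGE, CONSTRUCTED_LIE, CONSTRUCTED_RDNS):
        print(helo_verdict(h), parse_received(h))
```

Only the bracketed address and the receiver name come from the receiving MTA; the HELO string, like the From: line, is whatever the client chose to send.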