ietf-asrg

Re: [Asrg] Lets Fix Mailing Lists

2003-03-08 20:52:57
At 20:43 -0700 3/8/03, Vernon Schryver wrote:
> > From: Jim Youll <jim(_at_)media(_dot_)mit(_dot_)edu>
>
> > > Consider the common claims about spammers forging headers.  When was
> > > the last time you saw spam supposedly from CERT?  Don't you think that
> > > if spammers were willing to forge headers to get around simple
> > > whitelists, at least some would use that envelope or header From value?

> > You mean like this? I have tonnes of these...
> >
> > From i2secc0i(_at_)hotmail(_dot_)com  Wed Mar  5 14:06:40 2003
> > Received: from 200.203.76.54 ([200.203.76.54])
> >         by aleve.media.mit.edu (8.9.3/8.9.3/+ALEVE) with SMTP id OAA18641
> >         for (...); Wed, 5 Mar 2003 14:05:44 -0500 (EST)
> > Date: Wed, 5 Mar 2003 14:05:44 -0500 (EST)
> > From: "Efrain Franckowiak" <i2secc0i(_at_)hotmail(_dot_)com>
> > To: "Contact List" <(_dot_)(_dot_)(_dot_)(_at_)media-lab(_dot_)media(_dot_)mit(_dot_)edu>
> > Subject: Men, you have science in your corner

> Where is cert.org among those headers?

You picked one domain out of an infinity of them... fine, they don't forge
cert.org any more. They forge all the others. Great. I feel good about
cert.org mail now. But it's the rest that's making a mess of the incoming
traffic.

> How do you know that i2secc0i(_at_)hotmail(_dot_)com is forged and not
> legitimately owned by the spammer?  Are you sure Efrain Franckowiak is not
> the name of the spammer?  That 200.203.76.54 is supposedly in Brazil and
> not owned by Hotmail does not imply that message has forged headers.

Right. But your logic is broken.
If 200.203.76.54 were owned by Hotmail, the message would have come from a
Hotmail server. It didn't. I mean, sure, maybe, Hotmail is also known as
 brt-f0-0-0-cslce7003.brasiltelecom.net.br (200.180.192.27)

Forgive me if I have my doubts.

> Yes, some spammers have begun or resumed forging sender addresses,
> often using addresses from the target list.  However, they're still
> not doing blatant forging as they were a few years ago.

Oh, baloney. It's Saturday night and I should be out dancing but I have to
answer this message instead... no, there's plenty of forgery.
I'm really not sure what the issue is then, why are we discussing it?


> > I see many forged headers. The biggest difference between "now" and
> > the state of things, oh, five years ago, is that the MTAs do their own
> > corrections to the headers within [ ] so we can see where things
> > actually came from. The above didn't attempt to lie, but I've got
> > plenty that do.

> I've also seen plenty of genuine forged headers.  However, most
> mismatches between SMTP client IP address and sender mail address(es)
> are not obvious forgeries, unless you use Hotmail's odd, self-serving
> definition of "forgery" which covers not using your current hotel room
> as your return address while travelling.

So what did I miss? You say there are plenty of forgeries, I say there
are plenty of forgeries, why are we discussing something about
forgeries not being relevant?
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
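An added example, not part of the thread above: a small parser for the sendmail-style Received header quoted in the message, separating the one field the receiving MTA verified (the peer address the MTA wrote inside square brackets) from the fields the client supplied (the HELO name and the From address). The first header is the one from the thread, re-joined onto a single line with the archive's (_at_) obfuscation undone; the second is constructed here to show a client that announces a hotmail.com name in HELO while the MTA records a different address. The function names, the constructed header and the 192.0.2.10 test host are assumptions of this example.

```python
import re

# Received header quoted in the message above, re-joined onto one line; the
# recipient address is elided in the original and stays elided here.
SAMPLE_RECEIVED = (
    "from 200.203.76.54 ([200.203.76.54]) "
    "by aleve.media.mit.edu (8.9.3/8.9.3/+ALEVE) with SMTP id OAA18641 "
    "for (...); Wed, 5 Mar 2003 14:05:44 -0500 (EST)"
)
# From header from the same message, with the archive's (_at_) undone.
SAMPLE_FROM = '"Efrain Franckowiak" <i2secc0i@hotmail.com>'

# Constructed example (not from the thread): a client that typed a
# hotmail.com name in HELO while the MTA saw a Brazilian address.
CONSTRUCTED_RECEIVED = (
    "from mx1.hotmail.com ([200.180.192.27]) "
    "by aleve.media.mit.edu (8.9.3/8.9.3/+ALEVE) with SMTP id OAA18642 "
    "for (...); Wed, 5 Mar 2003 14:07:01 -0500 (EST)"
)

# sendmail 8.9 layout: "from HELO (rdns [ip])", or "from HELO ([ip])" when
# the reverse lookup failed.  Only the bracketed address comes from the
# TCP connection; HELO is whatever the client chose to say.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s*"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(header):
    """Split one Received header into verified and client-supplied parts."""
    m = RECEIVED_RE.match(" ".join(header.split()))
    if not m:
        raise ValueError("unrecognised Received syntax: %r" % header)
    return {
        "helo": m.group("helo"),   # client-supplied, unverified
        "rdns": m.group("rdns"),   # MTA reverse lookup, None if it failed
        "ip": m.group("ip"),       # the peer address the MTA actually saw
        "by": m.group("by"),       # the MTA that wrote this header
    }


def sender_domain(from_header):
    """Domain of the header From address (client-supplied, unverified)."""
    m = re.search(r"<?([^<>\s]+)@([^<>\s]+)>?\s*$", from_header)
    if not m:
        raise ValueError("no address in From header: %r" % from_header)
    return m.group(2).lower()


def helo_consistent(parsed):
    """True when HELO is the peer's literal IP or its reverse name.

    False means the client announced a name the MTA could not confirm.
    That is a signal worth logging, not a forgery verdict on its own.
    """
    return parsed["helo"].lower() in {
        parsed["ip"].lower(),
        (parsed["rdns"] or "").lower(),
    }


def describe(received, from_header):
    """Collect the signals a filter could act on, kept separate so that a
    From-domain / client-IP mismatch is not mistaken for proof of forgery."""
    p = parse_received(received)
    return {
        "verified_peer_ip": p["ip"],
        "claimed_helo": p["helo"],
        "helo_consistent": helo_consistent(p),
        "claimed_sender_domain": sender_domain(from_header),
    }


if __name__ == "__main__":
    for hdr in (SAMPLE_RECEIVED, CONSTRUCTED_RECEIVED):
        print(describe(hdr, SAMPLE_FROM))
```

The parser deliberately returns the sender domain and the peer address side by side without judging them: deciding whether 200.203.76.54 may legitimately originate mail for hotmail.com needs an external source (DNS, a published sender list, or the hotel-room exception Vernon describes), and that lookup is out of scope for an offline example.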