ietf-asrg

Re: [Asrg] Replay attack

2009-01-13 22:04:36
Steve Atkins wrote:
> On Jan 13, 2009, at 6:30 PM, Rich Kulawiec wrote:
>
>> On Tue, Jan 13, 2009 at 08:46:39PM -0500, Chris Lewis wrote:
>>> It won't verify, because it's signing the To; I have a copy with a
>>> different To, with the same signature.
>> Yep, same here.  My copy appears to have been deliberately backscattered
>> off an Exchange server (dsmail01.deansteel.com) -- unless, of course,
>> that server's been botted, in which case no backscatter necessary.
>> Most interesting; do either of you think this is a test run for
>> something more subtle?
>
> More likely accidental. Creating boilerplates for spamware
> by copying headers from a random legitimate message is
> nothing new (e.g. TheBat).

I would suggest that this tidbit doesn't get spread beyond your own
filters: they _all_ HELO as list.mediresource.com...

[We've seen over 12,000 different IPs doing it in the past hour or
three.  This must be a "newish" template writer.  More likely never knew
that such a blatant giveaway would do him harm, as opposed to
forgetting.  This will probably be short-lived. But you never know -
I've seen a giveaway like this last for over a year.]

It's entirely normal for bot writers to build templates off of email
samples they've acquired.  In this particular case, it might even be
possible to track it back to _who_ actually had the email.

However, as this is the second instance of this (another set of DKIM
forgeries appeared about a week ago) I suspect one particular spammer
_thinks_ the DKIM signatures will improve his deliverability.  Whether
he understands that it won't verify OR he presumes (and he may be right)
that just mentioning DKIM in the headers might actually work more often
than not, I'm not going to guess.

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
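Why a DKIM-Signature header copied verbatim into a spam template fails the moment the To: header (or the body) is replaced, as a worked example added here; this is not code from the thread or from any DKIM library. It implements the RFC 4871 "relaxed" header and "simple" body canonicalization and the hash-input layout of the signature, with one labelled simplification: HMAC-SHA256 over a shared key stands in for the RSA signature real DKIM uses. The message, key, domain and selector are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: the "legitimate" message whose headers a spam template copied.
LEGIT_HEADERS = [
    ("From", "Newsletter <news@example.com>"),
    ("To", "alice@example.org"),
    ("Subject", "Weekly update"),
    ("Date", "Tue, 13 Jan 2009 20:46:39 -0500"),
]
LEGIT_BODY = "Hello Alice,\r\n\r\nThis week's news.\r\n"
SIGNED_HEADERS = ["from", "to", "subject"]          # the h= list; Date is deliberately unsigned
KEY = b"example-key-not-a-real-dkim-key"             # assumption: HMAC key in place of an RSA key


def relaxed_header(name, value):
    """RFC 4871 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)     # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse WSP runs, strip ends
    return f"{name.lower()}:{value}\r\n"


def simple_body(body):
    """RFC 4871 3.4.3 'simple' body canonicalization: drop trailing empty lines, end with CRLF."""
    return re.sub(r"(\r\n)+\Z", "", body) + "\r\n"


def select_headers(headers, h_list):
    """Headers in h= order; a repeated name is taken bottom-up, and a missing one is skipped."""
    remaining = list(headers)
    out = []
    for name in h_list:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                out.append(relaxed_header(*remaining.pop(i)))
                break
    return "".join(out)


def body_hash(body):
    return base64.b64encode(hashlib.sha256(simple_body(body).encode()).digest()).decode()


def signature_input(headers, h_list, sig_without_b):
    """RFC 4871 3.7: signed headers, then the DKIM-Signature header itself with empty b= and no final CRLF."""
    tail = relaxed_header("DKIM-Signature", sig_without_b).rstrip("\r\n")
    return select_headers(headers, h_list) + tail


def dkim_sign(headers, body, h_list, key, domain="example.com", selector="sel"):
    """Return the DKIM-Signature header value (HMAC stands in for RSA-SHA256)."""
    sig = (f"v=1; a=hmac-sha256; c=relaxed/simple; d={domain}; s={selector}; "
           f"h={':'.join(h_list)}; bh={body_hash(body)}; b=")
    mac = hmac.new(key, signature_input(headers, h_list, sig).encode(), hashlib.sha256).digest()
    return sig + base64.b64encode(mac).decode()


def parse_tags(sig_value):
    tags = {}
    for part in sig_value.split(";"):
        part = part.strip()
        if part:
            k, v = part.split("=", 1)   # bh= and b= values carry '=' padding, so split once
            tags[k.strip()] = v.strip()
    return tags


def dkim_verify(headers, body, sig_value, key):
    """True only if both the body hash and the header signature check out."""
    tags = parse_tags(sig_value)
    if tags.get("v") != "1" or tags.get("bh") != body_hash(body):
        return False
    h_list = tags["h"].split(":")
    sig_without_b = re.sub(r"(;\s*)b=[^;]*", r"\1b=", sig_value)
    expected = hmac.new(key, signature_input(headers, h_list, sig_without_b).encode(),
                        hashlib.sha256).digest()
    try:
        given = base64.b64decode(tags.get("b", ""))
    except ValueError:
        return False
    return hmac.compare_digest(expected, given)


def demo():
    """Sign the legitimate message, then reuse its signature on the spammer's variants."""
    legit_sig = dkim_sign(LEGIT_HEADERS, LEGIT_BODY, SIGNED_HEADERS, KEY)
    new_to = [(n, "victim@example.net" if n == "To" else v) for n, v in LEGIT_HEADERS]
    new_date = [(n, "Wed, 14 Jan 2009 01:00:00 -0500" if n == "Date" else v) for n, v in LEGIT_HEADERS]
    return {
        "legit": dkim_verify(LEGIT_HEADERS, LEGIT_BODY, legit_sig, KEY),
        "copied_sig_new_to": dkim_verify(new_to, LEGIT_BODY, legit_sig, KEY),
        "copied_sig_new_body": dkim_verify(LEGIT_HEADERS, "Buy now!\r\n", legit_sig, KEY),
        "copied_sig_unsigned_header_changed": dkim_verify(new_date, LEGIT_BODY, legit_sig, KEY),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:38s} verifies: {ok}")
```

The fourth case is the caveat worth keeping in mind when judging a forged signature: only the headers named in h= are covered, so a copied signature survives changes to anything outside that list, and a verifier should treat "DKIM present" and "DKIM verified" as very different signals.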
