Re: SPAM

Chris Stassen (chris@Stassen.COM)
Sat, 18 Jul 1998 10:50:52 -0400

Jan De Koning wrote:
> Please, do not accept any letters from whynot.net. They can apparently
> not control their members.

"WHYNOT.NET" is a common forgery in "Received:" lines. The domain
does not exist. (The "Received:" lines above that forged one
indicate the spam's actual source.) The "Received:" lines starting
from the bottom-most one mentioning ASA's server are read top-down:

] Received: from mail-relay.ubc.ca (mail-relay.ubc.ca [137.82.1.2])
] by ursa.calvin.edu (8.8.7/8.8.7) with ESMTP id OAA14122
] for <asa@calvin.edu>; Tue, 14 Jul 1998 14:52:31 -0400 (EDT)

ASA got it from MAIL-RELAY.UBC.CA.

] Received: from english.ubc.ca (english.ubc.ca [137.82.21.1])
] by mail-relay.ubc.ca [137.82.1.2] (8.8.8/8.8.8) with ESMTP id LAA06005;
] Tue, 14 Jul 1998 11:48:00 -0700 (PDT)

MAIL-RELAY.UBC.CA got it from ENGLISH.UBC.CA

] Received: from UBC_ENGLISH/SpoolDir by english.ubc.ca (Mercury 1.31);
] 14 Jul 98 11:45:13 +1100
] Received: from SpoolDir by UBC_ENGLISH (Mercury 1.31);
] 13 Jul 98 20:42:11 +1100

Two internal mailer hand-offs within ENGLISH.UBC.CA.

] Received: from sat1 by english.ubc.ca (Mercury 1.31);
] 13 Jul 98 20:41:43 +1100

"sat1" is neither a fully qualified domain name, nor is it an IP
address, nor does it look like an internal hand-off. ENGLISH.UBC.CA
isn't configured to tell us where it got the mail from, and that is
why the spammer used it to relay the E-mail (to hide his actual ISP
so he won't get kicked off). Every "Received:" line below this point
cannot be trusted and is almost certainly forged.

Complain to "postmaster@english.ubc.ca" or "postmaster@ubc.ca"
(ubc.ca is the University of British Columbia), and tell them to
fix their mailer so that (1) it reports IP addresses of connections
(so we could tell where the spammer was operating from), and (2) it
doesn't relay (so that the spammer couldn't have reflected the spam
off of it anyway).

] Received: from login_0246.whynot.net (mx.whynot.net[206.212.231.88])
] by whynot.net (8.8.5/8.7.3) with SMTP id XAA02934 for
] sender422@whynot.net; Mon, 13 July 1998 19:47:35 -0700 (EDT)

Forged. Cues: "mx.whynot.net" is advertised as the inverse-lookup
of 206.212.231.88, but that domain does not exist (and that IP
address doesn't have reverse DNS). EDT is not seven hours behind
(-0700) GMT.

Also seen within the spam:
] <A HREF="mailto:getasite@usa.net">

Also complain to USA.NET (abuse@usa.net) and tell them to terminate
the account that the spammer is using to collect replies.

-- Chris (chris@stassen.com)
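An added Python example (not part of the original message or of any mailer's code) that mechanises the checks applied above: it walks the quoted Received: chain top-down, notes which hops recorded a connecting IP, flags bare client names and zone-abbreviation/offset mismatches, and reports where the chain stops being verifiable. The headers are re-typed from the post as constructed sample input; the regular expressions assume the conventional sendmail/Mercury phrasing seen here, and whether a bare name is an internal hand-off or an abused relay is still the reader's judgement.

```python
import re

# Constructed sample: the Received: chain quoted in the message above, in the
# order it appeared in the spam's headers (newest hop first).
SAMPLE_RECEIVED = [
    "from mail-relay.ubc.ca (mail-relay.ubc.ca [137.82.1.2]) by ursa.calvin.edu"
    " (8.8.7/8.8.7) with ESMTP id OAA14122 for <asa@calvin.edu>;"
    " Tue, 14 Jul 1998 14:52:31 -0400 (EDT)",
    "from english.ubc.ca (english.ubc.ca [137.82.21.1]) by mail-relay.ubc.ca"
    " [137.82.1.2] (8.8.8/8.8.8) with ESMTP id LAA06005;"
    " Tue, 14 Jul 1998 11:48:00 -0700 (PDT)",
    "from UBC_ENGLISH/SpoolDir by english.ubc.ca (Mercury 1.31); 14 Jul 98 11:45:13 +1100",
    "from SpoolDir by UBC_ENGLISH (Mercury 1.31); 13 Jul 98 20:42:11 +1100",
    "from sat1 by english.ubc.ca (Mercury 1.31); 13 Jul 98 20:41:43 +1100",
    "from login_0246.whynot.net (mx.whynot.net[206.212.231.88]) by whynot.net"
    " (8.8.5/8.7.3) with SMTP id XAA02934 for sender422@whynot.net;"
    " Mon, 13 July 1998 19:47:35 -0700 (EDT)",
]

# Numeric offsets the zone abbreviations imply; used for the "EDT is not -0700" check.
TZ_OFFSET = {"EDT": "-0400", "EST": "-0500", "PDT": "-0700", "PST": "-0800",
             "GMT": "+0000", "UTC": "+0000"}
HOP_RE = re.compile(r"from\s+(\S+)\s*(.*?)\s+by\s+(\S+)", re.S)  # from <name> <detail> by <host>
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")              # bracketed connecting IP
TZ_RE = re.compile(r"([+-]\d{4})\s*\(([A-Z]{3,4})\)")              # e.g. "-0400 (EDT)"

def analyze_chain(received):
    """Walk Received: lines top-down. The chain is verifiable only while each
    receiving server recorded the IP of the host that connected to it; every
    line below the first gap is merely claimed and cannot be checked."""
    hops, verified_through = [], -1
    for i, line in enumerate(received):
        claimed, detail, by = HOP_RE.search(line).groups()  # assumes well-formed lines
        ip = IP_RE.search(detail)
        findings = []
        if ip is None:
            findings.append("no connecting IP recorded by " + by)
        elif verified_through == i - 1:
            verified_through = i  # unbroken run of IP-logged hops continues
        if "." not in claimed:
            findings.append("bare client name %r (not an FQDN or IP literal)" % claimed)
        tz = TZ_RE.search(line)
        if tz and TZ_OFFSET.get(tz.group(2), tz.group(1)) != tz.group(1):
            findings.append("%s does not match offset %s" % (tz.group(2), tz.group(1)))
        hops.append({"from": claimed, "by": by, "ip": ip and ip.group(1),
                     "findings": findings})
    # Lines below the last verified hop rest on the word of the host it names as client.
    boundary = hops[verified_through]["from"] if verified_through >= 0 else None
    return {"hops": hops, "verified_through": verified_through, "self_reported_by": boundary}
```

On the sample chain the report stops being verifiable after hop 1 (mail-relay.ubc.ca receiving from english.ubc.ca), flags "sat1" as a bare name with no IP, and flags the whynot.net line's EDT/-0700 contradiction.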