On 17 Nov 2003 11:25 UTC "Barry Murphy" wrote: | I received the same message 8 times to the same address with about | 2-3 per hour. My spamassasin picked them up but the strange thing was | they all came from different IP addresses and I couldn't traceroute | any of them... You've assumed the handoff between received lines was valid; it wasn't. The "earlier" received line in each case was totally bogus: there is now a variety of custom "spamware" that forges a Received: header and carefully matches the fake details to the reverse DNS of the proxy or trojan machine that the spammer is actually sending from. That makes it almost impossible to know that the line is is in fact forged, unless you spot some little detail that they get wrong ... like (as in some of the cases that you quoted), the fact that the fake sending IP in the forged header is in a block that's either unannounced or completely unroutable! | IP addresses they were sent from: 99.27.67.200 IANA Reserved 202.163.151.24 Assigned but not announced 89.87.209.213 IANA Reserved 112.188.234.68 IANA Reserved 45.38.78.200 Interop Show Network 244.128.164.67 Unroutable 168.80.80.67 UUNET Internet Africa 64.215.105.194 64.215.105.194 | the messages were stopped as they were listed in blacklists. Blocklist tests are normally done on the most recent Received: line, as unless that line is OK, previous lines cannot usually be trusted. | The thing I don't understand is that there was no consistency, all | the emails from different IP's, all different forged header fields, | all not tracerouteable and within 30 minutes of each other to an | address only listed on a new zealand website. I can traceroute to some of the IPs you listed so it may be that traceroute packets have been blocked at your gateway. There are currently very some good reasons why network administrators do that! Because of the level of filtering, spammers now try to send the same mail from different proxies/zombies to be sure of getting it through. Different IPs are in different blocklists, and spammers can't tell what blocklist your ISP - or that of any other victim - uses. They can't even tell whether mail gets through at all because many systems are now configured to drop the mail rather than reject it. I won't pass comment on that policy, but we all know it happens. Hence to get better delivery figures, spammers now have to send out multiple copies. Their systems randomise all the variable factors - fake mail client, fake origin, fake sender name, random subject line etc, and loads of random garbage text in the spam body to foil any checksum detection of bulk mailing. | Weird, sounds very much like the spam system explained on the list | not too long ago. While it may well use that system, multiple proxy/trojan sending boxes are now becoming a standard spammer-modus-operandi! Joe Abley replied: | It seems to be fairly commonplace these days for (a) spam to be | vectored through widely-distributed sets of open proxies or infected | windows drones and (b) for unallocated or normally unadvertised space | to be advertised transiently in order to provide temporary addresses | to bind SMTP clients to. (a) is normal, for sure, but (b) - although theoretically trivial to do - is not yet in common use. Bogus announcements would need to be visible every place the spammer wanted to send to, and would then be visible at the route-collectors which report into systems like RIPE's RIS server and that in turn would allow them to be identified from a lookup at http://www.ripe.net/ripencc/pub-services/np/ris/index.html -- Richard Cox \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ Contribute to the SpamCon Legal Fund!! http://www.spamcon.org/legalfund/