How does a spammer hide the destination address?
Jerry Feldman
gaf-mNDKBlG2WHs at public.gmane.org
Wed Oct 13 16:23:41 EDT 2010
Unfortunately I don't have an answer, but there are a couple of clues.
First, centerforgastricbypass.com is legit (as far as it has a web site
and a mailman list, but it is not listed with the BBB). While it does
appear that they do have a mailman list, the list name,
highereducation_centerforgastricbypass.com does not appear to be valid.
But there are a couple of clues. First:
Received: from JSIBUREXCH1.jsi.jc.com ([10.129.8.206]) by
JSIBUREXCH1.jsi.jc.com ([10.129.8.206]) with mapi; Fri, 24 Sep 2010
08:36:14
Second:
(envelope-from <JPOTTER-ZRT4fz0Bk4bg0w+fcA3fQEEOCMrvLtNR at public.gmane.org>)
But neither of those explains how this gets to Kathy:
Received: from mail.phi.elinuxservers.com (mail.phi.elinuxservers.com
[72.34.56.205]) by smtpserver.MYCOMPANY.com (Postfix) with ESMTP id
9B0F9F728
for <kathy-q4gzWf+mIc+ffZTbxLCQjg at public.gmane.org>; Fri, 24 Sep 2010 09:36:47 -0400 (EDT)
I'm wondering if the entire message header itself is forged at jc.com.
On 09/24/2010 10:47 AM, scottmarydavidsam-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org wrote:
> Sorry if this is a bit off topic but you guys and ladies seem to have a
> thorough understanding of SMTP rules, I'm hoping you can help me learn...
>
> One of our users ("kathy" in the header below) has received about 30
> messages from other people trying to unsubscribe from a mailing list called
> centerforgastricbypass.com. This domain has nothing to do with our company
> and she is in no way associated with that organization. I could block the
> messages at our gateway but I'm curious how this could be happening; there
> is no indication in the message that it's going to her until you look at the
> header (see below).
>
> I used the Sam Spade email header parser (a VERY cool tool by the way) and I
> can see where the suspicious activity begins as well as her address, but it's
> not clear to me how that can be hidden in the message itself. I know you can
> hide the sender but I wasn't aware that you can hide the destination
> address. Here's what I'm looking for:
>
> 1) Any ideas on how the destination email address can be hidden so that you
> can't see it outside of the header, but it routes properly?
> 2) Suggestions on how to stop this aside from simply blocking the domain?
>
> Thanks in advance.
> Scott
>
> Note, I've replaced the following information in the header:
> The name of my company replaced with MYCOMPANY
> The IP address of my external smtp server replaced with 10.0.0.0
> My server names have been changed to smtpserver, spamscanner and email.
> Internally, my mail goes from the Internet to "smtpserver" (SuSE linux
> running Postfix, ClamAV and SpamAssassin IP=10.0.0.0), then to "spamscanner"
> (Barracuda Spam Firewall IP=10.6.10.2), then to "email" (MS Exchange mailbox
> server).
> Sorry for all the obfuscation but I'm the paranoid, cynical one.
>
> ****HEADER START****
> Received: from spamscanner.MYCOMPANY.com (10.6.10.2) by email.MYCOMPANY.com
>  (10.6.10.62) with Microsoft SMTP Server id 8.1.375.2; Fri, 24 Sep 2010
>  09:36:52 -0400
> X-ASG-Debug-ID: 1285335409-0777d7050001-zFyv9T
> Received: from smtpserver.MYCOMPANY.com (smtpserver.MYCOMPANY.com[10.0.0.0])
>  by spamscanner.MYCOMPANY.com with ESMTP id 1kpAEwhySQxtIYRM for
>  <kathy-q4gzWf+mIc+ffZTbxLCQjg at public.gmane.org>; Fri, 24 Sep 2010 09:36:49 -0400 (EDT)
> X-Barracuda-Envelope-From:
>  highereducation-bounces-+W/nxiUF/q+PG+0iJ8KoT7wmdA9tuvIw0E9HWUfgJXw at public.gmane.org
> X-Barracuda-RBL-Trusted-Forwarder: 10.0.0.0
> X-Virus-Scanned: amavisd-new at MYCOMPANY.com
> Received: from smtpserver.MYCOMPANY.com ([127.0.0.1]) by smtpserver.MYCOMPANY.com
>  (smtpserver.MYCOMPANY.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id
>  sS21p+3XsK7X for <kathy-q4gzWf+mIc+ffZTbxLCQjg at public.gmane.org>; Fri, 24 Sep 2010 09:36:49 -0400 (EDT)
> Received: by smtpserver.MYCOMPANY.com (Postfix, from userid 65534) id EE558F72B;
>  Fri, 24 Sep 2010 09:36:48 -0400 (EDT)
> X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on
>  smtpserver.MYCOMPANY.com
> X-Barracuda-BWL-IP: nil
> X-Barracuda-BBL-IP: nil
> X-Spam-Level:
> X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=disabled
>  version=3.1.8
> Received: from mail.phi.elinuxservers.com (mail.phi.elinuxservers.com
>  [72.34.56.205]) by smtpserver.MYCOMPANY.com (Postfix) with ESMTP id 9B0F9F728
>  for <kathy-q4gzWf+mIc+ffZTbxLCQjg at public.gmane.org>; Fri, 24 Sep 2010 09:36:47 -0400 (EDT)
> Received: from localhost ([127.0.0.1]:37827 helo=phi.elinuxservers.com)
>  by phi.elinuxservers.com with esmtp (Exim 4.69) (envelope-from
>  <highereducation-bounces-+W/nxiUF/q+PG+0iJ8KoT7wmdA9tuvIw0E9HWUfgJXw at public.gmane.org>) id
>  1Oz8Rz-00046I-AE; Fri, 24 Sep 2010 06:36:31 -0700
> X-Barracuda-Apparent-Source-IP: 72.34.56.205
> Received: from [65.55.88.15] (port=46782 helo=TX2EHSOBE010.bigfish.com)
>  by phi.elinuxservers.com with esmtps (TLSv1:RC4-MD5:128) (Exim 4.69)
>  (envelope-from <JPOTTER-ZRT4fz0Bk4bg0w+fcA3fQEEOCMrvLtNR at public.gmane.org>) id 1Oz8Rr-00043u-FS for
>  highereducation-+W/nxiUF/q+PG+0iJ8KoT7wmdA9tuvIw0E9HWUfgJXw at public.gmane.org; Fri, 24 Sep 2010 06:36:23 -0700
> Received: from mail51-tx2-R.bigfish.com (10.9.14.249) by
>  TX2EHSOBE010.bigfish.com (10.9.40.30) with Microsoft SMTP Server id
>  8.1.340.0; Fri, 24 Sep 2010 13:36:22 +0000
> Received: from mail51-tx2 (localhost.localdomain [127.0.0.1]) by
>  mail51-tx2-R.bigfish.com (Postfix) with ESMTP id 5D85A13D03B5 for
>  <highereducation-+W/nxiUF/q+PG+0iJ8KoT7wmdA9tuvIw0E9HWUfgJXw at public.gmane.org>; Fri, 24 Sep 2010 13:36:21 +0000 (UTC)
> X-SpamScore: -76
> X-BigFish: VS-76(zzbb2cK936eK1936M98dN8f9KJ9b49M9371Pf4eM2bm581bkzz1202hzz8275bh8275dh8275chz32i54h54h2a8h2a8h61h)
> Received: from mail51-tx2 (localhost.localdomain [127.0.0.1]) by mail51-tx2
>  (MessageSwitch) id 1285335379651522_30037; Fri, 24 Sep 2010 13:36:19 +0000 (UTC)
> Received: from TX2EHSMHS033.bigfish.com (unknown [10.9.14.249]) by
>  mail51-tx2.bigfish.com (Postfix) with ESMTP id 91B9510D0052 for
>  <highereducation-+W/nxiUF/q+PG+0iJ8KoT7wmdA9tuvIw0E9HWUfgJXw at public.gmane.org>; Fri, 24 Sep 2010 13:36:19 +0000 (UTC)
> Received: from JSIBUREXCH1.jsi.jc.com (207.250.41.10) by
>  TX2EHSMHS033.bigfish.com (10.9.99.133) with Microsoft SMTP Server (TLS) id
>  14.0.482.44; Fri, 24 Sep 2010 13:36:16 +0000
> Received: from JSIBUREXCH1.jsi.jc.com ([10.129.8.206]) by
>  JSIBUREXCH1.jsi.jc.com ([10.129.8.206]) with mapi; Fri, 24 Sep 2010 08:36:14 -0500
> To: "'highereducation-+W/nxiUF/q+PG+0iJ8KoT7wmdA9tuvIw0E9HWUfgJXw at public.gmane.org'"
>  <highereducation-+W/nxiUF/q+PG+0iJ8KoT7wmdA9tuvIw0E9HWUfgJXw at public.gmane.org>
> Date: Fri, 24 Sep 2010 08:36:13 -0500
> Thread-Topic: re: Unsubscribe Now
> Thread-Index: Actb6trEGrUZnItZR9Sl36TIb6tn0AAAnMVQ
> Message-ID: <4EAA1F65D4BF9643B29D49BA91D1B8B7061EADDD5E-f1fvaT6zodUQnyS5CCKUSE6mMMnipbAr at public.gmane.org>
> References: <690513948.2073089.1285279441770.JavaMail.root-KX4rQBZWipms1RcX6exeh1Wh7bxQi8rY930Pai70D+E at public.gmane.orgil.comcast.net>
>  <313936AA-24DE-47BB-B37D-66FB9469D7A6-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
>  <E5905D514B58C64CA7DCB67880179AA303BD67A1-UVm4moXmuN36JBhQPshQ78yQ5I+1RJ7B9/hku2waqpg at public.gmane.orgrg>
>  <AAA8BFC8-118B-4242-8775-294B870F9578-Wuw85uim5zDR7s880joybQ at public.gmane.org>
> In-Reply-To: <AAA8BFC8-118B-4242-8775-294B870F9578-Wuw85uim5zDR7s880joybQ at public.gmane.org>
> Accept-Language: en-US
> Content-Language: en-US
> X-MS-Has-Attach: yes
> X-MS-TNEF-Correlator:
> acceptlanguage: en-US
> MIME-Version: 1.0
> X-Reverse-DNS: pc10.bbcmkids.org
> X-Pass-two: yes
> From: <highereducation-+W/nxiUF/q+PG+0iJ8KoT7wmdA9tuvIw0E9HWUfgJXw at public.gmane.org>
> Subject: Re: re: Unsubscribe Now
> X-BeenThere: highereducation-+W/nxiUF/q+PG+0iJ8KoT7wmdA9tuvIw0E9HWUfgJXw at public.gmane.org
> X-ASG-Orig-Subj: Re: re: Unsubscribe Now
> X-Mailman-Version: 2.1.12.cp3
> Precedence: list
> List-Id: <highereducation_centerforgastricbypass.com.admin.com>
> List-Unsubscribe: <http://centerforgastricbypass.com/mailman/options/highereducation_centerforgastricbypass.com>,
>  <mailto:highereducation-request-+W/nxiUF/q+PG+0iJ8KoT7wmdA9tuvIw0E9HWUfgJXw at public.gmane.org?subject=unsubscribe>
> List-Archive: <http://centerforgastricbypass.com/pipermail/highereducation_centerforgastricbypass.com>
> List-Post: <mailto:highereducation-+W/nxiUF/q+PG+0iJ8KoT7wmdA9tuvIw0E9HWUfgJXw at public.gmane.org>
> List-Help: <mailto:highereducation-request-+W/nxiUF/q+PG+0iJ8KoT7wmdA9tuvIw0E9HWUfgJXw at public.gmane.org?subject=help>
> List-Subscribe: <http://centerforgastricbypass.com/mailman/listinfo/highereducation_centerforgastricbypass.com>,
>  <mailto:highereducation-request-+W/nxiUF/q+PG+0iJ8KoT7wmdA9tuvIw0E9HWUfgJXw at public.gmane.org?subject=subscribe>
> Content-Type: multipart/mixed; boundary="===============0532483588=="
> Sender: <highereducation-bounces-+W/nxiUF/q+PG+0iJ8KoT7wmdA9tuvIw0E9HWUfgJXw at public.gmane.org>
> Errors-To: highereducation-bounces-+W/nxiUF/q+PG+0iJ8KoT7wmdA9tuvIw0E9HWUfgJXw at public.gmane.org
> X-AntiAbuse: This header was added to track abuse, please include it with
>  any abuse report
> X-AntiAbuse: Primary Hostname - phi.elinuxservers.com
> X-AntiAbuse: Original Domain - MYCOMPANY.com
> X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
> X-AntiAbuse: Sender Address Domain - centerforgastricbypass.com
> X-Source:
> X-Source-Args:
> X-Source-Dir:
> X-Barracuda-Connect: smtpserver.MYCOMPANY.com[10.0.0.0]
> X-Barracuda-Start-Time: 1285335409
> X-Barracuda-URL: http://10.6.10.2:8000/cgi-mod/mark.cgi
> X-Virus-Scanned: by bsmtpd at MYCOMPANY.com
> X-Barracuda-Bayes: INNOCENT GLOBAL 0.4922 1.0000 0.0000
> X-Barracuda-Spam-Score: 0.00
> X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=3.5
>  QUARANTINE_LEVEL=1000.0 KILL_LEVEL=4.5 tests=HTML_MESSAGE, MIME_HTML_MOSTLY,
>  NO_REAL_NAME
> X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.41758
>  Rule breakdown below
>   pts rule name              description
>  ---- ---------------------- --------------------------------------------------
>  0.00 NO_REAL_NAME           From: does not include a real name
>  0.00 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
>  0.00 HTML_MESSAGE           BODY: HTML included in message
> Return-Path: highereducation-bounces-+W/nxiUF/q+PG+0iJ8KoT7wmdA9tuvIw0E9HWUfgJXw at public.gmane.org
> ****HEADER END****
-- 
Jerry Feldman <gaf-mNDKBlG2WHs at public.gmane.org>
Boston Linux and Unix
PGP key id: 537C5846
PGP Key fingerprint: 3D1B 8377 A3C0 A5F2 ECBB CA3B 4607 4319 537C 5846
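The mechanics behind Scott's question, with a script to check them on your own mail, as an added example that is not from the original post or either of its authors. Where a message is delivered is decided by the SMTP envelope recipient (the RCPT TO address given during the SMTP transaction), not by the To: header. A Mailman list sends each subscriber's copy with RCPT TO set to that subscriber while To: still names the list, and a receiving MTA may record the envelope address only in the `for <...>` clause of the Received: header it adds, which is why the address appears nowhere in the visible message and the mail still routes. For forensics it also matters which Received: headers you can trust: those written by your own hosts are reliable, while everything that arrived with the message from outside could have been altered, which is the doubt Jerry raises about jc.com. The script below parses the Received: chain oldest-first, finds the hop where your own gateway accepted the message from outside, and reports the envelope recipient recorded there against the addresses visible in To:/Cc:. `SAMPLE` is a constructed message modelled on the posted trace; every host name, address and queue id in it is a placeholder, with `example.com` standing in for MYCOMPANY.com.

```python
"""Trace Received: headers and find where the SMTP envelope recipient
(RCPT TO) diverges from the visible To:/Cc: headers.

Added example for this thread, not code from the original post. SAMPLE is
constructed and modelled on the posted trace; all names are placeholders."""
import re
from datetime import timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

SAMPLE = """\
Received: from scanner.example.com (10.6.10.2) by mailbox.example.com
 (10.6.10.62) with Microsoft SMTP Server id 8.1.375.2; Fri, 24 Sep 2010
 09:36:52 -0400
Received: from gateway.example.com (gateway.example.com [10.0.0.0])
 by scanner.example.com with ESMTP id QID1 for
 <kathy@example.com>; Fri, 24 Sep 2010 09:36:49 -0400 (EDT)
Received: from mail.list-host.invalid (mail.list-host.invalid [192.0.2.10])
 by gateway.example.com (Postfix) with ESMTP id QID2
 for <kathy@example.com>; Fri, 24 Sep 2010 09:36:47 -0400 (EDT)
Received: from [203.0.113.15] (helo=relay.sender.invalid)
 by mail.list-host.invalid with esmtps (Exim 4.69)
 (envelope-from <jpotter@sender.invalid>) id QID3
 for highereducation@list-host.invalid; Fri, 24 Sep 2010 06:36:23 -0700
To: <highereducation@list-host.invalid>
From: <highereducation@list-host.invalid>
Subject: Re: re: Unsubscribe Now
List-Id: <highereducation.list-host.invalid>

(body omitted)
"""

# Clauses of one unfolded Received: header. Only the 'by' host is vouched
# for by the MTA that wrote the header; 'from' is what the peer claimed.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"
    r".*?\bby\s+(?P<by>\S+)"
    r"(?:.*?\bfor\s+<?(?P<rcpt>[^\s<>;]+)>?)?"   # envelope recipient, if recorded
    r".*?;\s*(?P<date>.+)$"                      # timestamp after the ';'
)


def parse_hops(msg):
    """Delivery hops oldest first. Each MTA prepends its own Received:
    header, so the last Received: in the message is the first hop."""
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(str(raw).split())          # unfold onto one line
        hop = {"from": None, "by": None, "rcpt": None, "time": None, "raw": line}
        m = HOP_RE.search(line)
        if m:
            hop["from"], hop["by"], hop["rcpt"] = m["from"], m["by"], m["rcpt"]
            try:
                hop["time"] = parsedate_to_datetime(m["date"]).astimezone(timezone.utc)
            except (TypeError, ValueError):
                pass                               # malformed date: keep hop, no time
        hops.append(hop)
    hops.reverse()
    return hops


def visible_recipients(msg):
    """Addresses a reader actually sees in the message."""
    fields = []
    for name in ("To", "Cc", "Resent-To"):
        fields += msg.get_all(name, [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def handoff_hop(hops, own_domain):
    """First hop where a host in own_domain accepted the message from outside.
    That header was written by your own MTA, so its 'for' clause is the
    RCPT TO your server really received; earlier hops are untrusted input."""
    suffix = "." + own_domain.lower()
    for hop in hops:
        by, frm = (hop["by"] or "").lower(), (hop["from"] or "").lower()
        if by.endswith(suffix) and not frm.endswith(suffix):
            return hop
    return None


def analyze(raw_message, own_domain):
    """Compare the envelope recipient at the handoff with the visible headers."""
    msg = message_from_string(raw_message)
    hops = parse_hops(msg)
    visible = visible_recipients(msg)
    handoff = handoff_hop(hops, own_domain)
    rcpt = handoff["rcpt"] if handoff else None
    return {
        "hops": hops,
        "visible": sorted(visible),
        "handoff_from": handoff["from"] if handoff else None,
        "envelope_rcpt": rcpt,
        "hidden": rcpt is not None and rcpt.lower() not in visible,
    }


def main():
    report = analyze(SAMPLE, "example.com")
    for i, hop in enumerate(report["hops"], 1):
        stamp = hop["time"].strftime("%H:%M:%S UTC") if hop["time"] else "?"
        print(f"hop {i}: {stamp}  {hop['from']} -> {hop['by']}  for={hop['rcpt']}")
    print("visible recipients:", report["visible"])
    print("envelope recipient at handoff:", report["envelope_rcpt"])
    print("destination hidden from To:/Cc::", report["hidden"])


if __name__ == "__main__":
    main()
```

In the posted trace the equivalent handoff hop is the `Received: from mail.phi.elinuxservers.com ... by smtpserver.MYCOMPANY.com (Postfix) ... for <kathy...>` header: it was written by Scott's own Postfix, and its `for` clause is the one place the destination has to appear. Hops earlier than that (the list host, bigfish, the jc.com Exchange server) arrived as message text and can only be corroborated, not trusted. For Scott's second question, the same `List-Id:`, `Sender:` and `Errors-To:` values that identify these copies are what a header rule at the gateway would key on, which is narrower than blocking the whole domain.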