[SpamCop-List] Re: Fake NDR contains false headers in "bounced" msg
John E. Malmberg
wb8tyw at qsl.network
Sun Aug 15 20:49:48 EDT 2004
Don Wannit wrote:
> Found in my held mail on SC:
>
> http://www.spamcop.net/sc?id=z605247903zd22b1637ec0dd24d38a5b7004e39126cz
Unfortunately, more information than is present in the tracker is needed
to confirm your diagnosis.
> In this forgery, the spammer put in the IP and name of our primary MX.
> The only problem is that that particular machine has been out of service
> for the weekend. Oops! Bad timing...
It can take a week for a bounce message to make it back, so it is still
within the timing window to be a response to a real message.
> The moral of the story: spam addresses and related data can go stale.
> Observe the "Best when enjoyed by __" date :-)
>
> The real moral of the story: don't trust the contents of a bouncy-gram.
> It's just as easily faked as the From: address. More easily, in fact.
There is at least one spammer that was seen generating such fake
headers. A few months ago there was a thread on the web thingy about
the OEM Software spammers, who are apparently the ones being discussed
in the thread "Still not parsing correctly."
They were spamming through an open proxy, and putting fake headers below
it to make it look like the open proxy was an open relay that accepted
the spam from a real mail server. The spamcop.net parser was fixed to
catch this forgery, and that is one of the reasons for the mail hosts.
There is a spamhaus.org reference to that, which I mentioned in the other thread.
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL18652
22.222.48.0/24 is listed on the Spamhaus Block List (SBL)
14-Aug-2004 18:03 GMT | SR14
holdtiff.com (Malena Management) / ITCT World Trade Company
Persistently spamming by "forge-attacking" anti-spam activist
domains in the 'From:' message-envelopes.
-John
wb8tyw at qsl.network
Personal Opinion Only
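The forgery described above (fake Received: lines placed below the open proxy's hop, so that a bottom-up reader takes the proxy for a relay that accepted the mail from a legitimate server) and the mail-host approach that defeats it can be shown with a small header walker. This is an added example and not code from the original post or from the spamcop.net parser; the message, host names and addresses are constructed (RFC 5737 test networks), and TRUSTED_HOSTS stands in for the mail hosts a reporting user registers.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample message (not from the original post; RFC 5737 test
# addresses). Received: lines read top-down, newest first. The top line was
# written by the receiving MX and is the only one it can vouch for. The two
# lines below it were pre-written by the spammer and pushed through the open
# proxy 203.0.113.45 so that, read bottom-up, the proxy looks like a relay
# that accepted the mail from mail.bigisp.example.
SAMPLE_MSG = """\
Received: from proxy.example.net ([203.0.113.45])
\tby mx.spamcop.example (Postfix) with SMTP id 1A2B3C
\tfor <victim@spamcop.example>; Sun, 15 Aug 2004 20:10:02 -0400
Received: from mail.bigisp.example ([198.51.100.7])
\tby proxy.example.net with ESMTP id 9Z8Y7X;
\tSun, 15 Aug 2004 20:09:55 -0400
Received: from user-pc.bigisp.example ([192.0.2.33])
\tby mail.bigisp.example with ESMTP id 4D5E6F;
\tSun, 15 Aug 2004 20:09:50 -0400
From: someone@bigisp.example
Subject: OEM software

body
"""

# Hypothetical "mail hosts": the MXs the reporting user has told the parser to
# trust. Only Received: lines written *by* one of these are believed.
TRUSTED_HOSTS: Set[str] = {"mx.spamcop.example"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Split the header block into (name, value) pairs, joining RFC 5322
    continuation lines (those starting with whitespace) onto the previous one."""
    header_block = raw.split("\n\n", 1)[0]
    headers: List[Tuple[str, str]] = []
    for line in header_block.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_received(value: str) -> Optional[Dict[str, str]]:
    """Pull the claimed sender, its bracketed IP and the receiving host out of
    one unfolded Received: value. Lines missing any of the three are skipped."""
    m_from = re.search(r"\bfrom\s+(\S+)", value, re.I)
    m_by = re.search(r"\bby\s+(\S+)", value, re.I)
    m_ip = IP_RE.search(value)
    if not (m_from and m_by and m_ip):
        return None
    return {
        "from_host": m_from.group(1).lower(),
        "from_ip": m_ip.group(1),
        "by_host": m_by.group(1).lower(),
    }


def received_chain(raw: str) -> List[Dict[str, str]]:
    """All parseable Received: hops, top (newest) first."""
    parsed = (parse_received(v) for n, v in unfold_headers(raw) if n == "received")
    return [hop for hop in parsed if hop]


def naive_origin(raw: str) -> Optional[str]:
    """The approach the forgery targets: trust every hop and report the
    bottommost 'from' IP as the source, so a forged bottom line wins."""
    chain = received_chain(raw)
    return chain[-1]["from_ip"] if chain else None


def trusted_origin(raw: str, trusted: Set[str]) -> Tuple[Optional[str], List[Dict[str, str]]]:
    """Walk the chain top-down only while the 'by' host is a trusted mail host.
    The first hop handed in from a non-trusted host is the injection point;
    every hop below it was under that host's control and is returned
    separately as unverifiable rather than used."""
    chain = received_chain(raw)
    for i, hop in enumerate(chain):
        if hop["by_host"] not in trusted:
            # Chain left the trusted hosts without an external handoff: the
            # remaining lines cannot be verified, so report nothing.
            return None, chain[i:]
        if hop["from_host"] not in trusted:
            return hop["from_ip"], chain[i + 1:]
    return None, []


if __name__ == "__main__":
    print("bottom-up (fooled):", naive_origin(SAMPLE_MSG))
    origin, discarded = trusted_origin(SAMPLE_MSG, TRUSTED_HOSTS)
    print("mail-host aware   :", origin)
    for hop in discarded:
        print("  unverifiable hop:", hop)
```

The walk descends only through lines written by a trusted host and stops at the first external handoff, because the forger can write anything below that point, including lines that claim to be "by" a trusted host, but cannot change the line the trusted MX stamps on top. When the topmost line is not from a known mail host the function reports nothing instead of guessing, which is the "more information than is in the tracker" situation.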