[SpamCop.net - protecting the internet through technology]

[SpamCop-List] Re: SpamCop ignored header in spam - why is this?

Mike Easter MikeE at ster.invalid
Mon Feb 20 20:09:18 EST 2006


Geoffrey Hyde wrote:

>  I wasn't quite sure, as I was fairly sure
> that second line was a standard looking line.

It might be of some value to talk about the first line as a standard
looking line.

Received: from 144235120 ([201.21.217.71]) by imta05ps.mx.bigpond.com
with SMTP id
<20060220223113.YUAV16146.imta05ps.mx.bigpond.com at 144235120> for <x>;
Mon, 20 Feb 2006 22:31:13 +0000

I would characterize that line as being of the configuration:

Received: from helo ([so.ur.ce.ip]) by receiv.ing.server.name with
somestuff for an address; timestamp

which is a very standard configuration.  There is a lot of variability
about what goes into 'somestuff' and whether or not there is a 'for'
field with an address.  But the from field has to contain the source IP
to be compliant, and the 'by' field has to contain the server's name,
and there has to be a proper timestamp, and the line has to be
constructed and folded properly like all of the headerlines.

At the very least the line should say:

Received: from helo ([so.ur.ce.ip]) by receiv.ing.server.name with
somestuff; timestamp

and somestuff can be very brief.

Using a helo of 144235120 strikes me as a very odd and suspicious
behavior, and of itself raises the specter of bogosity, borne out by
what comes next.  That is, everything from that helo to the next line
becomes suspicious.  Not good forgery behavior.

The bogus line:

Received: from giftinstitute.com (144237208 [145027128]) by
C915D947.poa.virtua.com.br (Qmailv1) with ESMTP id 7CA43F5C53 for <x>;
Mon, 20 Feb 2006 17:34:01 -0500

... does not contain a source IP of normal dotted quad configuration in
the 'from' field.  The 'by' field is a name which corresponds to the IP
in the 'from' field in the line above, which would [try to] make it look
like a server's behavior, but we uncovered the forgery because the
proxy was known.
-- 
Mike Easter
kibitzer, not SC admin
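The header shape the post lays out (from helo, bracketed source IP, by server, optional for, timestamp after the semicolon) can be checked mechanically. The following is an added example, my own code rather than anything from the post or from SpamCop: it unfolds a Received: line, extracts those fields, and flags the two signs the post calls out, a from field with no dotted-quad source IP and a purely numeric helo. The two sample headers are the ones quoted in the post; the only assumption is that their continuation lines originally began with whitespace, as folded headers do, since the archive stripped that indentation.

```python
import re
from dataclasses import dataclass, field
from email.utils import parsedate_to_datetime
from typing import List, Optional

# The two Received: lines quoted in the post. Leading spaces on the
# continuation lines are assumed (folded headers carry them; the archive
# dropped them). The "at" inside the id is the archive's masking of "@".
STANDARD_LINE = """Received: from 144235120 ([201.21.217.71]) by imta05ps.mx.bigpond.com
 with SMTP id
 <20060220223113.YUAV16146.imta05ps.mx.bigpond.com at 144235120> for <x>;
 Mon, 20 Feb 2006 22:31:13 +0000"""

BOGUS_LINE = """Received: from giftinstitute.com (144237208 [145027128]) by
 C915D947.poa.virtua.com.br (Qmailv1) with ESMTP id 7CA43F5C53 for <x>;
 Mon, 20 Feb 2006 17:34:01 -0500"""

# Strict IPv4 dotted quad: four octets, each 0-255.
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
DOTTED_QUAD = re.compile(rf"^{OCTET}(?:\.{OCTET}){{3}}$")

# The "from helo (comment) by server ... ; timestamp" shape described in the post.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"   # helo as presented by the client
    r"(?:\s+\((?P<paren>[^)]*)\))?"        # optional "(rdns [ip])" comment
    r"\s+by\s+(?P<by>\S+)"                 # receiving server's name
    r"(?P<rest>.*?)"                       # with/id/for clauses, if any
    r";\s*(?P<date>.+)$"                   # timestamp after the semicolon
)


@dataclass
class ReceivedCheck:
    helo: str
    source_ip: Optional[str]       # dotted quad from the from field, or None
    by: str
    timestamp_ok: bool
    findings: List[str] = field(default_factory=list)


def unfold(raw: str) -> str:
    """Join folded header continuation lines (newline + whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw.strip())


def check_received(raw: str) -> ReceivedCheck:
    line = unfold(raw)
    m = RECEIVED_RE.match(line)
    if m is None:
        raise ValueError("not a Received: line of the from/by/timestamp shape")

    findings: List[str] = []
    helo = m.group("helo")

    # The source IP belongs in square brackets inside the parenthesised part.
    bracket = re.search(r"\[([^\]]+)\]", m.group("paren") or "")
    source_ip: Optional[str] = None
    if bracket and DOTTED_QUAD.match(bracket.group(1)):
        source_ip = bracket.group(1)
    else:
        shown = bracket.group(1) if bracket else "nothing"
        findings.append(f"from field has no dotted-quad source IP (found {shown})")

    # A helo made only of digits is the oddity the post points at.
    if helo.isdigit():
        findings.append(f"helo {helo} is purely numeric")

    # The timestamp must be a proper RFC 2822 date.
    try:
        parsedate_to_datetime(m.group("date"))
        timestamp_ok = True
    except (TypeError, ValueError):
        timestamp_ok = False
        findings.append("timestamp does not parse")

    return ReceivedCheck(helo, source_ip, m.group("by"), timestamp_ok, findings)


if __name__ == "__main__":
    for label, raw in (("standard", STANDARD_LINE), ("bogus", BOGUS_LINE)):
        r = check_received(raw)
        print(f"{label}: helo={r.helo} ip={r.source_ip} by={r.by} ts_ok={r.timestamp_ok}")
        for f in r.findings:
            print("   -", f)
```

Run as a script it reports the first line with a valid source IP but a numeric helo, and the second with no source IP at all, which is the distinction the post draws between a suspicious-but-standard line and a forged one.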