Mailing List SIMS@mail.stalker.com Message #12380
From: Bill Cole <listbill@scconsult.com>
Subject: Re: Can someone help me understand some principles of spamming?
Date: Wed, 15 Jan 2003 21:19:00 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
At 4:46 PM -0600 1/15/03, Chris Wagner imposed structure on a stream of electrons, yielding:
> That said, is there ANY part of the message header that CAN'T be forged?

> I mean, here's a couple of examples of offending spam that I still can't figure out why I'm not able to block them out with the router.

> Return-Path: <owner-frboardpressreleases@PEACH.EASE.LSOFT.COM>

Ick, something HTML-ized your mail...

However, the Return-Path header is generally unforgeable, as it is added by SIMS. I'm not sure what SIMS would do with a message that already had one, but if the header is above everything else, the last mail server to handle the mail added it, and so it is as reliable as the machine where you are getting the mail from is.

> Delivered-To: ccpresident@journey.com
> Received: from psmtp.com (exprod5mx29.postini.com [64.75.1.184])
>  by pop.journey.com (Postfix) with SMTP id 8472414FBA
>  for <ccpresident@JOURNEY.COM>; Wed, 8 Jan 2003 12:16:10 -0500 (EST)

That's not SIMS. Nothing SIMS can do would catch this.

This indicates that this mail was delivered to pop.journey.com, which is running Postfix (a fine Unix MTA) and that Postfix delivered it to a mailbox whose canonical name it deems to be ccpresident@journey.com. The Received header indicates that indeed that was what the sender was aiming the mail at.

> Received: from source ([209.119.0.109]) by exprod5mx29.postini.com
>  ([64.75.1.245]) with SMTP;

That server looks like one run by Postini, a spam-filtering service.

It looks like the DNS records for journey.com have changed a few times today, so I suspect that while they currently point mail at pop.journey.com (with 2 MX's, inexplicably...) they might have recently been pointing mail at Postini.

[...]
The rest of those headers look like the usual (unforged) markings of an LSOFT list and I'm a bit surprised that you deem it 'spam' as it appears to be Federal Reserve Board announcements, and LSOFT has a very good record of running only legitimate verified opt-in lists. Are you certain that the owner of ccpresident@journey.com did not subscribe to that list?

At any rate, rejection could be done by routing just the specific address owner-frboardpressreleases@PEACH.EASE.LSOFT.COM to error, or I suppose by routing PEACH.EASE.LSOFT.COM to error, although they run a LOT of legit lists and I'd be careful about doing that. In the end, I am quite sure that there are functioning unsub mechanisms at Lsoft and a serious abuse desk, so this is at least worth a serious spam complaint if you are certain that it really is spam or an unsub if you are not really positive. I know that Lsoft doesn't routinely add addresses to lists carelessly and I doubt that the Fed would do so either.

> AND:
>
> Return-Path: <iedcnonmemberout-owner@mail.iedconline.org>
> Delivered-To: ccpresident@journey.com
> Received: from psmtp.com (exprod5mx57.postini.com [64.75.1.237])
>  by pop.journey.com (Postfix) with SMTP id 19552143FE
>  for <ccpresident@journey.com>; Mon, 6 Jan 2003 19:00:20 -0500 (EST)
> Received: from source ([63.219.66.114]) by exprod5mx57.postini.com ([64.75.1.245]) with SMTP;

That looks very similar, except that I know nothing about 'iedconline.org' beyond the claim in the registration:

Registrant:
Council for Urban Economic Development (IEDCONLINE-DOM)
   1730K Street NW
   Washington, DC 20006
   US

   Domain Name: IEDCONLINE.ORG

Seems like a list that might appeal to someone who also gets the fed's press releases...

> Now my router entries look like this:
>
> <*@postini.com> = error
> *postini.com = error
>
> I guess my certain lack of experience is frustrating me.
>
> I appreciate your patience.  :^)

I think you need to look a little closer. SIMS didn't touch those messages. Postfix did, and delivered them, on pop.journey.com, which is not currently answering on port 25. (no mail for journey.com tonight...)

Postini doesn't handle any mail that some *RECIPIENT* has not paid them to handle. They are a commercial spam-filtering service that takes over the MX records for a domain (like journey.com) and does a reasonably good job of body-filtering the mail, quarantining anything they see as spam. I had a pure spamtrap for a while on a retail ISP and when it got put behind Postini (by the ISP) they caught nearly everything. Given that the recipient here appears to have been behind Postini when these were delivered and that they were delivered to a POP3 mailbox by a Postfix machine, and that they look on the surface to be serious mailing lists operated by seemingly legitimate non-spamming entities (in my opinion there isn't a better handler of serious mailing lists than Lsoft) this all bears more careful examination totally apart from SIMS.

All that said, the router entries won't do anything to these, even if they were hitting your SIMS server for delivery. The only place to see 'postini.com' is in the reverse DNS of the source IP, and SIMS never looks at that. As it stands, you might reject mail from anyone employed by Postini, but that's a bit pointless.



--
Bill Cole                                  bill@scconsult.com
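The points made above about which header fields can be trusted (the Return-Path stamped by the last hop, the top-down Received chain, and "postini.com" showing up only in the reverse DNS of the source IP rather than in any sender address) can be checked mechanically. The script below is an added example, not code from this thread or from SIMS or Postini. Its header sample is constructed from the headers quoted above with the mailto: noise removed, and the router-pattern check is a simplified glob emulation of a `<*@domain> = error` entry, an assumption rather than SIMS's actual router semantics.

```python
"""Trace a Received chain and see where a domain really appears.

Added example (not from the original thread, SIMS or Postini). SAMPLE is
constructed from the headers quoted in the message; router_matches() is a
simplified emulation of a '<*@domain> = error' rule (assumption).
"""
import fnmatch
import re
from email.parser import HeaderParser

SAMPLE = """\
Return-Path: <owner-frboardpressreleases@PEACH.EASE.LSOFT.COM>
Delivered-To: ccpresident@journey.com
Received: from psmtp.com (exprod5mx29.postini.com [64.75.1.184])
 by pop.journey.com (Postfix) with SMTP id 8472414FBA
 for <ccpresident@JOURNEY.COM>; Wed, 8 Jan 2003 12:16:10 -0500 (EST)
Received: from source ([209.119.0.109]) by exprod5mx29.postini.com
 ([64.75.1.245]) with SMTP;
Subject: constructed sample
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s*by\s+(?P<by>\S+)"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def in_domain(name, domain):
    """True if `name` is `domain` or a host under it (case-insensitive)."""
    name, domain = name.lower(), domain.lower()
    return name == domain or name.endswith("." + domain)


def parse_received(value):
    """Split one Received: value into HELO name, reverse-DNS name, IP and 'by' host."""
    text = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    paren = m.group("paren") or ""
    ip_m = IP_RE.search(paren)
    rdns = paren[: ip_m.start()].strip() if ip_m else paren.strip()
    return {
        "helo": m.group("helo"),
        "rdns": rdns or None,
        "ip": ip_m.group(1) if ip_m else None,
        "by": m.group("by").rstrip(";,"),
    }


def hops(raw):
    """Received hops in header order: the top one was added last, by your own MTA."""
    msg = HeaderParser().parsestr(raw)
    return [h for h in map(parse_received, msg.get_all("Received", [])) if h]


def envelope_sender(raw):
    """Address inside Return-Path, i.e. the SMTP envelope sender of the last hop."""
    rp = HeaderParser().parsestr(raw).get("Return-Path", "")
    m = re.search(r"<([^>]*)>", rp)
    return (m.group(1) if m else rp).strip()


def router_matches(raw, pattern):
    """Simplified '<pattern> = error' router entry: glob on the envelope sender."""
    return fnmatch.fnmatchcase(envelope_sender(raw).lower(), pattern.lower())


def where_domain_appears(raw, domain):
    """List the header fields that actually carry a host or address in `domain`."""
    found = []
    if in_domain(envelope_sender(raw).rpartition("@")[2], domain):
        found.append("envelope-sender")
    for i, h in enumerate(hops(raw)):
        for field in ("helo", "rdns", "by"):
            if h[field] and in_domain(h[field], domain):
                found.append(f"received[{i}].{field}")
    return found


def source_ip(raw, trusted_hosts):
    """Walk the chain top-down while the recording ('by') host is one we trust.

    The 'from' IP recorded by the last trusted host is the furthest point the
    sender could not have forged; everything below it is just claimed text."""
    trusted = {t.lower() for t in trusted_hosts}
    ip = None
    for h in hops(raw):
        if h["by"].lower() not in trusted:
            break
        ip = h["ip"]
    return ip


if __name__ == "__main__":
    print("envelope sender:", envelope_sender(SAMPLE))
    print("router <*@postini.com> matches:", router_matches(SAMPLE, "*@postini.com"))
    print("postini.com appears in:", where_domain_appears(SAMPLE, "postini.com"))
    print("source, trusting only pop.journey.com:", source_ip(SAMPLE, {"pop.journey.com"}))
    print("source, trusting Postini too:",
          source_ip(SAMPLE, {"pop.journey.com", "exprod5mx29.postini.com"}))
```

Run as-is, the router pattern `*@postini.com` never matches because the envelope sender is at PEACH.EASE.LSOFT.COM; the string "postini.com" only turns up in the reverse-DNS field of the top hop and the "by" field of the next one. The `source_ip` walk also shows why trusting Postini matters: with only pop.journey.com trusted, the best you can say is that the mail came from Postini's 64.75.1.184, while trusting the Postini relay as well lets you reach the real source at 209.119.0.109.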
