Mailing List SIMS@mail.stalker.com Message #5716
From: Bill Cole <listbill@scconsult.com>
Subject: Re: How do I pick this apart?
Date: Wed, 5 Apr 2000 21:00:39 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
At 8:34 PM -0400 4/5/00, stephen warren wrote:
>Hi all,
>I'm still learning about spam filtering using SIMS and don't want to go
>overboard and start blocking everything - for fear of blocking a
>legitimate address. Here is a snippet of the message headers from a
>recent spam. There are several IP blocks in this and I'm not sure how to
>pick the right one(s) for placing in the Spam filter. Any
>help/comments/theories/etc. would be much appreciated!
>Stephen Warren

>
>-- Paste begins---
>Return-Path:
>                 givemeafreepc@drawingsonline.com
>        Received:
>                 from gaea.globaltelecom.co.kr ([210.124.38.2] verified)
>by warrenstudio.com (Stalker SMTP Server
>                 1.8b8) with SMTP id S.0000013775 for
><stephen@warrenstudio.com>; Wed, 05 Apr 2000 19:22:16
>                 -0400

That address (210.124.38.2) would be the only one SIMS could use based on
this spam. This received header is added by SIMS after receipt, and the
only IP address SIMS can use for blocking is the one it knows BEFORE
receipt, i.e. the address of the machine offering the message.

A little more info...

>        Received:
>                 from sefuiosw-2c1lgj (unverified [63.11.186.136]) by
>gaea.globaltelecom.co.kr (EMWAC SMTPRS
>                 0.83) with SMTP id
><B0000008528@gaea.globaltelecom.co.kr>; Thu, 06 Apr 2000 08:17:12 +0900

That looks like a potentially honest Received header added by a broken
mail server being raped by a dialup on the UUNet network. (63.11.186.136
is 1Cust136.tnt2.austin2.tx.da.uu.net) The dialup machine claimed a very
bogus name. A dialup in Texas giving a bogus name to a Korean mail server
looks like classic 'relay-rape' spam.

>        Received:
>                 from login_0246.whynot.net
>(mx.whynot.net[206.217.231.88]) by whynot.net (8.8.5/8.7.3) with SMTP
>                 id XAA08500 for sender422@whynot.net; Wed, 5 April 2000
>06:16:54 -0700 (EDT)

That header is a complete fraud. Besides recognizing the fingerprints of
one of the most popular pieces of junk spamware, anyone can really tell
the header is a fake based solely on the fact that it doesn't link up with
the header above it. More conclusively, it has a timezone of '-0700 EDT'
which is inconsistent: EDT is -0400, but -0700 is either PDT or MST. For
the more geeky, the bit that looks like a sendmail binary/config version
identifier is absurd: no one would run 8.8.5 with an 8.7.3 config.

--
Bill Cole
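The two checks Bill applies by hand (does each Received header link to the one above it, and does the numeric offset agree with the zone abbreviation) plus the "only the top header's IP is usable" rule, written up as an added Python example; this is not SIMS code or anything Bill posted, and the sample headers are a constructed transcription of the chain quoted above.

```python
import re

# Constructed Received lines, newest first, transcribed from the chain quoted
# in the message above (the real spam carried them as raw header lines).
SAMPLE_RECEIVED = [
    "from gaea.globaltelecom.co.kr ([210.124.38.2] verified) by warrenstudio.com"
    " (Stalker SMTP Server 1.8b8) with SMTP id S.0000013775"
    " for <stephen@warrenstudio.com>; Wed, 05 Apr 2000 19:22:16 -0400",
    "from sefuiosw-2c1lgj (unverified [63.11.186.136]) by gaea.globaltelecom.co.kr"
    " (EMWAC SMTPRS 0.83) with SMTP id <B0000008528@gaea.globaltelecom.co.kr>;"
    " Thu, 06 Apr 2000 08:17:12 +0900",
    "from login_0246.whynot.net (mx.whynot.net[206.217.231.88]) by whynot.net"
    " (8.8.5/8.7.3) with SMTP id XAA08500 for sender422@whynot.net;"
    " Wed, 5 April 2000 06:16:54 -0700 (EDT)",
]

# Numeric offsets the common North American zone abbreviations stand for.
ZONE_OFFSETS = {"EST": "-0500", "EDT": "-0400", "CST": "-0600", "CDT": "-0500",
                "MST": "-0700", "MDT": "-0600", "PST": "-0800", "PDT": "-0700"}


def parse_received(line):
    """Split one Received line into the fields the checks below need."""
    frm = re.match(r"from\s+(\S+)", line)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
    by = re.search(r"\bby\s+(\S+)", line)
    date = line.rsplit(";", 1)[-1].strip()
    return {"from": frm.group(1) if frm else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            "date": date}


def analyze_chain(received_lines):
    """Return the one address the receiving server can act on (the peer it
    saw before accepting the message, i.e. the newest header's bracketed IP)
    plus the indexes of headers whose chain link or timezone does not add up."""
    hops = [parse_received(line) for line in received_lines]
    report = {"blockable_ip": hops[0]["ip"], "broken_links": [], "bad_timezones": []}
    for i, hop in enumerate(hops):
        # A genuine chain links: the host that handed us hop i must be the
        # host that claims to have received hop i+1 (the next older header).
        if i + 1 < len(hops) and hop["from"] != hops[i + 1]["by"]:
            report["broken_links"].append(i + 1)
        # The numeric offset and the zone abbreviation must agree, e.g. -0400 (EDT).
        tz = re.search(r"([+-]\d{4})\s*\(([A-Z]{3,4})\)", hop["date"])
        if tz and ZONE_OFFSETS.get(tz.group(2), tz.group(1)) != tz.group(1):
            report["bad_timezones"].append(i)
    return report


if __name__ == "__main__":
    print(analyze_chain(SAMPLE_RECEIVED))
```

On the sample chain the report names 210.124.38.2 as the only blockable address and flags the third header both for not linking to the hop above it and for its -0700 (EDT) contradiction.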
