How does a spammer hide the destination address?

Jerry Feldman gaf-mNDKBlG2WHs at public.gmane.org
Fri Sep 24 13:04:51 EDT 2010


On 09/24/2010 11:37 AM, Richard Pieri wrote:
> Spammers these days don't hide anything. They don't need to because their
> spam isn't coming from their own systems. It comes from thousands of
> "bots", compromised computers, around the world. That's why you can see
> thirty copies of the same message, each with unique envelope and headers.
> So, really, it's practically impossible to maintain lists of bad sending
> hosts. There are just too damned many of them out there -- maybe even
> some on your own network.
>
> There is a flaw to this type of carpet bombing. Spambots don't queue and
> retry temporary failures. They can't. They'd choke themselves if they
> tried. Instead, they just drop messages that can't be delivered. This
> leads to a technique called greylisting. In a nutshell, a greylist filter
> maintains a list of source IPs for incoming SMTP connections. If a new IP
> is detected then the filter generates a 4xx temporary failure code and
> then that IP is logged in a database. Legitimate MTAs will try again. The
> filter will see the same source IP and let the retry through. Spambots
> never retry so the spam never gets delivered.
>
> Greylisting stops between 50% and 90% of the incoming spam that I see.
> The rest is so obviously spam that even the simplest adaptive filters can
> detect and trash it. More here:
>
> http://en.wikipedia.org/wiki/Greylisting
>
Got a question for Richard. I've been trying to help a guy. He sends
email to a military aviation listserv using his own user name (on MSN).
Another email was sent to another military aviation listserv under a
different MSN user name. The contents of both emails are obviously
written by a human not a bot. Both emails have:
Received: from SNT134-DS20 ([65.55.90.201]) by
snt0-omc4-s33.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
     Sun, 19 Sep 2010 06:41:52 -0700
X-Originating-IP: [aa.bb.cc.dd]
X-Originating-Email: [msn user name]

There are 2 different MSN user names, but from the same IP. That IP
resolves to Comcast, and one of the users sent me a screen shot of his
router with that IP. He also sent me evidence that his system is
infected by the W32/BOBAX worm, which is a remailer worm. So, I know his
computer is compromised, and he has a router (with wireless enabled and
with security enabled, but I'm not sure the level). Additionally, the
other user name is from a guy that passed away a while back, so it would
appear that someone created an MSN user name with the deceased user's
name. From my standpoint, the bogus email either came from the real user
but was sent as the bogus user name, or could have been sent by BOBAX
(which I think is unlikely), or could have been sent by someone else who
hacked into this guy's system either through his router or through a
hole created by BOBAX. Also, the guy ran a virus check on his wife's
computer and it is compromised too.

-- 
Jerry Feldman <gaf-mNDKBlG2WHs at public.gmane.org>
Boston Linux and Unix
PGP key id: 537C5846
PGP Key fingerprint: 3D1B 8377 A3C0 A5F2 ECBB  CA3B 4607 4319 537C 5846
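The greylist filter Richard describes above (defer on first sight of a source IP, accept the retry), worked through as an added example; this is constructed code, not anything from the list or its posters. The 5-minute minimum retry delay and the 4-hour expiry of never-retried entries are assumptions modelled on common greylisting implementations, and the IPs in the sample are constructed.

```python
"""Minimal greylist filter keyed on source IP, as described in the quoted post.
Constructed example; the timing constants are assumptions, not from the post."""
from dataclasses import dataclass, field

MIN_RETRY_SECONDS = 300            # assumption: accept a retry only after 5 min
ENTRY_LIFETIME_SECONDS = 4 * 3600  # assumption: forget an IP never retried in 4 h

SMTP_TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
SMTP_ACCEPT = "250 OK"


@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)  # source IP -> first contact time
    known_good: set = field(default_factory=set)    # IPs that retried properly

    def check(self, source_ip: str, now: float) -> str:
        """Return the SMTP response for one incoming connection from source_ip."""
        if source_ip in self.known_good:
            return SMTP_ACCEPT
        first = self.first_seen.get(source_ip)
        if first is None:
            # New IP: log it and answer with a 4xx temporary failure
            self.first_seen[source_ip] = now
            return SMTP_TEMPFAIL
        age = now - first
        if age > ENTRY_LIFETIME_SECONDS:
            # Stale entry (the IP never came back in time): start over
            self.first_seen[source_ip] = now
            return SMTP_TEMPFAIL
        if age < MIN_RETRY_SECONDS:
            # Retry arrived too soon to reflect a real MTA queue: defer again
            return SMTP_TEMPFAIL
        # A genuine retry: the IP is a queueing MTA, let it through from now on
        self.known_good.add(source_ip)
        del self.first_seen[source_ip]
        return SMTP_ACCEPT


def simulate(connections):
    """Run (time, ip) connection attempts through a fresh greylist; one response each."""
    gl = Greylist()
    return [gl.check(ip, t) for t, ip in connections]


# Constructed sample: a legitimate MTA retries after 15 minutes; the spambot
# sends once from its IP and, as the post says, never retries.
SAMPLE = [
    (0, "192.0.2.10"),       # legitimate MTA, first attempt -> 4xx
    (0, "198.51.100.77"),    # spambot, first attempt -> 4xx, never seen again
    (900, "192.0.2.10"),     # legitimate MTA retry -> 250
    (901, "192.0.2.10"),     # later mail from the same IP -> 250 immediately
]
```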
