How does a spammer hide the destination address?

Richard Pieri richard.pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Sep 24 14:02:07 EDT 2010


On Sep 24, 2010, at 1:04 PM, Jerry Feldman wrote:
> 
> router with that IP. He also sent me evidence that his system is
> infected by the W32/BOBAX worm, which is a remailer worm. So, I know his

The way these botnets work, they infect computers, scan every address book they can find, and build up queue lists from that scraped data.  At pre-set times they contact their command and control centers.  These are outbound connections on common ports so no firewall hacking required.  The C&C servers collect the address lists then give the bots some marching orders. The clever bots will sometimes pick up chunks of legitimate mail in an attempt to obfuscate their payload.

What I suspect happened is that the compromised machine took the outgoing message and used it as camouflage for the payload included as an attachment.  The mailing list manager stripped out that attachment before echoing the message out to the list members.  What you see at the end is the same message that appears to have been sent by two different people.  I make several assumptions in this.  I cannot be sure about what really happened without access to the genuine original messages.

--Rich P.
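As an added illustration of the scenario Rich describes (example code written for this archive page, not from the original post or the list software): a legitimate post is reused as camouflage for a binary attachment and relayed under a different sender, a list manager strips the attachment before echoing the post, and the result is the same text appearing twice from two different people. The sender addresses, subject, body text and attachment name are constructed sample data, and the stripping logic is a generic MIME walk, not the actual list manager's code.

```python
"""
Reconstructing the effect described in the post: a message reused as
camouflage for an attached payload, stripped of that attachment by a list
manager, ends up as a duplicate of the genuine post under another sender.
All messages here are constructed sample data (example code for this page).
"""
from collections import defaultdict
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr


def build_message(sender, recipient, subject, body, attachment=None):
    """Build an RFC 5322 message; optionally attach an opaque binary blob."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        filename, data = attachment
        # add_attachment converts a single-part message into multipart/mixed
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg


def parse(raw):
    """Parse raw message bytes into an EmailMessage (modern email.policy)."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def strip_attachments(msg):
    """
    What a list manager does before echoing a post: keep only the text/plain
    parts and drop every part marked as an attachment.
    Returns (plain text body, filenames of the removed attachments).
    """
    removed = []
    if not msg.is_multipart():
        return msg.get_content(), removed
    text_parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        if part.get_content_disposition() == "attachment":
            removed.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            text_parts.append(part.get_content())
    return "".join(text_parts), removed


def find_duplicate_bodies(raw_messages):
    """
    Defender-side heuristic: group posts whose stripped bodies are identical
    and report the bodies that arrived under more than one From: address.
    That is the symptom in the post: one message, two apparent authors.
    """
    senders_by_body = defaultdict(set)
    for raw in raw_messages:
        msg = parse(raw)
        body, _ = strip_attachments(msg)
        senders_by_body[body.strip()].add(parseaddr(msg["From"])[1])
    return {body: sorted(s) for body, s in senders_by_body.items() if len(s) > 1}


# Constructed sample: the genuine post, and a copy of it carrying a payload,
# relayed from a compromised host under a different (made-up) sender.
BODY = "Has anyone else seen connections like this from their router?\n"
ORIGINAL = build_message("alice@example.org", "discuss@example.org",
                         "Odd traffic from my router", BODY)
CAMOUFLAGED = build_message("bob@example.net", "discuss@example.org",
                            "Odd traffic from my router", BODY,
                            attachment=("payload.bin", b"\x4d\x5a" + b"\x00" * 16))


def demo():
    """Run both posts through the strip step and the duplicate check."""
    raw_posts = [ORIGINAL.as_bytes(), CAMOUFLAGED.as_bytes()]
    stripped = [strip_attachments(parse(r)) for r in raw_posts]
    return stripped, find_duplicate_bodies(raw_posts)


if __name__ == "__main__":
    stripped, flagged = demo()
    for body, removed in stripped:
        print(repr(body.strip()), "removed attachments:", removed)
    print("same body from several senders:", flagged)
```

Running it shows the first post loses nothing, the second loses `payload.bin`, and the two stripped bodies compare equal, so the duplicate check flags one body with two senders. On a real archive the same check would need the original, unstripped messages to say which copy carried the payload, which is exactly the evidence Rich says he lacks.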
