UNIX System Administration Handbook - Evi Nemeth [357]
• The host part of the From header should agree with the last Received header.
• The Message-Id header’s domain should match the From header’s domain.
• Check to see if the Received headers show that the message was relayed through an unrelated host.
• Check all listed hosts to be sure they exist in DNS.
Our first example is a message selling a CD of 10,000,000 email addresses for future spammers. The spam CD was interesting—it guaranteed no duplicate addresses and no “poison” addresses (presumably, addresses that automatically submit the sender to one of the black hole lists).
We numbered the lines of the header to facilitate the commentary; the numbers are not really there.
1: From mrktnet77@kayak.msk.ru Thu Nov 4 22:10:48 1999
2: Received: from gaia.es ([195.55.166.66]) by xor.com (8.9.3/8.9.3) with ESMTP
   id WAA26343 for
3: From: mrktnet77@kayak.msk.ru
4: Received: from default by gaia.es (8.8.8+Sun/SMI-SVR4) id GAA03907;
   Fri, 5 Nov 1999 06:31:10 -0100 (Etc/GMT)
5: Date: Fri, 5 Nov 1999 06:31:10 -0100 (Etc/GMT)
6: Received: from login_011556.wgukas.com (mail.wgukas.com [233.214.241.87])
   by (8.8.5/8.7.3) with SMTP id XAA01510 for fraklin321@thaxghklo.um.de;
   Thu, 4 November 1999 00:21:59 -0700 (EDT)
7: To: mrktnet77@kayak.msk.ru
8: Subject: Just Released! Millions CD Vol. 6A
9: Comments: Authenticated Sender is
10: Message-Id: 02202108722648597456@sa_ghklo.um.de

/* Several pages of marketeering removed here */

**********************************************************
Do not reply to this message - To be removed from future mailings:
mailto:greg1148@usa.net?Subject=Remove
**********************************************************

Line 1 was added by /bin/mail during local delivery. The domain msk.ru exists, but host kayak.msk.ru does not.

Line 2 is a valid Received line—it’s the only Received line whose accuracy is guaranteed, because it was added by our own host (in this case, xor.com).

Line 3 is a From header added by sendmail along the way because the message did not originally have one.

Line 4 is a valid Received line from an unsuspecting scapegoat host (gaia.es) running sendmail 8.8, under which relaying is allowed by default (and which Sun shipped that way).

Line 6 is a fake Received line. It’s below the Date line and so must have been put there before the first sendmail process got the message. Plus, the format is wrong and 233.214.241.87 has no reverse DNS entry.

Line 7, the To line, is bogus. The recipients’ addresses were on the envelope only.

Line 9 purports to identify the authenticated sender, which is sometimes a clue to a message’s provenance. This one implies that the sender is from wgukas.com, but that domain does not exist. This line was actually added by a PC mail user agent and so it could well be forged.
Line 10 implies that the sending machine was actually sa_ghklo.um.de, but it has the wrong format (missing angle brackets, < >) and so is probably forged.

It’s impossible to tell where this message came from. It was relayed through gaia.es, probably without their permission. They are not yet in the maps.vix.com black hole list, but may end up there soon. greg1148 could be the spammer himself, or he could be a user who complained about previous spam. In the latter case, greg1148 assumes the victim role in this message and may receive hundreds or thousands of angry messages from folks asking to be removed from the list.

The body of the message required you to call or fax your order to an 800 number. It is typical to have all the information needed to respond to the spammer and buy his product in the actual body of the message. Note that the address on the From line is the same as the address on the To line; both are probably forged.

Another piece of spam from this same day offered to make you rich if you faxed them a check for $40 by November 15, after which the price went up to $195. Are faxed copies of a check legal tender? Or are they just interested in obtaining your bank
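As an added example (not from the book), here is a small Python script that applies the checklist above to a header block constructed from the example message: Message-Id format and domain agreement with From, the first-hop host against the From domain, a "by" host in every Received line, and existence of every named host. The DNS lookup is replaced by a fixed table of names (an assumption so it runs offline), and the regular-expression parsing of hops is mine, not the text's.

```python
import re
from email import message_from_string

# Header block constructed from the example in the text (the mbox "From "
# line is omitted and the addresses the text elides are left out).
SAMPLE = """\
Received: from gaia.es ([195.55.166.66]) by xor.com (8.9.3/8.9.3) with ESMTP
 id WAA26343
From: mrktnet77@kayak.msk.ru
Received: from default by gaia.es (8.8.8+Sun/SMI-SVR4) id GAA03907;
 Fri, 5 Nov 1999 06:31:10 -0100 (Etc/GMT)
Received: from login_011556.wgukas.com (mail.wgukas.com [233.214.241.87])
 by (8.8.5/8.7.3) with SMTP id XAA01510 for fraklin321@thaxghklo.um.de;
 Thu, 4 November 1999 00:21:59 -0700 (EDT)
Message-Id: 02202108722648597456@sa_ghklo.um.de
"""
# Offline stand-in for a DNS lookup (assumption: gaia.es and xor.com
# resolve; the text says msk.ru exists but kayak.msk.ru and wgukas.com do not).
KNOWN_HOSTS = {"gaia.es", "xor.com", "msk.ru"}

def domain_of(addr):
    """Domain after the '@' of an address or message-id, brackets stripped."""
    return addr.strip("<> ").rpartition("@")[2].lower()

def analyze(raw, exists=lambda host: host in KNOWN_HOSTS):
    """Apply the header checks listed in the text; return a list of findings."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    msgid = msg.get("Message-Id", "").strip()
    if not (msgid.startswith("<") and msgid.endswith(">")):
        findings.append("Message-Id lacks angle brackets")
    if domain_of(msgid) != from_dom:
        findings.append("Message-Id domain %s != From domain %s" % (domain_of(msgid), from_dom))
    # One (from-host, by-host) pair per Received line; top = last hop (our host), bottom = first hop.
    hops = []
    for i, r in enumerate(msg.get_all("Received", [])):
        r = " ".join(r.split())  # unfold continuation lines
        frm = re.match(r"from\s+(\S+)", r)
        by = re.search(r"\bby\s+([\w.-]+)", r)
        if not by:
            findings.append("Received #%d is malformed: no 'by' host" % (i + 1))
        hops.append((frm and frm.group(1), by and by.group(1)))
    if hops and hops[-1][0] and not hops[-1][0].endswith(from_dom):
        findings.append("first hop %s does not match From domain %s" % (hops[-1][0], from_dom))
    # Every host named in the headers should exist in DNS.
    for host in {from_dom} | {h for hop in hops for h in hop if h}:
        if not exists(host.lower()):
            findings.append("host %s not found in DNS" % host)
    return findings
```

Run against the sample it reports seven findings, including the missing angle brackets on the Message-Id, the malformed third Received line, and the non-existent kayak.msk.ru and wgukas.com hosts; a clean message yields an empty list.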