[time-nuts] 2 (Spoofing)
John Ackermann N8UR
jra at febo.com
Wed Oct 5 12:09:27 UTC 2011
The mailing list system resends messages rather than just relaying them. List messages won't show details of the originating sender path.
On Oct 4, 2011, at 9:51 PM, Chuck Harris <cfharris at erols.com> wrote:
> Hi John,
> I have looked at the "originating" IPs in the headers, and I find
> a curious thing: They are all built and structured differently. Those
> on the messages I send through time-nuts don't have my IP listed as
> originating... or listed at all. The header information I find in the
> messages that come to me is generally showing the path from febo to my
> ISP... febo is listed as the originating IP.
> I think the originating IP header in the spam mail from Jeff was added
> there by the spammer... just like they generally add headers that try to
> tell you that the message is whitelisted, approved by SpamAssassin, and
> not spam, etc.
> -Chuck Harris
> John Ackermann N8UR wrote:
>> See my other message for more details, but the spammers often use a two-step
>> approach: (1) harvest address lists from the web, from compromised machines,
>> etc., and (2) send those addresses, along with the payload, off to the botnets who
>> then send the actual email. That gives legitimate-looking senders along with the
>> volume sending power of the botnet.
>> I think in the past things worked as you suggested and probably often still do,
>> Chuck, but if you look at the originating IP on these messages they often are in
>> blocks assigned to countries unlikely to be the home of the victim.
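The header question discussed in this thread, as an added example that is not part of the original posts: walk the Received chain from the newest hop down, trust only hops stamped by your own mail servers, and treat every header below that boundary (including any "originating IP" or spam-check header) as sender-supplied. The message, hostnames, IP addresses and the `TRUSTED_MTAS` set are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample message; hostnames and IPs are documentation values.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [203.0.113.45])
\tby mx.myisp.example with ESMTP id abc123; Wed, 5 Oct 2011 12:00:00 +0000
Received: from friend-pc (unknown [192.0.2.10])
\tby relay.example.net with SMTP; Wed, 5 Oct 2011 11:59:00 +0000
X-Originating-IP: [192.0.2.10]
X-Spam-Status: No, score=-2.6
From: friend@example.org
Subject: hello

body
"""

TRUSTED_MTAS = {"mx.myisp.example"}  # assumption: servers you or your ISP run
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def analyze(raw, trusted=TRUSTED_MTAS):
    msg = message_from_string(raw)
    hops = msg.get_all("Received", [])
    verified_ip, boundary = None, 0
    # Each server prepends its Received line, so index 0 is the newest hop.
    for hop in hops:
        by = BY_RE.search(hop)
        if not by or by.group(1).lower() not in trusted:
            break  # stamped by a host we do not control: could be forged
        ip = IP_RE.search(hop[:by.start()])  # peer IP seen by the trusted host
        verified_ip = ip.group(1) if ip else None
        boundary += 1
    # Headers below the last trusted Received line arrived with the message.
    seen, claims = 0, []
    for name, _ in msg.items():
        if name.lower() == "received":
            seen += 1
        elif seen >= boundary and name.lower().startswith(("x-originating", "x-spam")):
            claims.append(name)
    return {"verified_ip": verified_ip,
            "unverified_hops": hops[boundary:],
            "unverified_claims": claims}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

For a message that came through a list server which resends mail, the verified address is the list server's, which matches what both posters observed.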