On Fri, 5 Sep 1997, Phil Howard wrote:
> One copy of this same spam (but who knows if it is or is not really the same spammer) I got appeared to be from PSI. It came from a PSI connection and used Earthlink as a mail hop. I complained to abuse@psi.net and they sent back a reply claiming the mail came from Earthlink. Well, literally I did get it from Earthlink, but it originated from PSI's IP address, unless Earthlink faked the IP (but then why would they leave their own address on it).
>
> That's why I tend to believe a lot of ISPs ... and more often the BIGGER ones than the smaller ones ... don't know what is going on.
I had two very similar incidents of PSI not knowing what was going on. I've gotten a lot of spam that originated from PSI dialup users but using Earthlink as a mail relay; for example, this one:

Return-Path: mail.earthlink.net@italy.it.earthlink.net
Return-Path: <mail.earthlink.net@italy.it.earthlink.net>
Received: from hops.cs.jhu.edu [this is where I received the mail] by blaze.cs.jhu.edu with SMTP; Wed, 9 Apr 1997 04:31:17 GMT
Sender: mail.earthlink.net@italy.it.earthlink.net
Received: from italy.it.earthlink.net (italy-c.it.earthlink.net [204.250.46.18]) by hops.cs.jhu.edu (8.6.12/8.6.9) with ESMTP id AAA05428 for <jelson@poincare.cs.jhu.edu>; Wed, 9 Apr 1997 00:31:15 -0400
Received: from LOCALNAME (ip55.rocky-mount.nc.pub-ip.psi.net [38.30.63.55]) by italy.it.earthlink.net (8.8.5/8.8.5) with SMTP id MAA14529; Tue, 8 Apr 1997 12:15:13 -0700 (PDT)
Message-Id: <199704081915.MAA14529@italy.it.earthlink.net>
Comments: Authenticated sender is <barnhillj@mail.earthlink.net>

In the above case, someone dialed into PSI (ip55.rocky-mount...) and relayed mail through Earthlink. I complained to PSInet and they told me "Sorry, nothing we can do, this is coming from Earthlink."

More recently, though, something much more insidious started to happen: spammers have started forging Received: lines in the headers to misdirect attempts at tracing the source of the mail!
Here's one beautiful example of a spam header I received (my mailhost here was blaze.cs.jhu.edu):

From: mailman@domaol.net
Received: from fs.IConNet.NET by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
Sender: mailman@domaol.net
Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net [38.11.102.19]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207; Wed, 9 Apr 1997 03:54:27 -0400 (EDT)
Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by bethere.net (8.8.5/8.6.5) with SMTP id GAA04732 for <friend@public.com>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
To: friend@public.com
Message-ID: <37474743565665.JDL9087@bethere.net>

At first glance, it would appear the above spam originated from bethere.net. When I looked more closely, though, I realized that tracing the Received: lines up from the bottom shows the mail going from alt2.bethere.net to bethere.net, then suddenly jumping from a dialup in PSInet to fs.IConNet.NET. How did it get from bethere.net to PSInet?? The answer, of course, is that the mail really originated from a PSInet dialup, using IConNet.NET as a spam relay; the bottom Received: line is an utter forgery, presumably added by the spam-mailing software. In fact, it's not even a very good forgery, because the supposed IP address of alt2.bethere.net is invalid (the 2nd octet is 756).

When I [again] wrote to PSInet to complain about spam coming from their users, I was told I should complain to bethere.net instead -- a domain that does not even exist!

As a final, even more depressing footnote to this already sad story: a few days after I saw this new trend of getting spam with forged Received: lines, I actually got an advertisement for spamming software that prominently listed one of its features as being that it could add forged sendmail-like headers in order to misdirect investigations! (To add insult to injury, I received 8 copies of this ad via the wonders of spam.)
-Jeremy

--------------------------------------------------------------------------
NOTE: This message expresses my personal views and should not be taken to
represent the views or policies of the United States Government or NIH.

Jeremy Elson
Division of Computer Research and Technology
National Institutes of Health
Bethesda, MD
Email: jeremy.elson@nih.gov
Phone: (301) 402-0349
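The bottom-up trace Jeremy describes can be automated. The following Python checker is an added example, not part of the original message or of any tool it mentions: it parses each Received: line into its "from" and "by" hosts, walks the chain from the oldest hop upwards, and reports both the chain break (bethere.net hands off, but the next hop claims to come from a PSI dialup) and the impossible IP literal 214.756.86.9. The sample chain is constructed from the header quoted above; the parsing regexes are this example's own simplification and assume sendmail-style "from ... by ..." wording.

```python
import ipaddress
import re

# Constructed sample: the three Received: lines of the forged header quoted in
# the post above, top to bottom as they appeared in the message.
FORGED_CHAIN = [
    "from fs.IConNet.NET by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT",
    "from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net [38.11.102.19]) "
    "by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207; Wed, 9 Apr 1997 03:54:27 -0400 (EDT)",
    "from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by bethere.net (8.8.5/8.6.5) "
    "with SMTP id GAA04732 for <friend@public.com>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)",
]

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
NAME_RE = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}", re.I)

def parse_hop(line):
    """Split one Received: line into its 'from' name, the names and IP literals in
    the parenthetical, and its 'by' name. Returns None if a token is missing."""
    m_from = re.search(r"\bfrom\s+([^\s(;]+)", line, re.I)
    m_by = re.search(r"\sby\s+([^\s(;]+)", line, re.I)
    if not (m_from and m_by and m_from.end() <= m_by.start()):
        return None
    middle = line[m_from.end():m_by.start()]
    return {"from": m_from.group(1).lower(), "by": m_by.group(1).lower(),
            "names": {n.lower() for n in NAME_RE.findall(middle)},
            "ips": IPV4_RE.findall(middle)}

def analyze(received_lines):
    """Walk the hops oldest-first (bottom of the header block upwards). Each hop's
    'from' should name the host that the previous hop says it was received 'by';
    a mismatch or an impossible IP literal is reported as a sign of forgery.
    Treat it as a signal, not proof: HELO names can differ from canonical names."""
    findings = []
    hops = [h for h in map(parse_hop, reversed(received_lines)) if h]
    for i, hop in enumerate(hops):
        for ip in hop["ips"]:
            try:
                ipaddress.IPv4Address(ip)
            except ValueError:
                findings.append(f"invalid IP literal {ip} in hop received by {hop['by']}")
        if i and hop["from"] != hops[i - 1]["by"] and hops[i - 1]["by"] not in hop["names"]:
            findings.append(f"chain break: {hops[i - 1]['by']} handed off, "
                            f"but next hop claims to come from {hop['from']}")
    return findings

if __name__ == "__main__":
    print(*analyze(FORGED_CHAIN), sep="\n")
```

Run against the legitimate Earthlink chain earlier in the message, the same walk reports nothing, because each "from" matches the preceding "by".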