* A spamware daemon is installed on the dedicated server, to keep the network interface in promiscuous mode
* The daemon determines which IP addresses on the local subnet are not in use. It also determines the addresses of the network routers. One or more unused IP addresses are commandeered for use by the spammer.
* The perp server sends unrequested ARP responses to only the gateway routers, so that the routers never have to ask for a layer-3 to layer-2 association -- it's alway in the ARP cache of the routers. Nobody else sees this traffic in an EtherSwitch fabric, so ARPWATCH and its kin are defeated. Pings and traceroutes also fail with "host unreachable.". The daemon then only has to watch on the NIC, in promiscuous mode, for TCP packets to the hijacked address on port 80, and pass them down the tunnel to the remote Web server.
* Finally, GRE and IPIP tunneling is used to connect the stolen IP addresses to the spammer's real servers hosted elsewhere.
The end result is that the spammer has created a server at an IP address which not even the owners of the network are aware of.
And if one went to http://www.senderbase.org/ and monitored their own IP block, wouldn't the spammer appear there? Or just plain monitoring spikes in outgoing port 25 traffic should alert someone that something is amiss. -Hank