Re: Mysterious Spam

Clever Left wrote:
I have been receiving mail that's usually addressed with parts of names from my contact list. I know that sounds crazy and most spammers try to use common names and do, but we're talking unusual names. I won't mention them, but let's just say it's too close for my comfort.

Another issue is that we usually receive spam claiming to be from us.
Here is a post from spam with our credentials sent to us (I replaced our real domain with the example.com domain):

Microsoft Mail Internet Headers Version 2.0
Received: from Student02 ([202.129.34.126] RDNS failed) by example.com with Microsoft SMTPSVC(6.0.3790.3959);
Tue, 18 Nov 2008 20:45:31 -0600
X-Originating-IP: [107.32.6.794] <<<<Not our IP
X-Originating-Email: [contact@xxxxxxxxxxx] <<<One of our valid email addresses
X-Sender: contact@xxxxxxxxxxx <<<One of our valid email addresses
Return-Path:<contact@xxxxxxxxxxx> <<<One of our valid email addresses
Received: (qmail 2513 by uid 163); Wed, 19 Nov 2008 09:44:57 +0700
Message-Id: <20081119164457.2515.qmail@Student02>
To: <contact@xxxxxxxxxxx> <<<One of our valid email addresses
Subject: "SPECIAL OFFERS" Order Meds Online.5712eh
From:<contact@xxxxxxxxxxx> <<<One of our valid email addresses
MIME-Version: 1.0
Importance: High
Content-Type: text/html
X-OriginalArrivalTime: 19 Nov 2008 02:45:32.0276 (UTC) FILETIME=[E3FD0B40:01C949F0]
Date: 18 Nov 2008 20:45:32 -0600

Why would a spammer do this? If they were pretending to be us, why send it to us? I know we are not the only recipients of this mail because we get mail like this:


That all sounds fairly normal. One or more of your real addresses has been harvested, possibly by a virus running on one of your customers' machines. The addresses picked to forge as Reply-To: and others may be random, or they may be deliberately related to your domain, for reasons Alexander gave.

These days, spammers will not normally send to real addresses, but to deliberately unlikely ones at a real domain, while giving real addresses as From: and Reply-To: headers. The intention is that the email will be rejected and an NDR returned to the 'sender'. As a matter of courtesy, the rejecting server normally includes the full content of the rejected email i.e. the spam, which is then sent from a legitimate mail server to the forged sender.

This process only works where email is accepted by a server which doesn't have access to the real list of domain users, e.g. a domain-wide POP3 server. If you were receiving mail directly by SMTP and had recipient verification enabled, your server would simply refuse to complete the transaction for any mail that wasn't properly addressed, the spammer wouldn't even get as far as sending the content, and no NDRs to innocent forged senders would be generated. If the incorrect address was genuinely accidental, a typo or similar, then the *sending* server would generate an NDR saying 'no such recipient' for its client, who hopefully would spot the error. Needless to say, spam software will not be doing that.

Note this header:
> Received: from Student02 ([202.129.34.126] RDNS failed) by example.com
> with Microsoft SMTPSVC(6.0.3790.3959);

If this is the Received: header where a legitimate mail server gets hold of the email (i.e. usually the top one), then it is the only header which is definitely genuine, and which contains the IP address of the sending server. This is not necessarily where the spam originated, as an intermediate server may have been used as an open relay to disguise the spammer's location. Not that it matters, as the spam will normally be sent by a hijacked home computer. This is what most viruses do these days; there's no money in just wiping somebody's hard drive.

*All* other headers below this may be forged. An email can be sent with no headers at all (you can do this manually, using Telnet), and only the ones added by the legitimate receiving server are valid. 'X-' type headers are non-standard ones (not covered by SMTP RFCs) which can be added by any server, and are often added by spam software to give some kind of extra credibility or misdirection.

Note also that none of the headers necessarily contains the address to which an SMTP email has been sent, which will appear in the transactions of the SMTP server and so in the logs, but does not necessarily ever exist in the email itself. SMTP is not sent to the address referred to in the To: header; that's there for the convenience of email client software.

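As an added illustration of the reply's point (not code from the thread), the Python below applies it to a header block modelled on the one quoted above: it keeps only the Received: line written by the receiver's own MTA, takes the connecting IP from it, and flags the mail when From:/Return-Path: claim the local domain but that IP is not one of the domain's own mail servers. The domain, the "by" host name and the set of genuine sending IPs are assumptions.

```python
import ipaddress
import re
from email.parser import HeaderParser

# Assumptions (not from the thread): the poster's domain, the host name its own
# MTA writes after "by" in Received:, and the IPs its outbound mail really uses.
OUR_DOMAIN = "example.com"
OUR_HOSTS = {"example.com"}
OUR_SENDING_IPS = {"192.0.2.10"}

# Constructed sample, modelled on the header block quoted in the thread.
SAMPLE = (
    "Received: from Student02 ([202.129.34.126] RDNS failed) by example.com"
    " with Microsoft SMTPSVC(6.0.3790.3959);\n"
    "\tTue, 18 Nov 2008 20:45:31 -0600\n"
    "X-Originating-IP: [107.32.6.794]\n"
    "X-Sender: contact@example.com\n"
    "Return-Path: <contact@example.com>\n"
    "Received: (qmail 2513 by uid 163); Wed, 19 Nov 2008 09:44:57 +0700\n"
    "Message-Id: <20081119164457.2515.qmail@Student02>\n"
    "To: <contact@example.com>\n"
    "From: <contact@example.com>\n"
    "Subject: \"SPECIAL OFFERS\" Order Meds Online.5712eh\n\n"
)

# Connecting IP in brackets, then the "by <host>" naming the receiving MTA.
RECV_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\][^;]*?\bby\s+([^\s;]+)")

def valid_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:          # e.g. an octet above 255, as in the sample
        return False

def analyze(raw, our_domain=OUR_DOMAIN, our_hosts=OUR_HOSTS, our_ips=OUR_SENDING_IPS):
    msg = HeaderParser().parsestr(raw)
    received = msg.get_all("Received", [])
    # Only the Received: line our own MTA wrote (normally the top one) is
    # trustworthy; every header beneath it arrived inside the message itself.
    trusted_ip = None
    for hop in received:
        m = RECV_RE.search(hop.replace("\n", " "))
        if m and m.group(2).lower() in our_hosts:
            trusted_ip = m.group(1)
            break
    claimed = [msg.get(h, "") for h in ("From", "Return-Path", "X-Sender")]
    claims_us = any(("@" + our_domain) in v.lower() for v in claimed)
    x_ip = (msg.get("X-Originating-IP") or "").strip("[] ")
    return {
        "connecting_ip": trusted_ip,
        "claims_our_domain": claims_us,
        "untrusted_received": len(received) - (1 if trusted_ip else 0),
        "x_originating_ip_valid": valid_ipv4(x_ip) if x_ip else None,
        # Claims to be from us, yet did not arrive from one of our own servers.
        "forged_sender": claims_us and trusted_ip not in our_ips,
    }
```

The envelope recipient (RCPT TO) never appears in these headers, so the same check on a live system would be paired with the MTA's transaction log rather than the To: line.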
