Spammers Faking Received Headers (duh)

Recently I was perplexed by the number of spam messages that were getting through my SpamAssassin setup. A coworker forwarded a couple of obvious spams the other day and he was wondering too. So I decided to do a little digging. Out of a random sample of spam coming through when I checked, about 85% or more were using a particular tactic to try to bypass filters.

All of them had a faked received header at the “beginning” of the message’s path. The faked header matched up with the faked from address as well. Of course this was not a big shock. I’ve seen faked headers before, but not on this scale and so similar. An unusual number of them were pushing stocks instead of pills, too.

Here is a sample from one message:

Received: from gateway-s.comcast.net (48-139.207-68.elmore.res.rr.com [68.207.139.48])
by <my mail server> (Postfix) with ESMTP id 1C3FF4A009;
Thu, 23 Jun 2005 05:10:38 -0500 (EST)
Received: from earthlink.net
by Annie.earthlink.net (Postfix) with SMTP id 44821
...
From: "Lillian Summers" <rockypeakt@earthlink.net>

Note the repeated use of “earthlink.net” throughout. I have seen many domains used there, including ameritrade.com, bellsouth.net, bigpond.com, adelphia.com, and even some off the wall ones that look random.

They all seem to follow this pattern:

Received: from <fake host> (<real sender hostname> [<real sender IP>])
by <my mail server> ...
Received: from <spoofed domain>
by <random server name>.<spoofed domain> (Postfix) with SMTP id 44821
...
From: "<random name>" <<random userid>@<random domain>>

Some (not all) of the messages that employed this tactic had triggered SpamAssassin’s ALL_TRUSTED test, and were pretty much waved on through. It seems like they were trying to fool SA’s automatic trust path, often with success. After looking around a bit I followed the advice at http://wiki.apache.org/spamassassin/TrustPath and set up trusted_networks and internal_networks in SpamAssassin.
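As an added example (not part of the original post, and not SpamAssassin’s own code): a small Python script that parses Received headers laid out in the pattern above and applies a simplified version of the trust-path idea, so the forged inner hop is only examined once the first untrusted client IP has been passed. The header sample is constructed from the pattern, with mail.example.org standing in for my mail server and 192.0.2.45 for the sender’s real IP.

```python
import ipaddress
import re

# Constructed sample modelled on the pattern in the post (not a real message); the
# client IP is from the TEST-NET-1 range and mail.example.org stands in for my MTA.
SAMPLE = (
    "Received: from gateway-s.comcast.net (cpe-192-0-2-45.example.net [192.0.2.45])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 1C3FF4A009;\n"
    "\tThu, 23 Jun 2005 05:10:38 -0500 (EST)\n"
    "Received: from earthlink.net\n"
    "\tby Annie.earthlink.net (Postfix) with SMTP id 44821\n"
    'From: "Lillian Summers" <rockypeakt@earthlink.net>\n'
)
# helo = name the client announced; rdns/ip = what the receiving MTA actually saw.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?:(?P<rdns>[^\s()\[\]]+)\s+)?"
                    r"\[(?P<ip>[0-9.]+)\]\))?.*?\bby\s+(?P<by>\S+)", re.S)

def unfold(raw):
    """Join RFC 822 continuation lines so each header is one string."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in " \t" and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(raw):
    """One dict (helo, rdns, ip, by) per Received header, top (newest) to bottom."""
    hits = (HOP_RE.search(l) for l in unfold(raw) if l.lower().startswith("received:"))
    return [m.groupdict() for m in hits if m]

def trust_boundary(hops, trusted_networks):
    """Index of the first hop whose client IP lies outside trusted_networks: that IP is
    the last verifiable fact, and every Received header below it may be forged."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for i, hop in enumerate(hops):
        if hop["ip"] is None or not any(ipaddress.ip_address(hop["ip"]) in n for n in nets):
            return i
    return len(hops)

def forged_origin_findings(raw, trusted_networks):
    """Flag untrusted hops that match the pattern described in the post."""
    hops = parse_received(raw)
    m = re.search(r"^from:.*@([\w.-]+)>?\s*$", "\n".join(unfold(raw)), re.I | re.M)
    from_domain = m.group(1).lower() if m else ""
    findings = []
    for hop in hops[trust_boundary(hops, trusted_networks) + 1:]:
        if hop["ip"] is None:
            findings.append("hop 'from %s by %s' carries no client IP" % (hop["helo"], hop["by"]))
        if from_domain == hop["helo"].lower() and hop["by"].lower().endswith("." + from_domain):
            findings.append("hop names the From: domain %s on both sides" % from_domain)
    return findings
```

With only my own network trusted the inner earthlink.net hop is flagged twice; if the sender’s network were (wrongly) treated as trusted, the boundary moves down one hop and nothing is flagged, which is the ALL_TRUSTED effect described above.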

Now to see if that makes any difference whatsoever… After about 2 days, it doesn’t seem to have had that dramatic of an impact on what SpamAssassin is blocking. Previously it had been blocking upwards of 20% total mail volume, and now it’s at or below 10% on a given day.

Also I’ve seen an overall threefold increase in total mail volume, but my RBL rejection counts have remained steady. I do not use SpamAssassin’s RBL checking; I do that at the MTA level. As a consequence, the RBL check can only verify the last hop before the message reaches me, not every hostname in the message.

My next step is to try updating SpamAssassin from 3.0.2 to 3.0.4, and maybe finding another RBL or two, as most of these appeared to come from cable modems.

It could be a big new spammer, a new piece of spamming software, or someone unleashing a large number of compromised PCs. No matter what the cause is, it’s very annoying.

I’ll keep an eye on it; maybe I only saw so many by coincidence or timing.

The mystery continues…
