OT: got spam today that fooled Spamcop reporting
Jeff A. Earickson
jaearick at COLBY.EDU
Fri Jan 30 13:55:57 GMT 2004
Gang,
I got a spam today from 166.90.145.153 that I sent off to
spamcop for reporting. When I got the response back and went
to the SpamCop link, its software had deduced that *my* mail
server was the spam source, not 166.90.145.153. I looked at
the mail headers and found:
From jaearick at colby.edu Fri Jan 30 06:40:02 2004 -0500
Return-Path: <qsmj at ydrfcp.makeup-site.info>
Received: from hqbzdctu.makeup-site.info ([166.90.145.153])
by basalt.colby.edu (8.12.11/8.12.11/1.48') with ESMTP id
i0UBdtTk029229
for <jaearick at colby.edu>; Fri, 30 Jan 2004 06:39:56 -0500 (EST)
Ok so far, it agrees with my syslogs. Then the bogosity begins:
Resent-Date: Fri, 30 Jan 2004 06:39:55 -0500 (EST)
Resent-From: qsmj at ydrfcp.makeup-site.info
Resent-Message-Id: <200401301139.i0UBdtTk029229 at basalt.colby.edu>
Received: from basalt.colby.edu (137.146.210.56)
by hqbzdctu.makeup-site.info with SMTP id CLQ8TSZ8TN7; Fri, 30 Jan 2004
06:30:30 -0400
Received: from nfgwb.makeup-site.info (HELO nfgwb) (172.16.78.185)
by basalt.colby.edu with SMTP; Fri, 30 Jan 2004 06:30:30 -0400
Reply-To: <qsmj at ydrfcp.makeup-site.info>
From: "Elizabeth" <qsmj at ydrfcp.makeup-site.info>
Hmmm. The bottom-most IP (172.16.78.185) is an IANA reserved number so
Spamcop throws it away. The next number up is 137.146.210.56, my
mail server, so SpamCop locks onto that and says that my mail server
sent the spam. Not so. There is no msgid CLQ8TSZ8TN7 in my syslogs.
In fact it isn't even the right number of characters since my server
runs sendmail 8.12.11. This header is totally forged.
So, spammers have figured out how to trick SpamCop into having spam
reporters blacklist their own sites. Ouch. If you are auto-reporting
spam to SpamCop, beware.
I have reported this to Julian Haight, owner of SpamCop, by email.
Spamcop doesn't have an email address for bug reporting so I had to
send it to him.
Jeff Earickson
Colby College
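The two ways of reading that Received: chain, as an added example that is not part of Jeff's post and not SpamCop's code: `naive_origin` does what the post describes SpamCop doing (start at the oldest hop, skip reserved literals, take the first routable IP), and `trusted_origin` walks newest-first through stamps written by a host we trust and treats everything below the first external hand-off as the sender's unverifiable claim. The three headers are the post's own, with the folded lines re-joined; the trusted-host set and the assumption that a sendmail 8.12 Received: stamp always carries a 14-character queue id (shaped like the `i0UBdtTk029229` on the page) are mine.

```python
"""
Walk a Received: chain two ways: the naive bottom-up walk that mis-attributes
the forged chain in the post, and a trust-boundary walk that does not.
"""
import ipaddress
import re

# Constructed sample: the three Received: headers from the post, newest first
# (the order a mail client shows them), with the folded lines re-joined.
SAMPLE_RECEIVED = [
    "from hqbzdctu.makeup-site.info ([166.90.145.153]) by basalt.colby.edu "
    "(8.12.11/8.12.11/1.48') with ESMTP id i0UBdtTk029229 "
    "for <jaearick@colby.edu>; Fri, 30 Jan 2004 06:39:56 -0500 (EST)",
    "from basalt.colby.edu (137.146.210.56) by hqbzdctu.makeup-site.info "
    "with SMTP id CLQ8TSZ8TN7; Fri, 30 Jan 2004 06:30:30 -0400",
    "from nfgwb.makeup-site.info (HELO nfgwb) (172.16.78.185) "
    "by basalt.colby.edu with SMTP; Fri, 30 Jan 2004 06:30:30 -0400",
]

# Assumption: the only host whose Received: stamps we trust is our own MX.
TRUSTED_BY = {"basalt.colby.edu"}
# Assumption: sendmail 8.12 queue ids look like i0UBdtTk029229 (14 alphanumerics).
SENDMAIL_QID = re.compile(r"^[A-Za-z0-9]{14}$")

FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"\bby\s+([^\s;(]+)")
ID_RE = re.compile(r"\bid\s+([^\s;]+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hop(line):
    """Pull the from-host, its IP literal, the stamping host and the queue id."""
    from_part = line.split(" by ", 1)[0]  # the IP literal belongs to the sender side
    m_from, m_by = FROM_RE.search(line), BY_RE.search(line)
    m_id, m_ip = ID_RE.search(line), IP_RE.search(from_part)
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
        "id": m_id.group(1) if m_id else None,
    }


def unroutable(ip):
    """Private, loopback, link-local or reserved literals cannot be the real Internet sender."""
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_loopback or a.is_link_local or a.is_reserved


def naive_origin(received):
    """The walk the post describes: oldest hop first, first routable IP wins.
    On the forged chain this lands on our own MX, 137.146.210.56."""
    for hop in reversed([parse_hop(line) for line in received]):
        if hop["ip"] and not unroutable(hop["ip"]):
            return hop["ip"]
    return None


def trusted_origin(received, trusted_by=TRUSTED_BY):
    """Newest first, through stamps written by hosts we trust: the sender of the
    first routable external IP is the origin.  Every hop below that was written
    by someone else and is only the sender's claim, so it is checked, not believed."""
    hops = [parse_hop(line) for line in received]
    origin, findings, i = None, [], 0
    while i < len(hops) and hops[i]["by"] in trusted_by:
        origin = hops[i]["ip"]
        i += 1
        if origin and not unroutable(origin):
            break  # first hand-off from the outside world into our MX
    for n, hop in enumerate(hops[i:], start=i):
        if hop["from"] in trusted_by:
            findings.append(f"hop {n}: untrusted stamp claims it received from {hop['from']}; unverifiable")
        if hop["by"] in trusted_by:
            why = "appears below an untrusted stamp"
            if not hop["id"] or not SENDMAIL_QID.match(hop["id"]):
                why += "; no 14-char sendmail queue id"
            findings.append(f"hop {n}: 'by {hop['by']}' is forged ({why})")
        if hop["ip"] and unroutable(hop["ip"]):
            findings.append(f"hop {n}: {hop['ip']} is unroutable, cannot be the sender")
    return origin, findings


if __name__ == "__main__":
    print("naive  :", naive_origin(SAMPLE_RECEIVED))
    origin, findings = trusted_origin(SAMPLE_RECEIVED)
    print("trusted:", origin)
    for f in findings:
        print("  ", f)
```

The difference is where trust is anchored: the bottom-up walk believes whatever the spammer's host wrote, so a forged `by basalt.colby.edu` line plus a reserved-range decoy steers it onto the reporter's own MX; the trusted walk stops at the first stamp our own MX wrote and only audits the rest. Before auto-reporting, the queue id from that trusted stamp (`i0UBdtTk029229` here) is the one to cross-check against syslog.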