[Mimedefang] Faked Received + Old Lists

2006-11-28 Thread Joseph Brennan


How OLD are the lists spammers use?  The stock spam below was sent to
[EMAIL PROTECTED].  cu20b was retired in 1987!

The lower Received header is faked.  columbia.edu resolves to
external-smtp-multi-vif.cc.columbia.edu, but that's a virtual
interface, not a host.  No Received would ever have "by external..."
in it.  This is a variation on the recently described Received forgery.
We have been checking already for "by columbia.edu" in Received, and
I will add this variation today.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology


-- Forwarded Message --

. . .

Received: from ppp25-145.adsl.forthnet.gr
(ppp25-145.adsl.forthnet.gr [212.251.108.145])
by longan.cc.columbia.edu (8.13.7/8.13.6) with SMTP
id kAS8pfii018311 for <[EMAIL PROTECTED]>;
Tue, 28 Nov 2006 03:51:49 -0500 (EST)
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from [212.251.108.145] (port=40748
helo=ppp25-145.adsl.forthnet.gr)
by external-smtp-multi-vif.cc.columbia.edu with esmtp
id 515070-515070-81 for [EMAIL PROTECTED];
Tue, 28 Nov 2006 10:51:44 +0200 (EET)
Message-ID: <[EMAIL PROTECTED]>
From: "Misty" <[EMAIL PROTECTED]>
To: "Amado" <[EMAIL PROTECTED]>
Subject: AggressiveInvestorsAlert
Date: Tue, 28 Nov 2006 10:51:44 +0200 (EET)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_NextPart_001_24F6_01C712CA.6E04A380"

. . .


BLNM Price Climbs 92% and Volume is up 10,000% In Just Two Days Trading!
It's not to late to get in!

Company: Bralorne Mining Company
Symbol: BLNM.OB
Price: $0.31 (+92% in 2 days)
5 Day Target: $1.15


-- End Forwarded Message --

___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] Faked Received + Old Lists

2006-11-28 Thread Damrose, Mark
> -Original Message-
> From: Joseph Brennan

> The lower Received header is faked.  columbia.edu resolves to 
> external-smtp-multi-vif.cc.columbia.edu, but that's a virtual 
> interface, not a host.  

> > Received: from [212.251.108.145] (port=40748
> > helo=ppp25-145.adsl.forthnet.gr)
> > by external-smtp-multi-vif.cc.columbia.edu with esmtp
> > id 515070-515070-81 for [EMAIL PROTECTED];
> > Tue, 28 Nov 2006 10:51:44 +0200 (EET)

I've been seeing these as well.

After a couple of false starts with false positives, here are the
rules that seem to be working:

header __ECC_FORGED_SMTPGATE3_RCVD1 Received =~
/(?


RE: [Mimedefang] Faked Received + Old Lists

2006-11-28 Thread Damrose, Mark
> -Original Message-
> From: Damrose, Mark

> After a couple of false starts with false positives, here's 
> the rules that seem to be working
> 
> header __ECC_FORGED_SMTPGATE3_RCVD1 Received =~
> /(? g\)\swith\sESMTP)/
> header __ECC_FORGED_SMTPGATE3_RCVD2 Received =~
> /by\ssmtpgate3.elgin.edu\swith\sesmtp/
> meta ECC_FORGED_SMTPGATE3_RCVD __ECC_FORGED_SMTPGATE3_RCVD1 || __ECC_FORGED_SMTPGATE3_RCVD2


Doh!  One more false positive to add...

Mail from an internal mail server that passes outbound to a
list and comes back.  The real sendmail Received header is not
exactly the same as the one MD adds.

I added a rule that matched the internal host (sorry, not posting
the details here) and changed the meta rule to:

meta ECC_FORGED_SMTPGATE3_RCVD ( __ECC_FORGED_SMTPGATE3_RCVD1 ||
__ECC_FORGED_SMTPGATE3_RCVD2 ) && ! __ECC_VALID_EXCHANGE



RE: [Mimedefang] Faked Received + Old Lists

2006-11-29 Thread Damrose, Mark
> -Original Message-
> From: Joseph Brennan

> The lower Received header is faked.  columbia.edu resolves to 
> external-smtp-multi-vif.cc.columbia.edu, but that's a virtual 
> interface, not a host.  

> > Received: from [212.251.108.145] (port=40748
> > helo=ppp25-145.adsl.forthnet.gr)
> > by external-smtp-multi-vif.cc.columbia.edu with esmtp
> > id 515070-515070-81 for [EMAIL PROTECTED];
> > Tue, 28 Nov 2006 10:51:44 +0200 (EET)

Here's a more generic test for the same header.  Not all of
the forged header attempts look like they relayed through
you.  About 1 in 20 are just random.

header __ECC_VALID_EXIM Received =~
/with\s(?i:[ea]?smtpa?|local)\s\(Exim(?:\s\d\.\d\d)?\)/
header __ECC_PORT_HELO Received =~ /\(port=\d{3,5}\shelo=[\d\w\.-]+\)/
header __ECC_BAD_EET Received =~ /(?
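The two checks discussed in this thread, put together as an added example written for this archive page; it is not code from any of the posts and not a MIMEDefang or SpamAssassin rule file.  The "never a by host" names are the ones Joseph describes (columbia.edu and the external-smtp-multi-vif virtual interface name), the two Exim-style regexes are copied from Mark's __ECC_VALID_EXIM and __ECC_PORT_HELO rules, and combining them as "port/helo present but no Exim tag" is an assumption, since the meta rule that follows __ECC_BAD_EET did not survive in the archive.  The exempt internal host relay-internal.example.edu stands in for the host behind Mark's unposted __ECC_VALID_EXCHANGE rule, and all sample headers are constructed (the spam's hop is modelled on the forwarded message, with the recipient replaced by an example.edu placeholder).

```python
"""Flag forged Received: hops the way the thread describes (added example)."""
import re

# Regexes copied from Mark Damrose's posted sub-rules; Python's re accepts
# the same syntax, including the scoped (?i:...) flag.
RE_VALID_EXIM = re.compile(r"with\s(?i:[ea]?smtpa?|local)\s\(Exim(?:\s\d\.\d\d)?\)")
RE_PORT_HELO = re.compile(r"\(port=\d{3,5}\shelo=[\d\w\.-]+\)")
# The "by <host>" token of a Received header: host runs up to space, '(' or ';'.
RE_BY_HOST = re.compile(r"\bby\s+([^\s(;]+)", re.IGNORECASE)

# Names that resolve for the site but never appear as a real "by" host
# (Joseph Brennan's bare domain and virtual-interface name).
NEVER_BY = {"columbia.edu", "external-smtp-multi-vif.cc.columbia.edu"}
# Hypothetical internal relay whose genuine headers look odd (stand-in for
# the host behind Mark's __ECC_VALID_EXCHANGE, which he did not post).
EXEMPT_BY = {"relay-internal.example.edu"}


def unfold_received(raw_headers):
    """Return the values of all Received: headers with folded lines joined."""
    values, current = [], None
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t"):            # continuation of the open header
            if current is not None:
                current.append(line.strip())
            continue
        if current is not None:                # a new header closes the old one
            values.append(" ".join(current))
            current = None
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "received":
            current = [value.strip()]
    if current is not None:
        values.append(" ".join(current))
    return values


def classify_hop(received, never_by, exempt_by):
    """Return the set of rule names a single Received header triggers."""
    hits = set()
    m = RE_BY_HOST.search(received)
    by_host = m.group(1).lower() if m else ""
    if by_host in exempt_by:
        return hits                            # trusted internal hop, never scored
    if by_host in never_by:
        hits.add("FORGED_LOCAL_BY")            # claims a hop our site never writes
    # Exim-style "(port=N helo=X)" without Exim's own "with esmtp (Exim x.xx)";
    # combining the two posted sub-rules this way is an assumption.
    if RE_PORT_HELO.search(received) and not RE_VALID_EXIM.search(received):
        hits.add("PORT_HELO_NOT_EXIM")
    return hits


def forged_hops(raw_headers, never_by, exempt_by=frozenset()):
    """List (header, sorted rule names) for every hop that triggers a rule."""
    never_by = {h.lower() for h in never_by}
    exempt_by = {h.lower() for h in exempt_by}
    out = []
    for rcvd in unfold_received(raw_headers):
        hits = classify_hop(rcvd, never_by, exempt_by)
        if hits:
            out.append((rcvd, sorted(hits)))
    return out


# Constructed sample header blocks.  SPAM_HEADERS follows the forwarded spam:
# a genuine sendmail hop written by longan, then the forged "virtual interface" hop.
SPAM_HEADERS = """\
Received: from ppp25-145.adsl.forthnet.gr
    (ppp25-145.adsl.forthnet.gr [212.251.108.145])
    by longan.cc.columbia.edu (8.13.7/8.13.6) with SMTP
    id kAS8pfii018311 for <user@example.edu>;
    Tue, 28 Nov 2006 03:51:49 -0500 (EST)
X-Original-To: user@example.edu
Received: from [212.251.108.145] (port=40748
    helo=ppp25-145.adsl.forthnet.gr)
    by external-smtp-multi-vif.cc.columbia.edu with esmtp
    id 515070-515070-81 for user@example.edu;
    Tue, 28 Nov 2006 10:51:44 +0200 (EET)
Subject: AggressiveInvestorsAlert
"""
# A genuine Exim hop: port/helo form plus Exim's own version tag.
EXIM_HEADERS = """\
Received: from [192.0.2.10] (port=2525 helo=mail.example.net)
    by mx.example.net with esmtp (Exim 4.63)
    id 1Gp0Xx-0001Ab-2C for <user@example.edu>; Tue, 28 Nov 2006 10:00:00 +0000
"""
# Odd-looking but genuine hop from the internal relay (the false-positive case).
INTERNAL_HEADERS = """\
Received: from [10.1.2.3] (port=3125 helo=EX1)
    by relay-internal.example.edu with esmtp id 4711
    for <list@example.net>; Wed, 29 Nov 2006 09:00:00 -0600 (CST)
"""

if __name__ == "__main__":
    for label, hdrs in (("spam", SPAM_HEADERS), ("exim", EXIM_HEADERS),
                        ("internal", INTERNAL_HEADERS)):
        print(label, forged_hops(hdrs, NEVER_BY, EXEMPT_BY))
```

Run as a script it prints the spam's forged hop with both rule names and nothing for the other two blocks; drop EXEMPT_BY from the internal call and that hop is reported as PORT_HELO_NOT_EXIM, which is exactly the false positive Mark had to exclude.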