On 25/02/14 16:08, mick wrote:
> I think it is fairly clear that what he is seeing is backscatter from undeliverables where a spammer has used his email address as the (spoofed) sender. So far so predictable. However, the email he sent me includes a set of X headers inserted by an anti-spam package called "Declude". One of those headers (X-Declude-Sender:) includes one of MY email addresses. My reading of the Declude manual suggests that what should be shown here is HIS address (as the suspected sender).
> Can anyone suggest what may be going on here? If a spammer were using my email address as the spoofed sender I would expect to get the bounce message, not him.
I don't know what's going on, but here's a possibility:
AFAIK lots of spam is sent by viruses/Trojans or hijacked computers. It won't be sent by a traditional email system, but directly by some malware. This malware will send out the spam but with multiple different "from" and "to" addresses inserted into it. Some malware adds fake spam-score and anti-virus headers into the spam in an effort to trick the receiver's computer into thinking it's not spam, and so getting it seen by more recipients. It could just be that whoever crafted the spam template got their $from and $to tokens mixed up in the spam template, or just credited you with it in many cases.
e.g. (everything like $SOMEVALUE is replaced with something else when the email is sent.)

From: $YOUR_FRIEND [ Mail to $YOUR_FRIENDS_EMAIL_ADD]
To: $SOME_POOR_SOD
Subject: Some subject or other...
Message-ID: $GENERATE_MESSAGE_ID
Date: $DATE_TIME
X-Declude-Sender: $YOUR_EMAIL_ADDRESS
X-Declude-Spoolname: 217461170.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude $DATE
Some more headers...

Message Body...
Just a hunch but it might be right. Whatever the case, you can't trust headers in spam. Many/all of them could be faked.
HTH
Steve
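The point Steve makes, that X-Declude-* and other non-trace headers arrive with the message and say nothing reliable about who sent it, can be checked mechanically. The script below is an added example and is not code from this thread, from Declude or from any list member; the sample message, the hostnames and the addresses in it are constructed. It separates the Received line written by your own MTA (the only hop you can vouch for) from everything else, and flags an X-Declude-Sender value that disagrees with the From: address, exactly the mismatch mick noticed.

```python
"""Audit which headers of a suspect message were added locally and which
arrived with the message (and are therefore under the sender's control)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a message from the thread. It mirrors the layout
# Steve sketches: ordinary originator headers plus X-Declude-* lines that
# were already present when the message reached our MTA (mx.example.org).
SAMPLE = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
    "\tby mx.example.org with ESMTP id abc123; Tue, 25 Feb 2014 16:00:00 +0000\n"
    "From: Some Friend <friend@example.com>\n"
    "To: victim@example.org\n"
    "Subject: Some subject or other\n"
    "Message-ID: <generated@example.com>\n"
    "Date: Tue, 25 Feb 2014 15:59:00 +0000\n"
    "X-Declude-Sender: mick@example.net\n"
    "X-Declude-Spoolname: 217461170.eml\n"
    "X-Declude-RefID: \n"
    "X-Declude-Note: Scanned by Declude 25/02/14\n"
    "\n"
    "Message body...\n"
)


def _unfold(value):
    """Collapse a folded header value onto one line."""
    return " ".join(value.split())


def received_hops(raw):
    """Return Received headers top-down (most recent hop first)."""
    msg = message_from_string(raw)
    return [_unfold(v) for v in msg.get_all("Received", [])]


def trusted_hop(raw, our_host):
    """Only the Received line written by our own MTA can be trusted. It is the
    first (topmost) one and must name our host in its 'by' clause; anything
    below it was present when the message arrived and may be forged."""
    hops = received_hops(raw)
    if hops and (" by %s " % our_host) in hops[0]:
        return hops[0]
    return None


def audit(raw):
    """Compare the sender claimed by From: with the one in X-Declude-Sender.
    Both travel with the message, so a disagreement proves nothing about who
    sent it, but it is a cheap sign that the scanner headers were not written
    by a scanner at all."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    declude_addr = parseaddr(msg.get("X-Declude-Sender", ""))[1]
    scanner_headers = {k: _unfold(v) for k, v in msg.items()
                       if k.lower().startswith("x-declude-")}
    return {
        "from": from_addr,
        "x_declude_sender": declude_addr,
        "scanner_headers": scanner_headers,
        "received": received_hops(raw),
        "mismatch": bool(declude_addr) and declude_addr != from_addr,
    }


if __name__ == "__main__":
    print("trusted hop:", trusted_hop(SAMPLE, "mx.example.org"))
    for key, value in audit(SAMPLE).items():
        print(key, "=", value)
```

Run it as-is to see the report for the constructed sample; pass your own raw message text and your MTA's hostname to `audit` and `trusted_hop` for a real case. Note that `mismatch` is only a hint: a spammer who keeps the two fields consistent defeats it, which is why the check reports the scanner headers alongside the single trustworthy Received hop rather than treating any of them as evidence of origin.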