Guys
This mail could be considered off topic because it relates to email rather than FLOSS, but I value the opinions of list members so perhaps you will indulge me.
A friend of mine insists that he sees spam email from .ru domains whenever he gets an email from me. Naturally I find this claim a little odd so I asked him to send me some details. He sent me the mail below.
I think it is fairly clear that what he is seeing is backscatter from undeliverables where a spammer has used his email address as the (spoofed) sender. So far so predictable. However, the email he sent me includes a set of X headers inserted by an anti spam package called "Declude". One of those headers (X-Declude-Sender:) includes one of MY email address. My reading of the declude manual suggests that what should be shown here is HIS address (as the suspected sender).
Can anyone suggests what may be going on here? If a spammer were using my email address as the spoofed sender I would expect to get the bounce message, not him.
I have obfuscated both my friend's address and mine. I have also removed the "goo.gl" URL in the email because it was obviously hostile. The failed recipient address is the original, as are the IP addresses.
Best
Mick
----------------- email sample -------------------------------
-----Original Message----- From: System Administrator [mailto:System Administrator] Sent: 25 February 2014 09:26 To: my-friend@his-address.com Subject: Delivery Failure
Could not deliver message to the following recipient(s):
Failed Recipient: umnovai@kfker.ru Reason: Remote host said: 530 5.7.1 No such user!
-- The header and top 20 lines of the message follows --
Received: from Unknown (UnknownHost [112.241.213.245]) by mail.delawarewebs.com with SMTP; Tue, 25 Feb 2014 04:23:48 -0500 Message-ID: 8B4E322C08AD471651D1FEEAD2G1D34S@ogunb
Subject: =?windows-1251?B?7+4g8ODh7vLl?= Date: Tue, 25 Feb 2014 13:22:22 +0400 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0528_01CF322C.9D8C9660" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Windows Live Mail 14.0.8289.726 X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8089.726 X-Declude-Sender: my-address@mydomain.com X-Declude-Spoolname: 217461170.eml X-Declude-RefID: X-Declude-Note: Scanned by Declude 4.13.02 X-Declude-Scan: Outgoing Score [0] at 04:24:02 on 25 Feb 2014 X-Declude-Tests: None X-Country-Chain: X-Declude-Code: 0 X-HELO: Unknown X-Identity: 113.261.243.245 | | rma.ru
------=_NextPart_000_0528_01CF322C.9D8C9660 Content-Type: text/plain; charset="windows-1251" Content-Transfer-Encoding: quoted-printable
=C4=EE=E1=F0=FB=E9 =E4=E5=ED=FC!
=D1=EF=E0=F1=E8=E1=EE, =F7=F2=EE =E7=E0=E8=ED=F2=E5=F0=E5=F1=EE=E2=E0=EB=E8= =F1=FC =F1=E8=F1=F2=E5=EC=EE=E9 "=C0=E2=F2=EE=EC=E0=F2=E8=F7=E5=F1=EA=EE=E9= =F2=EE=F0=E3=EE=E2=EB=E8 =E2 =E8=ED=F2=E5=F0=ED=E5=F2=E5" =D1=E8=F1=F2=E5=EC=E0 =EF=EE=EB=ED=EE=F1=F2=FC=FE =E0=E2=F2=EE=EC=E0=F2=E8= =E7=E8=F0=EE=E2=E0=ED=E0 =E8 =E4=EE=F1=F2=F3=EF=ED=E0 =E4=E0=E6=E5 =ED=EE= =E2=E8=F7=EA=E0=EC! =C2 =F1=E2=EE=E5=EC =C1=EB=EE=E3=E5 http://goo.gl/OBFUSCATED =FF =EE=EF=E8=F1= =E0=EB =F1=E8=F1=F2=E5=EC=F3 =E8 =E5=E5 =EF=F0=E5=E8=EC=F3=F9=E5=F1=F2=E2= =E0, =F2=E0=EA-=E6=E5 =EF=F0=E8=E2=E5=EB =E8=ED=F1=F2=F0=F3=EA=F6=E8=FE =EF= =EE =F0=E0=E1=EE=F2=E5 =F1 =F1=E8=F1=F2=E5=EC=EE=E9! =CE=E7=ED=E0=EA=EE=EC=F2=E5=F1=FC =F1 =E8=ED=F1=F2=F0=F3=EA=F6=E8=E5=E9 =E8= =EC=EE=E6=ED=EE =EF=F0=E8=F1=F2=F3=EF=E0=F2=FC =EA =F0=E5=E3=E8=F1=F2=F0=
---------------------------------------------------------------------
Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
---------------------------------------------------------------------
On 25/02/14 16:08, mick wrote:
{} I think it is fairly clear that what he is seeing is backscatter from undeliverables where a spammer has used his email address as the (spoofed) sender. So far so predictable. However, the email he sent me includes a set of X headers inserted by an anti spam package called "Declude". One of those headers (X-Declude-Sender:) includes one of MY email address. My reading of the declude manual suggests that what should be shown here is HIS address (as the suspected sender).
Can anyone suggests what may be going on here? If a spammer were using my email address as the spoofed sender I would expect to get the bounce message, not him.
I don't know what's going on, but here's a possibility:
AFAIK lots of spam is sent by viruses/Trojans or hijacked computers. It won't be sent by a traditional email system, but directly by some malware. This malware will be send out the spam but with multiple different "from" and "to" addresses inserted into it. Some malware adds fake spam score, anti-virus header messages into the spam in an effort to trick the receiver’s computer into thinking it's not spam, and so getting it seen by more recipients. It could just be that whoever crafted the spam template just got their $from and $to tokens mixed up in the spam template, or just credited you with it in many cases
e.g. (everything like $SOMEVALUE replaced with something else when email sent.)
From: $YOUR_FRIEND [ Mail to $YOUR_FRIENDS_EMAIL_ADD] To: $SOME_POOR_SOD Subject: = Some subject or other... Message-ID: $GENERATE_MESSAGE_ID
Date: $DATE_TIME
X Declude-Sender: $YOUR_EMAIL_ADDRESSS
X Declude-Spoolname: 217461170.eml X Declude-RefID: X Declude-Note: Scanned by Declude $DATE Some more headers...
Message Body...
Just a hunch but it might be right. Whatever the case, you can't trust headers in spam. Many/all of them could be faked.
HTH Steve
On Tue, 25 Feb 2014 22:13:26 +0000 steve-ALUG@hst.me.uk allegedly wrote:
AFAIK lots of spam is sent by viruses/Trojans or hijacked computers. It won't be sent by a traditional email system, but directly by some malware. This malware will be send out the spam but with multiple different "from" and "to" addresses inserted into it. Some malware adds fake spam score, anti-virus header messages into the spam in an effort to trick the receiver’s computer into thinking it's not spam, and so getting it seen by more recipients. It could just be that whoever crafted the spam template just got their $from and $to tokens mixed up in the spam template, or just credited you with it in many cases
Steve
Many thanks.
Yes I know that the bulk of spam is generated by malware on compromised PCs. The reason I use greylisting on my mailserver is that it stops a shed-load of spam coming from such machines (they never come back after the 450 response). And as I said, clearly my friend is getting backscatter from such (undelivered) spam.
But what puzzled me is how /my/ email address should also be involved. I guess that the malware in question resides on a PC which has both mine and my friends email address in the owners address book (not impossible). Then, as you suggest, the malware is simply screwing up somewhere.
Cheers
Mick
---------------------------------------------------------------------
Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
---------------------------------------------------------------------
-
mick -
steve-ALUG@hst.me.uk