Re: email header analysis

[Jay Moore <jay_mo@bellsouth.net>]

On Fri, 12 Sep 2003 16:01:06 -0500, you wrote:

>> In some spam I received, I found the following header: 
>> 
>> --------------------------------------
>> Received: from 57-112.hspg-b3.cablelynx.com
>> (57-112.hspg-b3.cablelynx.com [24.204.57.112])
>>         by kingcull.cullmail.com (8.12.9/8.12.9) with SMTP id
>> h8CJvFi2029627;
>>         Fri, 12 Sep 2003 14:57:17 -0500 (CDT)
>> Received: from (HELO yxe5tru) [221.96.194.116]
>>         by 57-112.hspg-b3.cablelynx.com;
>>         Fri, 12 Sep 2003 19:56:12 -0100
>> --------------------------------------
>> 
>> Which is the _real_ spammer? or, are both real spammers, or open
>> relays, or something else I should block? 
>
>The second line looks bogus, but that doesn't matter much. The first one
>is where you got the email from, and it doesn't much matter if you don't
>want email from them because they're spammers, or if you don't want
>email from them because their an open relay. Either option says you
>don't want email from them.

Agreed - I was actually trying to understand why relaydb only takes
the first ip addr, and not the second. 

$ relaydb -b

adds only 24.204.57.112 to my blacklist... and this addr is not in my
whitelist. According to the relaydb man page:

       -n
>       Don't read past the first Received: header.  By default, relaydb will
>       process all Received: headers as long as the previous header contained
>       an address of a host in the whitelist, trusting the previous host to
>       not have inserted a fake Received: header.  This is useful to blacklist
>       senders that send spam through mailing list servers (or other known-
>       good relays), but allows an attacker to first establish a new whitelist
>       entry for a new host, then send spam from the same address, faking fur-
>       ther Received: headers, to cause relaydb to blacklist those addresses,
>       causing a denial of service for these addresses.

Thanks,
Jay