[time-nuts] 2 (Spoofing)

Chuck Harris cfharris at erols.com
Tue Oct 4 21:51:18 EDT 2011

Hi John,

I have looked at the "originating" IPs in the headers, and I find
a curious thing:  They are all built and structured differently.  Those
on the messages I send through time-nuts don't have my IP listed as
originating... or listed at all.  The header information I find in the
messages that come to me is generally showing the path from febo to my
ISP...  febo is listed as the originating IP.

I think the originating IP header in the spam mail from Jeff was added
there by the spammer... just like they generally add headers that try to
tell you that the message is whitelisted, approved by SpamAssassin, and
not spam, etc.

-Chuck Harris

John Ackermann N8UR wrote:
> See my other message for more details, but the spammers often use a two-step
> approach:  (1) harvest address lists from the web, from compromised machines,
> etc., and (2) send those addresses, along with the payload, off to the botnets who
> then send the actual email.  That gives legitimate-looking senders along with the
> volume sending power of the botnet.
> I think in the past things worked as you suggested and probably often still do,
> Chuck, but if you look at the originating IP on these messages they often are in
> blocks assigned to countries unlikely to be the home of the victim.
> John
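
The point raised in this message, that an "originating IP" or "not spam" header may have been written by the sender, can be checked by finding where the recipient's own relay stamped the message. The following is an added example, not part of the original thread: the relay name in TRUSTED_RELAYS, the sample message and the function name audit_headers are all assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumption: hosts whose Received stamps the recipient trusts (e.g. their ISP's MX).
TRUSTED_RELAYS = {"mx.isp.example"}

# Constructed sample. Each hop prepends its headers, so everything below the
# mx.isp.example stamp was already in the message when it was handed over.
SAMPLE = """\
Received: from relay.list.example (relay.list.example [192.0.2.10])
\tby mx.isp.example with ESMTP id abc123; Tue, 4 Oct 2011 21:40:00 -0400
X-Spam-Status: No, score=-2.0
Received: from home-pc (unknown [203.0.113.7])
\tby relay.list.example with SMTP; Tue, 4 Oct 2011 21:39:50 -0400
X-Originating-IP: [198.51.100.25]
From: jeff@example.org
To: list@example.net
Subject: hello

body
"""

BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.I)   # host that wrote the stamp
IP_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")     # peer address the host recorded

def audit_headers(raw, trusted=TRUSTED_RELAYS):
    """Return (IP seen by the last trusted relay, headers nobody trusted vouches for)."""
    headers = message_from_string(raw).items()
    boundary, handoff_ip = -1, None
    for i, (name, value) in enumerate(headers):
        if name.lower() != "received":
            continue
        by = BY_RE.search(value)
        if not by or by.group(1).lower() not in trusted:
            break  # first stamp we cannot vouch for: chain of custody ends here
        boundary = i
        ip = IP_RE.search(value)
        handoff_ip = ip.group(1) if ip else None
    # Below the boundary, Received and X-* lines are only claims made by the sender.
    unverified = [n for n, _ in headers[boundary + 1:]
                  if n.lower() == "received" or n.lower().startswith("x-")]
    return handoff_ip, unverified

if __name__ == "__main__":
    print(audit_headers(SAMPLE))
```

The only address worth looking up is the one returned first, since it was recorded by a relay the recipient controls or trusts; the X-Originating-IP and X-Spam-Status values in the sample sit below that stamp and carry no more weight than the message body.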

