Some of the newer spamming programs put in fake Received: headers in order to prevent users from finding the first ones. This is rather foolish, as most spammers don’t understand the net and put in wildly bogus values.
Here are a few things that let you know a header has been forged:
- Look for a wrong Eastern Timezone of “-0600 (EST)” (EST is normally -0500, while EDT is -0400) in conjunction with an SMTP id which will always start with “GAA…” This is perhaps the most common Stealth Mailer signature seen (an example of it appears below)
- A new, laughably “repaired” Stealth Mailer has surfaced recently; its signature errors are an SMTP id which always starts with “XAA…” and an Eastern Timezone correction which is even more wrong than before, now listing “-0700 (EDT)”
- Look for a spoofed address in the Received: header. A real Received: header has the address of the recipient as the address (i.e. dmuth@ot.com in the above example). If the address there isn’t yours, it’s a forged header.
- Look for a spoofed SMTP id. A real one generally matches its first letter to the hour of the time the hand-off occurred; e.g., if the time listed in this header is between midnight and 1:00 a.m., its SMTP id should start with “A…”; between 1:00 a.m. and 2:00 a.m. should indicate “B…” and so on.
- Look for IP node numbers of 0 or greater than 254. IP addresses only range from 1 to 254. (0 indicates a network address and 255 is for broadcasting).
- Look for a system named “alt1″, this can be filtered on as I have caught many spams with zero false positives in this manner.
Received: from email4all@aol.com by email4all@aol.com (8.8.5/8.6.5) with
SMTP id GAA02084 for <email4all@aol.com>; Thu, 26 Jun 1997
10:52:37 -0600 (EST)
Received: from lconn.net (alt1.lconn.net(206.25.61.0)) by lconn.net
(8.8.5/8.6.5) with SMTP id GAA06154 for <gpg@lconn.net>; Wed, 25 Jun 1997
23:00:38 -0600 (EST)
No tags