Spoofed Received headers

Some of the newer spamming programs insert fake Received: headers to hide the genuine ones, which show where the message really entered the mail system. This is rather foolish, since most spammers don't understand the net and fill the fakes with wildly bogus values.

Here are a few things that let you know a header has been forged:

  • Look for a wrong Eastern time zone of “-0600 (EST)” (EST is -0500 and EDT is -0400) together with an SMTP id that always starts with “GAA…”. This is perhaps the most common Stealth Mailer signature seen; both examples below show it.

  • A new, laughably “repaired” Stealth Mailer has surfaced recently; its signature errors are an SMTP id that always starts with “XAA…” (which, as explained below, would mean every hand-off happened at 11 p.m.) and an Eastern time zone that is even more wrong than before, now listing “-0700 (EDT)”.

  • Look for a spoofed recipient address. A genuine Received: header names the actual recipient in its “for <…>” clause (the “for <>” in the examples below). If the address there isn't yours, and the mail did not reach you through a mailing list or forwarding alias, the header is forged.

  • Look for a spoofed SMTP id. The sendmail 8.x relays in these examples (the “(8.8.5/8.6.5)” tag is the sendmail version) build the id from the local hour of the hand-off: the first letter is “A” plus the hour, so an id starting “A…” belongs to a hand-off between midnight and 1:00 a.m., “B…” to one between 1:00 and 2:00 a.m., and so on up to “X…” for 11:00 p.m. If that letter does not match the hour in the same header's timestamp, the header is forged: in the first example below, “GAA…” says 6 a.m. while the timestamp says 10:52. Other MTAs use different id formats, so apply this test only to sendmail hand-offs.

  • Look for impossible IP addresses. Each of the four octets of an IPv4 address runs from 0 to 255, so any octet above 255 is fabricated; and a host address should not end in 0 or 255, since under the classful addressing of the day those were the network address and the broadcast address respectively, not hosts.

  • Look for a system named “alt1”; this can be filtered on, as I have caught many spams with zero false positives in this manner.

A few examples of spoofed headers:

Received: from by (8.8.5/8.6.5) with
SMTP id GAA02084 for <>; Thu, 26 Jun 1997
10:52:37 -0600 (EST)
Received: from ( by
(8.8.5/8.6.5) with SMTP id GAA06154 for <>; Wed, 25 Jun 1997
23:00:38 -0600 (EST)
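To make the checks above concrete, here is an added Python example (not from the original post) that applies them to unfolded Received: lines. The sample lines are constructed, with invented hostnames and addresses, modelled on the two examples above; the queue-id rule is the sendmail 8.x “A” + hour convention that the (8.8.5/8.6.5) version tag implies and does not apply to other MTAs, and the zone table beyond EST/EDT is an addition of mine.

```python
import re
from typing import Dict, List, Optional

# Offsets these US zone abbreviations legitimately carry. Constructed table;
# EST/EDT are the two the post cites, the rest are added for completeness.
ZONE_OFFSETS = {
    "EST": "-0500", "EDT": "-0400",
    "CST": "-0600", "CDT": "-0500",
    "MST": "-0700", "MDT": "-0600",
    "PST": "-0800", "PDT": "-0700",
}

# Date clause at the end of a Received: line, e.g. "; Thu, 26 Jun 1997 10:52:37 -0600 (EST)"
DATE_RE = re.compile(
    r";\s*(?:[A-Z][a-z]{2},\s*)?\d{1,2}\s+[A-Z][a-z]{2}\s+\d{4}\s+"
    r"(?P<hour>\d{2}):(?P<min>\d{2}):(?P<sec>\d{2})\s+"
    r"(?P<offset>[+-]\d{4})(?:\s*\((?P<abbrev>[A-Z]{3,4})\))?"
)
# sendmail 8.x queue id: 'A' + hour (A=00 .. X=23), literal "AA", five-digit PID.
QUEUE_ID_RE = re.compile(r"\bid (?P<qid>[A-X]AA\d{5})\b")
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")
FOR_RE = re.compile(r"\bfor <(?P<addr>[^>]*)>")
FROM_HOST_RE = re.compile(r"\bfrom (?P<host>[^\s(]+)")


def queue_id_hour(qid: str) -> Optional[int]:
    """Hour (0-23) encoded in a sendmail 8.x queue id such as 'GAA02084', else None."""
    m = re.fullmatch(r"([A-X])AA\d{5}", qid)
    return None if m is None else ord(m.group(1)) - ord("A")


def check_received(header: str, my_address: str) -> List[str]:
    """Apply the post's heuristics to one unfolded Received: line.

    Returns human-readable findings; an empty list means the line passed
    every check, which does not prove it genuine.
    """
    findings: List[str] = []
    stamp_hour = None

    d = DATE_RE.search(header)
    if d:
        stamp_hour = int(d.group("hour"))
        abbrev, offset = d.group("abbrev"), d.group("offset")
        expected = ZONE_OFFSETS.get(abbrev)
        if expected and expected != offset:
            findings.append(f"zone {abbrev} written as {offset}, should be {expected}")

    q = QUEUE_ID_RE.search(header)
    if q and stamp_hour is not None:
        id_hour = queue_id_hour(q.group("qid"))
        if id_hour != stamp_hour:
            findings.append(
                f"queue id {q.group('qid')} encodes hour {id_hour:02d} "
                f"but the timestamp says {stamp_hour:02d}"
            )

    for m in IPV4_RE.finditer(header):
        octets = [int(o) for o in m.groups()]
        if any(o > 255 for o in octets):
            findings.append(f"impossible IPv4 address {m.group(0)}")
        elif octets[-1] in (0, 255):
            findings.append(f"{m.group(0)} ends in {octets[-1]}: network/broadcast, not a host")

    f = FOR_RE.search(header)
    if f and f.group("addr").lower() != my_address.lower():
        findings.append(f"for <{f.group('addr')}> is not the recipient {my_address}")

    h = FROM_HOST_RE.search(header)
    if h and h.group("host").split(".")[0].lower() == "alt1":
        findings.append(f"relay claims to be {h.group('host')} (alt1 signature)")

    return findings


# Constructed sample lines (hostnames and addresses invented) modelled on the
# post's examples, each unfolded onto a single line.
SAMPLE_HEADERS = [
    "Received: from relay.example.net by mail.example.org (8.8.5/8.6.5) with "
    "SMTP id GAA02084 for <victim@example.org>; Thu, 26 Jun 1997 10:52:37 -0600 (EST)",
    "Received: from alt1.example.com (alt1.example.com [10.0.300.5]) by "
    "mail.example.org (8.8.5/8.6.5) with SMTP id GAA06154 for <someone-else@example.com>; "
    "Wed, 25 Jun 1997 23:00:38 -0600 (EST)",
    # Consistent line for contrast: 'K' = hour 10, EDT really is -0400.
    "Received: from mx.example.edu (mx.example.edu [192.0.2.17]) by "
    "mail.example.org (8.8.5/8.6.5) with SMTP id KAA11234 for <victim@example.org>; "
    "Thu, 26 Jun 1997 10:52:37 -0400 (EDT)",
]


def audit(headers: List[str], my_address: str) -> Dict[str, List[str]]:
    """Map each Received: line to its findings, for sweeping a mailbox."""
    return {h: check_received(h, my_address) for h in headers}


if __name__ == "__main__":
    for hdr, found in audit(SAMPLE_HEADERS, "victim@example.org").items():
        print(hdr[:70] + "...")
        for item in found or ["no findings"]:
            print("   ", item)
```

Feed it Received: lines with their continuation lines joined first (RFC 822 folding puts one header across several physical lines, as in the examples above). Read the findings as evidence, not a verdict: a header that passes every check can still be forged, and a mismatched “for” address is also seen legitimately on list and alias deliveries.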
