Open Relay Spam

Consult our Open Relay FAQ if you are unsure what an Open Relay is or why spammers make use of them.

A typical Open Relay Spam looks like:

Return-Path: <erikalee@123india.com>
Received: from HCHINTERNET1.s2.redynet.com.ar (test.hch.com.ar [200.41.250.92])
        by mail.skywaywest.com (8.11.0/8.11.0) with ESMTP id fB7LxVQ07484
        for <postmaster@hr-online.com>; Fri, 7 Dec 2001 13:59:31 -0800
Message-Id: <200112072159.fB7LxVQ07484@mail.skywaywest.com>
Received: from inbound.123india.com.criticalpath.net (A010-1086.SKT3.splitrock.net
+[209.253.228.70]) by HCHINTERNET1.s2.redynet.com.ar with SMTP (Microsoft Exchange
+Internet Mail Service Version 5.5.2650.21)
          id X6QQXDG6; Fri, 7 Dec 2001 14:15:18 -0300
To: <cash@mail.skywaywest.com>
From: erikalee@123india.com
Subject: I just got a great job.
Date: Fri, 07 Dec 2001 09:06:02 -2000
MIME-Version: 1.0
Content-Type: text/html;
            charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Reply-To: erikalee@123india.com
Status: O
Content-Length: 1744
Lines: 38

[-- text/html is unsupported (use 'v' to view this part) --]
[body snipped]

To start reading this Spam, we look at the Received: headers, beginning at the top. As you learned in How Internet E-mail Systems send E-mail, each server that handles a message adds a Received: header at the top of it. Working downwards through the headers, we can trace the message back along the path it took.

The top Received: header was added by our mail server, in this case mail.skywaywest.com. This header tells us that we received the message from a server at the TCP/IP address 200.41.250.92. This server has a reverse DNS name of test.hch.com.ar, and called itself HCHINTERNET1.s2.redynet.com.ar when it said HELO to our server.

At this point, we are still not sure what kind of Spam we're looking at. The information provided by the remote server looks fairly legitimate, though: it has reverse DNS, and the HELO name is at least similar to the reverse DNS name. So we look further.

The next Received: header appears to have been created by a Microsoft Exchange server. Exchange servers are often set up as Open Relays, so we have our first clue about what happened. Keep in mind that this Spam could have come from a user on 200.41.250.92, and that this second Received: header could be forged. However, in this case it appears to be real; spammers rarely forge such believable headers, although it is possible. In any event, this server records that it received the mail from a system at the TCP/IP address 209.253.228.70, with a reverse DNS name of A010-1086.SKT3.splitrock.net, which gave a HELO name of inbound.123india.com.criticalpath.net.

We can now be pretty sure that this is an Open Relay Spam. Through experience we know that splitrock.net runs a dialup modem service using modems leased from Prodigy. The forged HELO name of inbound.123india.com.criticalpath.net is a classic spammer trick: the sending system has no apparent relationship with the relaying system. To be certain, we could run an Open Relay Test against the suspected Open Relay.

Most spammers abuse Open Relays using dial-up accounts. These accounts are known as throw-away accounts because the spammers know they will be shut down within a few days. They often use stolen credit cards to pay for the accounts. Chasing the dial-up accounts is sometimes compared to a game of whack-a-mole, since you know the spammer already has a new account set up and ready to go when this one gets terminated.

The sender of this Spam was at 209.253.228.70. They sent the mail to an Open Relay at 200.41.250.92 which forwarded the Spam to us.

We'll learn how to figure out who these belong to, and who to complain to, in later documents, as well as how to protect ourselves from this Spam in the future.

Forged and misleading information in the header:


Now for another Open Relay Spam. This one is a little more interesting and harder to read, both because of the path it takes and because of a Received: header forged by the spammer.

Return-Path: <gradus_owen@hotmail.com>
Received: from malaga.cofaran ([195.53.2.30])
        by mail.skywaywest.com (8.11.0/8.11.0) with ESMTP id fAS2TVa14405
        for <postmaster@skywaywest.com>; Tue, 27 Nov 2001 18:29:31 -0800
Received: from londres.cofaran (cfanet.cofaran.es [195.53.2.15]) by malaga.cofaran
+(8.8.8/SCO5) with SMTP id DAA12153; Wed, 28 Nov 2001 03:23:02 GMT
From: gradus_owen@hotmail.com
Received: from 208.187.142.128 by londres.cofaran (InterScan E-Mail VirusWall NT);
+Wed, 28 Nov 2001 03:26:53 +0100 (Hora estándar romance)
Received: (from uudp@lcl|lhost) by in2.|bm.net (8.6.9/8.6.9) id CFF569794 for suppressed; Tuesday, November 28, 2001
Message-ID: <0000583d7234$00005ecf$000063f1@>
To: <Undisclosed.Recipients@malaga.cofaran>
Subject: Now You Can Run A Background and Asset Search!!!
Date: Tue, 27 Nov 2001 16:02:33 -0800
X-Priority: 3
X-MSMail-Priority: Normal
Reply-To: gradus_owen@hotmail.com
Status: O
Content-Length: 2262
Lines: 56

[body snipped]

As before, we start with the top Received: header, which is created by our mail server. This header tells us that we received the message from a system at 195.53.2.30, with a HELO name of malaga.cofaran. This is not as obviously an Open Relay: the system has no reverse DNS, and the HELO name is not a valid Internet host name. It is quite possible this is the spammer. We would need to run an Open Relay Test of this system to be sure it is an Open Relay, but it's too soon to do that.

The next Received: header was created by the Open Relay. It claims it got the mail from 195.53.2.15, with a reverse DNS name of cfanet.cofaran.es and a HELO name of londres.cofaran.

The next Received: header is the most interesting. It was created by an InterScan virus scanner. This type of system often creates an Open Relay situation, because it is usually set up to receive mail and forward it to another mail server after scanning, and that mail server in turn is often set up to trust all mail coming from the virus scanner. The administrator may not realize the implications of this when setting it up.

For the moment, we assume this header is also real. We do an Open Relay Test of 195.53.2.15, the InterScan system, and wait a while for our test message to come back to us.

When it does, we know that we have found a multi-hop Open Relay: the Open Relay is at 195.53.2.15, reached via 195.53.2.30. Multi-hop relays can occur in a few ways. This is one; another is when a company has an Open Relay which is configured to relay all its outbound mail to an ISP's mail server for processing.

The next Received: header tells us the Spam was received from 208.187.142.128. The sender of the Spam was at that address.

The final Received: header was forged by the spammer to mislead us. It contains no useful information. As with most spammer forgeries, it's pretty clumsy.

Please send corrections or suggestions for improvements in this page to abuse@skywaywest.com