Examples of various types of headers

Is it actually "open proxy spam"? Let's check some headers and see.

This is the header from a spam sent through an open proxy.

Received: from C766835-A.cpe.abrn.al.charter.com (C766835-A.cpe.abrn.al.charter.com [68.184.69.253])
        by east1.mail-abuse.org (8.12.0.Beta19/8.12.0.Beta19) with SMTP id h469KE0D067163
        for ; Tue, 6 May 2003 02:20:29 -0700 (PDT)
Message-Id: <200305060920.h469KE0D067163@east1.mail-abuse.org>

The IP address of the open proxy is 68.184.69.253. east1.mail-abuse.org is the mail server that accepted the mail from this open proxy

Received: from piamail.net ([171.116.103.75])
        by kont.ru (8.8.3/8.8.3) with SMTP id 2634
        for ; Tue, 6 May 2003 03:09:59 -0700
Received: from [121.167.49.207] by efko.belgtts.ru via HTTP; Tue, 6 May 2003 03:09:57 -0700

These headers were added by the sender of the spam. They are not true "mail headers" and the IP addresses and hosts mentioned in these headers cannot be trusted as the originating IPs. The only IP address that you can be sure of is the IP address that connects to your mail server.

Because open proxies are not mail servers, they do not have the ability to record any information to be inserted into mail headers, such as the IP address that they received the mail from.

From: "Administrator" 
To: "" 
Subject: Corporate Killer COOL
X-Mailer: The Bat! (v1.61) UNREG / CD5BF9353B3B7091
MIME-Version: 1.0
Date: Tue, 6 May 2003 03:09:52 -0700
X-Md5-Body-Hash: 06b02e3a8d6d0d35de6801841bf6d404
Content-Transfer-Encoding: base64
Content-Type: text/plain;

The reverse DNS checks out, and 68.184.69.253 was tested and found to be an open proxy on port 1182. 68.184.69.253 is the open proxy.

It is also common to see headers that do not have any forged lines in them, and they look very similar to dial-up/direct-to-MX spam samples, with only 1 IP address in the headers (the IP that connected to your mail server). We suggest that you closely examine the IP address you suspect may be an open proxy and determine if it is a dynamically assigned IP address that would be better suited for a MAPS DULSM listing.

This is a good example of spam transmitted via an open proxy, with the forged "Received:from" lines clearly illustrated and commonly found in spam sent via open proxies. This is the *only* kind of spam that should be submitted to the MAPS OPS^SM.

This is the header from a direct-to-MX spam:

>Received: from smtp02.primenet.com (daemon@smtp02.primenet.com [206.165.6.132])
> by primenet.com (8.8.8/8.8.5) with ESMTP id PAA17783;
> Sun, 28 Mar 1999 15:28:55 -0700 (MST)
>From: ooooo6521@eastmail.com
>Received: (from daemon@localhost)
> by smtp02.primenet.com (8.8.8/8.8.8) id PAA28461;
> Sun, 28 Mar 1999 15:28:53 -0700 (MST)

Internal handoffs.

>Message-Id: <199903282228.PAA28461@smtp02.primenet.com>
>Received: from ppp1011.on.bellglobal.com(206.172.224.51), claiming to be 
>"mail.mia.machine"
> via SMTP by smtp02.primenet.com, id smtpd028334; Sun Mar 28 15:28:46 1999

206.172.224.51 connected to the smtp server and sent the email directly to the recipient; there is no open proxy. This is direct-to-MX spam, and this IP is in the MAPS DULSM. If you had been using the DULSM, this mail would have been blocked.

Please make your best effort to distinguish direct-to-MX spam from an open proxy. Do *not* submit this kind of spam to the MAPS OPS.

This is a header for a dialup-to-secure-mailserver spam:

>Return-Path: freetrial@flashmail.com
>Received: from smtp2.mindspring.com ([207.69.200.32] verified) by
>hercules.ultradesign.net (Stalker SMTP Server 1.8b3) with ESMTP id
>S.0000047129 for ; Sun, 16 May 1999 08:23:40 +0100

The spam was sent through Mindspring's mailserver. Mindspring's server is not open to relay, so the sender must be a Mindspring user.

>Received: from TStoerzbach (pool-207-205-235-130.dlls.grid.net
>[207.205.235.130])
> by smtp2.mindspring.com (8.8.5/8.8.5) with SMTP id DAA29517
> for ; Sun, 16 May 1999 03:21:21 -0400 (EDT)

This spammer was connected through a grid.net dialup; Mindspring leases POPs from grid.net.

This kind of spam should not be reported to the MAPS OPS.