So I get this e-mail with no subject, but the "From" name is the same as my
daughter. Only, of course, it isn't her. It's somethingtosell5678@aol.com.
Only it isn't that, either, when you look at the headers, it's:
Received: from Azzarmaster (ppp-178.11.triton.net
[216.65.178.11] (may be forged))
Now isn't that clever! triton.net has determined that the header
information *it* received may be forged! It is helpfully warning me that I
may be receiving spam! Really? How would it know? Is this, perhaps, an
open relay? And, if so, why is it open? Why isn't triton.net closing off
this type of abuse?
Well, let's look at the IP address, 216.65.178.11. Good old Samspade.org
can tell us that:
Trying whois -h whois.arin.net 216.65.178.11
Lucre, Inc. (NETBLK-LUCRE)
4011 Plainfield Ave
Grand Rapids, MI 49525
US
[...]
Coordinator:
Hale, Steve (SH1448-ARIN) steve@lucre.net
(616) 361-0128
OK, lucre.net certainly sounds like a domain name that a spammer would pick.
However, the information goes on:
Domain System inverse mapping provided by:
NS1.TRITON.NET 209.172.0.5
So let's be guessing that the header isn't actually forged at all. Perhaps
we are just supposed to give up looking when we see an indication of a
forged header, and not try to find out who actually sent this message. Or,
perhaps triton.net is simply going for plausible deniability: "Spam? Gee,
that's too bad. Bummer that the headers are forged, otherwise we could tell
who sent it."
rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade [Rob Slade via risks-digest Volume 21, Issue 71]
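As an added example (not part of the digest post), here is a small Python parser for sendmail-style Received: headers that pulls out the observed peer IP and the "(may be forged)" flag, so that a whois lookup is run against the address the receiving MTA actually saw rather than against any name in the header. It assumes the annotation follows sendmail's format; the sample headers are constructed around the one quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# sendmail-style clause "from HELO (reverse-dns [ip] (may be forged))": only the
# bracketed IP was observed by the receiving MTA; HELO and rDNS names are claims,
# and "(may be forged)" means the rDNS name did not resolve forward to that IP.
_FROM_CLAUSE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\(\s*(?P<rdns>[^\s\[\]()]+)?\s*"
    r"\[(?P<ip>[0-9.]+)\]\s*(?P<forged>\(may be forged\))?\s*\)", re.IGNORECASE)

@dataclass
class Hop:
    helo: str             # name announced in HELO/EHLO (sender-controlled)
    rdns: Optional[str]   # reverse-DNS name looked up by the receiver
    ip: str               # peer address as seen by the receiver
    may_be_forged: bool   # receiver could not confirm rdns -> ip

def parse_received(value: str) -> Optional[Hop]:
    """Parse the value of one Received: header; folded lines are joined."""
    m = _FROM_CLAUSE.search(" ".join(value.split()))
    if m is None:
        return None
    return Hop(m["helo"], m["rdns"], m["ip"], m["forged"] is not None)

def trace_hops(raw_headers: str) -> list[Hop]:
    """One Hop per Received: header, most recent first; handles folded lines."""
    values, current = [], None
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            current += " " + line.strip()   # unfold continuation line
            continue
        if current is not None:
            values.append(current)
        current = line[9:] if line.lower().startswith("received:") else None
    if current is not None:
        values.append(current)
    return [h for h in map(parse_received, values) if h is not None]

def origin_ip(hops: list[Hop]) -> Optional[str]:
    """Address to hand to whois: the oldest hop's observed IP, not its HELO name."""
    return hops[-1].ip if hops else None
# Constructed sample: the header quoted in the post, behind one local hop.
SAMPLE_HEADERS = (
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
    "\tby mx.example.org for <user@example.org>\n"
    "Received: from Azzarmaster (ppp-178.11.triton.net\n"
    "\t[216.65.178.11] (may be forged))\n"
)
```

Running `origin_ip(trace_hops(SAMPLE_HEADERS))` yields 216.65.178.11, the address the post goes on to look up, while the HELO name "Azzarmaster" and the forged-flagged reverse name are kept only as the sender's claims.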