Recognizing phish spam from exceedingly RFC compliant mailers

Here is how to tell if you were getting phish spam from a compromised server with an exceedingly RFC complaint mailers: you were getting email from addresses like service@park.funnel.revenuedirect.com.akadns.net.

What was going on is that paypal.us was a CNAME to that hostname. (I say was because paypal.us has since been changed to an A record and an MX to localhost., possibly because they got tired of being forged on phish spam.)

According to the RFCs, when a mailer encounters a domain or host name that is a CNAME, it is supposed to not merely follow the CNAME but rewrite the address itself to use the target of the CNAME instead of the CNAME, including when the CNAME is in the envelope origin address. However, few mailers are this picky and RFC compliant; most will not rewrite a MAIL FROM address to canonicalize a CNAME.

So when a phish spammer compromises a server with a normal mailer and sends out their spam with an envelope address of 'service@paypal.us', it shows up at your mailer (and possibly in your inbox) with that MAIL FROM. However, when they compromise a server with a picky mailer and do the same thing, their spam's origin address gets rewritten on the way through and you get the weird origin addresses.

Sidebar: who isn't that picky and who is

From some quick poking, it seems that neither postfix, qmail nor Microsoft Exchange's SMTP server is quite that picky. The latter case is amusing, because Exchange is one of the few mailers that insists that lines in the SMTP conversation be terminated with both CR and LF; if you send bare LFs, it ignores you.

Both ZMailer and (some) modern versions of Sendmail are that picky.