2007-08-20
Recognizing phish spam from exceedingly RFC compliant mailers
Here is how to tell if you were getting phish spam from a compromised server with an exceedingly RFC compliant mailer: you were getting email from addresses like service@park.funnel.revenuedirect.com.akadns.net.
What was going on is that paypal.us was a CNAME to that hostname.
(I say was because paypal.us has since been changed to an A record
and an MX to localhost, possibly because they got tired of being
forged on phish spam.)
According to the RFCs, when a mailer encounters a domain or host name
that is a CNAME, it is supposed to not merely follow the CNAME but
rewrite the address itself to use the target of the CNAME instead
of the CNAME, including when the CNAME is in the envelope origin
address. However, few mailers are this picky and RFC compliant; most
will not rewrite a MAIL FROM
address to canonicalize a CNAME.
So when a phish spammer compromises a server with a normal mailer and
sends out their spam with an envelope address of 'service@paypal.us',
it shows up at your mailer (and possibly in your inbox) with that MAIL
FROM. However, when they compromise a server with a picky mailer and do
the same thing, their spam's origin address gets rewritten on the way
through and you get the weird origin addresses.
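To make the rewriting concrete, here is the canonicalization step a picky mailer applies to the envelope sender, as an added example (my own code, not from any mailer mentioned here). The DNS tables are constructed snapshots of the two states described above, with placeholder IP addresses, standing in for a real resolver.

```python
"""Canonicalize an SMTP envelope (MAIL FROM) address by following CNAMEs,
as an RFC-picky mailer does.  Constructed sample data, not live DNS."""
from typing import Callable, Dict, Optional, Tuple

Record = Tuple[str, str]            # ("CNAME", target) or ("A", address)
Lookup = Callable[[str], Optional[Record]]

# Constructed zone snapshot: paypal.us while it was still a CNAME.
DNS_BEFORE: Dict[str, Record] = {
    "paypal.us.": ("CNAME", "park.funnel.revenuedirect.com.akadns.net."),
    "park.funnel.revenuedirect.com.akadns.net.": ("A", "192.0.2.10"),
}
# Constructed zone snapshot: after paypal.us became a plain A record.
DNS_AFTER: Dict[str, Record] = {
    "paypal.us.": ("A", "192.0.2.20"),
}

def _fqdn(name: str) -> str:
    """Normalize to lower-case, dot-terminated form for table lookups."""
    return name.lower().rstrip(".") + "."

def make_resolver(zone: Dict[str, Record]) -> Lookup:
    """Build a lookup function over a static (constructed) zone table."""
    return lambda name: zone.get(_fqdn(name))

def canonical_domain(domain: str, lookup: Lookup, max_hops: int = 8) -> str:
    """Follow the CNAME chain from `domain` and return the final name.
    Names that are not CNAMEs (A records, or unknown) are returned as-is.
    Raises ValueError on a CNAME loop or an over-long chain."""
    name = _fqdn(domain)
    seen = set()
    for _ in range(max_hops):
        rec = lookup(name)
        if rec is None or rec[0] != "CNAME":
            return name.rstrip(".")
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = _fqdn(rec[1])
    raise ValueError(f"CNAME chain from {domain} exceeds {max_hops} hops")

def canonicalize_mail_from(addr: str, lookup: Lookup) -> str:
    """Rewrite user@domain so the domain is the CNAME target.
    The null sender '<>' and malformed addresses are left untouched."""
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        return addr
    return f"{local}@{canonical_domain(domain, lookup)}"
```

A receiving mailer cannot undo this rewrite, but the same chain-following function run against a suspicious MAIL FROM domain tells you whether it is itself a CNAME target that a brand's name was pointing at.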
Sidebar: who isn't that picky and who is
From some quick poking, it seems that neither postfix, qmail nor Microsoft Exchange's SMTP server is quite that picky. The latter case is amusing, because Exchange is one of the few mailers that insists that lines in the SMTP conversation be terminated with both CR and LF; if you send bare LFs, it ignores you.
Both ZMailer and (some) modern versions of Sendmail are that picky.