Discussion:
what are these "X-Antiabuse" headers - and are they meaningful/useful?
Neil Taylor
2003-04-30 12:28:36 UTC
http://spamcop.net/sc?id=z87203612z016a81ccdb2ab54a51fd8814828245c1z

a number of Spams I have seen of late have had a set of header lines added
to them at some stage, eg

X-AntiAbuse: This header was added to track abuse, please include it with
any abuse report
X-AntiAbuse: Primary Hostname - 73.251.166.63
X-AntiAbuse: Originator/Caller UID/GID - [1 7] / [7 2]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2)
Gecko/545.2
X-Originating-Host: [134.96.252.225]; Wed, 30 Apr 2003 07:16:50 +0200
X-Owner: StE
X-Scanner: : exiscan for exim4 (http://duncanthrax.net/exiscan/)
*Lspuf3lzNKVqjmmgV*

what are they? Visiting http://duncanthrax.net/exiscan/ makes it look like
headers from a mail scanner -- is this a sign of a host forwarding mail
regardless, but adding tracing information?

Can it be trusted? Can it be used by SpamCop?
Would spammers simply add their own spoofed headers?
Berny
2003-04-30 12:31:30 UTC
Post by Neil Taylor
http://spamcop.net/sc?id=z87203612z016a81ccdb2ab54a51fd8814828245c1z
a number of Spams I have seen of late have had a set of header lines added
to them at some stage, eg
X-AntiAbuse: This header was added to track abuse, please include it with
any abuse report
X-AntiAbuse: Primary Hostname - 73.251.166.63
X-AntiAbuse: Originator/Caller UID/GID - [1 7] / [7 2]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2)
Gecko/545.2
X-Originating-Host: [134.96.252.225]; Wed, 30 Apr 2003 07:16:50 +0200
X-Owner: StE
X-Scanner: : exiscan for exim4 (http://duncanthrax.net/exiscan/)
*Lspuf3lzNKVqjmmgV*
what are they? Visiting http://duncanthrax.net/exiscan/ makes it look like
headers from a mail scanner -- is this a sign of a host forwarding mail
regardless, but adding tracing information?
Can it be trusted? Can it be used by SpamCop?
No, although it may on occasion really be what it purports to be.
Post by Neil Taylor
Would spammers simply add their own spoofed headers?
Precisely the problem, they could easily do that, and probably would if they
felt it served their purposes.

Berny
Michael Lefevre
2003-04-30 12:52:57 UTC
Post by Neil Taylor
http://spamcop.net/sc?id=z87203612z016a81ccdb2ab54a51fd8814828245c1z
a number of Spams I have seen of late have had a set of header lines added
to them at some stage, eg
X-AntiAbuse: This header was added to track abuse, please include it with
any abuse report
X-AntiAbuse: Primary Hostname - 73.251.166.63
X-AntiAbuse: Originator/Caller UID/GID - [1 7] / [7 2]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2)
Gecko/545.2
X-Originating-Host: [134.96.252.225]; Wed, 30 Apr 2003 07:16:50 +0200
X-Owner: StE
X-Scanner: : exiscan for exim4 (http://duncanthrax.net/exiscan/)
*Lspuf3lzNKVqjmmgV*
what are they? Visiting http://duncanthrax.net/exiscan/ makes it look like
headers from a mail scanner --
those bits are - the x-antiabuse are (quoting a mailing list):
"Inserted by the exim config standard with cpanel, a virtual hosting /
webserver control panel app"
Post by Neil Taylor
is this a sign of a host forwarding mail
regardless, but adding tracing information?
yes
Post by Neil Taylor
Can it be trusted?
if you can be sure that the headers were added by a server that you trust,
then yes, otherwise no.
Post by Neil Taylor
Can it be used by SpamCop?
Would spammers simply add their own spoofed headers?
no, and probably yes if spamcop did use them. Because the headers can't be
trusted always, and spamcop wouldn't know when it could trust them, they
can't be used.
--
Michael
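Michael's rule above ("trust them only if you can be sure which server added them") is the same logic a report tool has to apply: the only headers you can verify are the Received lines written by relays you operate, and everything else, X-AntiAbuse included, is a claim the sender could have typed in. The following is an added illustration, not code from anyone in this thread: it walks the Received chain newest-first through a set of relays assumed to be under your control, stops at the first hop you do not operate, and reports that hop's connecting IP as the verifiable origin, while any "Primary Hostname" value from X-AntiAbuse is listed separately and marked verified only if it names one of your own relays. The relay names (inbound.example.org, mx.example.net) and the sample message are constructed for the example.

```python
import re
import email
from email import policy

# Constructed sample message for this example (not a message from the thread).
# Header order is as a receiving MTA would see it: the newest Received line on top.
SAMPLE = """Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbound.example.org with ESMTP; Wed, 30 Apr 2003 07:20:00 +0200
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host.example.net
Received: from [198.51.100.7] (helo=client)
\tby mx.example.net with esmtp; Wed, 30 Apr 2003 07:16:50 +0200
X-AntiAbuse: Originator/Caller UID/GID - [1 7] / [7 2]
From: someone@example.com
To: you@example.org
Subject: test

body
"""

# IPv4 literal in brackets, as MTAs write the connecting address in Received lines
RECEIVED_FROM_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# the "by <host>" clause: the relay that wrote this Received line
RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
# the self-reported hostname inside an X-AntiAbuse header
PRIMARY_HOST = re.compile(r"Primary Hostname - (\S+)")


def verified_source_ip(msg, trusted_relays):
    """Return the IP the last trusted relay accepted the message from.

    Received lines are read top-down (newest first). As long as the line was
    written by a relay we operate, the 'from' address it recorded is a fact we
    can stand behind. The first line written by someone else ends the trusted
    chain; nothing below it is verifiable.
    """
    source = None
    for value in msg.get_all("Received", []):
        text = str(value)
        by = RECEIVED_BY.search(text)
        if by is None or by.group(1).lower() not in trusted_relays:
            break
        ip = RECEIVED_FROM_IP.search(text)
        if ip:
            source = ip.group(1)
    return source


def assess(raw_message, trusted_relays):
    """Separate the verifiable origin from the claims the message makes about itself."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    trusted = {h.lower() for h in trusted_relays}
    claims = []
    for value in msg.get_all("X-AntiAbuse", []):
        m = PRIMARY_HOST.search(str(value))
        if m:
            host = m.group(1).lower()
            # A claim is only as good as the relay that made it: mark it verified
            # solely when it names a relay we run ourselves.
            claims.append((host, host in trusted))
    return {
        "verified_source_ip": verified_source_ip(msg, trusted),
        "primary_host_claims": claims,
    }


if __name__ == "__main__":
    report = assess(SAMPLE, {"inbound.example.org", "mx.example.net"})
    print("verifiable origin:", report["verified_source_ip"])
    for host, ok in report["primary_host_claims"]:
        print("X-AntiAbuse claims", host, "-", "verified" if ok else "UNVERIFIED claim")
```

With both relays trusted the chain walks two hops and the verifiable origin is 198.51.100.7; trust only inbound.example.org and the chain stops after one hop at 192.0.2.10. In both cases the X-AntiAbuse "Primary Hostname" stays an unverified claim, which is exactly why a reporting service cannot act on it.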
Bill Hepler
2003-05-07 17:39:08 UTC
Post by Michael Lefevre
Post by Neil Taylor
http://spamcop.net/sc?id=z87203612z016a81ccdb2ab54a51fd8814828245c1z
a number of Spams I have seen of late have had a set of header lines added
to them at some stage, eg
X-AntiAbuse: This header was added to track abuse, please include it with
any abuse report
X-AntiAbuse: Primary Hostname - 73.251.166.63
X-AntiAbuse: Originator/Caller UID/GID - [1 7] / [7 2]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2)
Gecko/545.2
X-Originating-Host: [134.96.252.225]; Wed, 30 Apr 2003 07:16:50 +0200
X-Owner: StE
X-Scanner: : exiscan for exim4 (http://duncanthrax.net/exiscan/)
*Lspuf3lzNKVqjmmgV*
what are they? Visiting http://duncanthrax.net/exiscan/ makes it look like
headers from a mail scanner --
"Inserted by the exim config standard with cpanel, a virtual hosting /
webserver control panel app"
Post by Neil Taylor
is this a sign of a host forwarding mail
regardless, but adding tracing information?
yes
Post by Neil Taylor
Can it be trusted?
if you can be sure that the headers were added by a server that you trust,
then yes, otherwise no.
Sorry to jump in a dead thread... Someone discovered an open directory
at http://ralfhost7.com/ and particularly http://ralfhost7.com/bulker/bulkerstorm.zip

Have a look at the discussion...

<http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=68o8bvo6i7kdn4vhlk3co904i5h5motjbm%40thor.wirehub.nl&rnum=1&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3D68o8bvo6i7kdn4vhlk3co904i5h5motjbm%2540thor.wirehub.nl>

Spammy is using those precise headers. They're not to be trusted.