[AusNOG] Disturbing new spam trend?

Damien Gardner Jnr rendrag at rendrag.net
Wed Oct 7 09:49:34 EST 2015


The hostname is usually what the remote server sent in its HELO?  There's
often no reverse DNS being done for this part of the logs.  And then the
part in brackets is the actual IP address which connected to the daemon.

i.e.:
Damiens-MacBook-Pro:~ damien$ telnet echelon.pinegap.net 25
Trying 103.235.52.51...
Connected to echelon.pinegap.net.
Escape character is '^]'.
220 echelon.pinegap.net ESMTP Sendmail 8.14.4/8.14.4/Debian-4; Wed, 7 Oct
2015 09:46:10 +1100; (No UCE/UBE) logging access from:
[27.50.95.2](FAIL)-[27.50.95.2]
HELO elite.hacker.roflcopter
250 echelon.pinegap.net Hello [27.50.95.2], pleased to meet you
MAIL FROM:<damien.gardner at serversaustralia.com.au>
250 2.1.0 <damien.gardner at serversaustralia.com.au>... Sender ok
RCPT TO:<damien at echelon.pinegap.net>
250 2.1.5 <damien at echelon.pinegap.net>... Recipient ok
data
354 Enter mail, end with "." on a line by itself

Resulted in:

Received: from elite.hacker.roflcopter ([27.50.95.2])
        by echelon.pinegap.net (8.14.4/8.14.4/Debian-4) with SMTP id
t96MkApR011880
        for <damien at echelon.pinegap.net>; Wed, 7 Oct 2015 09:46:33 +1100

If you have end users relaying through you, you'll usually see their local
PC hostname being presented behind the IP of their DSL connection.


On 7 October 2015 at 09:35, Ross Wheeler <ausnog at rossw.net> wrote:

>
> I know spoofed headers have been around (almost) forever, but I had a call
> from a friend this morning who had received some malware.
>
> On looking through the headers, I noticed something that I find a little
> disturbing if I'm interpreting it right:
>
>
> Received: from ali-syd-1.albury.net.au (208.117.108.170) by
> BN1BFFO11FD024.mail.protection.outlook.com (10.58.144.87) with Microsoft
> SMTP Server (TLS) id 15.1.286.14 via Frontend Transport; Tue, 6 Oct 2015
> 10:43:53 +0000
>
> I suspect this may be a forged header, because I couldn't connect to
> 10.58.144.87 (even if BN1BFFO11FD024.mail.protection.outlook.com resolved
> to a 10.x address) - but I suppose it would be possible the mail server
> could be behind NAT, and report its own internal IP...
>
> The thing is, ali-syd-1.albury.net.au is NOT 208.117.108.170
>
> 208.117.108.170 is (currently) showing as another host:
> 170.108.117.208.in-addr.arpa domain name pointer mail.stridersports.com.
>
> Are spammers now getting sufficiently "crafty" to be changing PTR records
> to assist with the delivery of their spam and malware, or am I just being
> paranoid?
>
> (Has anyone else noticed this, or is it something you'd only notice if you
> were specifically looking for it?)
>
> R.
>



-- 

Damien Gardner Jnr
VK2TDG. Dip EE. GradIEAust
rendrag at rendrag.net -  http://www.rendrag.net/
--
We rode on the winds of the rising storm,
 We ran to the sounds of thunder.
We danced among the lightning bolts,
 and tore the world asunder
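The distinction drawn above, that the name in a Received line is whatever the peer said in HELO while only the bracketed or parenthesised address is what the receiving MTA actually observed, is exactly what a header parser has to encode. The following Python is an added example, not code from this thread or from the AusNOG list: it parses both Received headers quoted here (the Sendmail one and the Exchange Online one), separates the claimed name from the observed address, and compares the claim against a constructed reverse-DNS table (a stand-in for real PTR lookups so the script runs offline) and checks the "by" address against private address space. The single PTR entry reproduces the lookup result Ross reported; the helper names, the table itself and the sample headers are assumptions constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample input: the two Received headers quoted in this thread,
# one written by Sendmail (IP in square brackets) and one by Exchange Online
# (IP in parentheses). Both are folded across several lines as in real mail.
RECEIVED_SENDMAIL = """Received: from elite.hacker.roflcopter ([27.50.95.2])
        by echelon.pinegap.net (8.14.4/8.14.4/Debian-4) with SMTP id
        t96MkApR011880
        for <damien@echelon.pinegap.net>; Wed, 7 Oct 2015 09:46:33 +1100"""

RECEIVED_EXCHANGE = """Received: from ali-syd-1.albury.net.au (208.117.108.170) by
 BN1BFFO11FD024.mail.protection.outlook.com (10.58.144.87) with Microsoft
 SMTP Server (TLS) id 15.1.286.14 via Frontend Transport; Tue, 6 Oct 2015
 10:43:53 +0000"""

# Constructed stand-in for reverse DNS so the example runs offline. The only
# entry reproduces the PTR result reported in the thread; any address missing
# from the table is treated as "no PTR available".
PTR_TABLE: Dict[str, str] = {
    "208.117.108.170": "mail.stridersports.com",
}


@dataclass
class Hop:
    helo_name: str             # name the sender *claimed* in HELO/EHLO (untrusted)
    connecting_ip: str         # address the receiving MTA *observed* on the socket
    by_host: Optional[str]     # MTA that wrote this Received line
    by_ip: Optional[str]       # that MTA's own address, if it recorded one


# "from <helo> ([ip])" or "from <helo> (ip)": the name is free text supplied by
# the peer; the address in brackets/parentheses is what the MTA saw.
FROM_RE = re.compile(r"\bfrom\s+(\S+)\s+[\(\[]+\s*([0-9a-fA-F.:]+)\s*[\)\]]+")
# "by <host> (ip)"; Sendmail puts its version string in the parentheses instead,
# so the address group is optional and only matches something IP-shaped.
BY_RE = re.compile(r"\bby\s+(\S+)(?:\s+\(([0-9a-fA-F.:]+)\))?")


def unfold(header: str) -> str:
    """Join a folded RFC 5322 header onto a single line."""
    return " ".join(line.strip() for line in header.splitlines())


def parse_received(header: str) -> Hop:
    """Split one Received header into the claimed name and the observed addresses."""
    text = unfold(header)
    m_from = FROM_RE.search(text)
    m_by = BY_RE.search(text)
    if not m_from:
        raise ValueError("no 'from <name> (<ip>)' clause in Received header")
    return Hop(
        helo_name=m_from.group(1),
        connecting_ip=m_from.group(2),
        by_host=m_by.group(1) if m_by else None,
        by_ip=m_by.group(2) if m_by else None,
    )


def is_private(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local style addresses."""
    return ipaddress.ip_address(ip).is_private


def assess(hop: Hop, ptr_table: Dict[str, str] = PTR_TABLE) -> dict:
    """Compare what the sender claimed with what the MTA actually observed."""
    ptr = ptr_table.get(hop.connecting_ip)
    return {
        # None when no PTR is known. A mismatch on its own is common for
        # legitimate senders, so treat it as a signal to correlate, not a verdict.
        "helo_matches_ptr": (ptr == hop.helo_name) if ptr else None,
        # A private "by" address means the line was written behind NAT or by a
        # host not reachable at that address; an internal relay and a forged
        # header are both consistent with it.
        "by_ip_private": is_private(hop.by_ip) if hop.by_ip else None,
        "ptr": ptr,
    }


if __name__ == "__main__":
    for raw in (RECEIVED_SENDMAIL, RECEIVED_EXCHANGE):
        hop = parse_received(raw)
        print(f"claimed={hop.helo_name!r} observed={hop.connecting_ip} "
              f"by={hop.by_host} by_ip={hop.by_ip}")
        print("   ", assess(hop))
```

The useful output is the pairing of `claimed` and `observed` per hop: the first is free text from the peer and should never drive a trust decision, the second is the only value the writing MTA vouches for, and only the hops written by MTAs you control can be trusted at all, since anything earlier in the chain could have been inserted by the sender.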