[AusNOG] Disturbing new spam trend?

Andrew Jones aj at jonesy.com.au
Wed Oct 7 09:58:18 EST 2015


That's probably the default sendmail behaviour. By default, postfix 
does what Mark posted and shows both the hostname as sent in the 
HELO/EHLO, and the hostname as determined by the reverse DNS lookup, 
along with the source IP address seen.

Andrew


On 07.10.2015 09:49, Damien Gardner Jnr wrote:
> The hostname is usually what the remote server sent in its HELO? 
> There's often no reverse DNS being done for this part of the logs. 
> And then the part in brackets is the actual IP address which 
> connected
> to the daemon.
>
> i.e.:
>
> Damiens-MacBook-Pro:~ damien$ telnet echelon.pinegap.net 25
> Trying 103.235.52.51...
> Connected to echelon.pinegap.net.
> Escape character is '^]'.
> 220 echelon.pinegap.net ESMTP Sendmail 8.14.4/8.14.4/Debian-4; Wed, 7 Oct 2015 09:46:10 +1100; (No UCE/UBE) logging access from: [27.50.95.2](FAIL)-[27.50.95.2]
> HELO elite.hacker.roflcopter
> 250 echelon.pinegap.net Hello [27.50.95.2], pleased to meet you
> MAIL FROM:<damien.gardner at serversaustralia.com.au>
> 250 2.1.0 <damien.gardner at serversaustralia.com.au>... Sender ok
> RCPT TO:<damien at echelon.pinegap.net>
> 250 2.1.5 <damien at echelon.pinegap.net>... Recipient ok
> data
> 354 Enter mail, end with "." on a line by itself
>
> Resulted in:
>
> Received: from elite.hacker.roflcopter ([27.50.95.2])
>         by echelon.pinegap.net (8.14.4/8.14.4/Debian-4) with SMTP id t96MkApR011880
>         for <damien at echelon.pinegap.net>; Wed, 7 Oct 2015 09:46:33 +1100
>
> If you have end users relaying through you, you'll usually see their
> local PC hostname being presented behind the IP of their DSL
> connection.
>
> On 7 October 2015 at 09:35, Ross Wheeler <ausnog at rossw.net> wrote:
>
>> I know spoofed headers have been around (almost) forever, but I had 
>> a call from a friend this morning who had received some malware.
>>
>> On looking through the headers, I noticed something that I find a 
>> little disturbing if I'm interpreting it right:
>>
>> Received: from ali-syd-1.albury.net.au (208.117.108.170) by
>> BN1BFFO11FD024.mail.protection.outlook.com (10.58.144.87) with 
>> Microsoft SMTP Server (TLS) id 15.1.286.14 via Frontend Transport; 
>> Tue, 6 Oct 2015 10:43:53 +0000
>>
>> I suspect this may be a forged header, because I couldn't connect to 
>> 10.58.144.87 (even if BN1BFFO11FD024.mail.protection.outlook.com 
>> resolved to a 10.x address) - but I suppose it would be possible the 
>> mail server could be behind NAT, and report its own internal IP...
>>
>> The thing is, ali-syd-1.albury.net.au is NOT 208.117.108.170
>>
>> 208.117.108.170 is (currently) showing as another host:
>> 170.108.117.208.in-addr.arpa domain name pointer 
>> mail.stridersports.com.
>>
>> Are spammers now getting sufficiently "crafty" to be changing PTR 
>> records to assist with the delivery of their spam and malware, or am I 
>> just being paranoid?
>>
>> (Has anyone else noticed this, or is it something you'd only notice 
>> if you were specifically looking for it?)
>>
>> R.
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>
> --
>
> Damien Gardner Jnr
> VK2TDG. Dip EE. GradIEAust
> rendrag at rendrag.net -  http://www.rendrag.net/
> --
> We rode on the winds of the rising storm,
>  We ran to the sounds of thunder.
> We danced among the lightning bolts,
>  and tore the world asunder
>
>
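Checking a hop the way Damien and Andrew describe it, as an added example that is not code from anyone in the thread: the script unfolds a Received: header, parses the three "from" shapes quoted above (sendmail with no PTR, postfix or sendmail with a PTR name, Exchange Online with a bare IP), and flags a hop whose HELO name does not forward-resolve to the logged IP, whose IP has no PTR, or whose PTR fails forward confirmation. The sample headers are adapted from the thread and the DNS answers are constructed lookup tables so it runs offline: the address for ali-syd-1.albury.net.au is assumed (the thread only says it is not 208.117.108.170), mail.stridersports.com is assumed to forward-confirm, and the mx1.example.net hop is made up to show a clean result.

```python
"""Parse Received: headers and check the HELO name against the connecting IP.

Added example for this thread, not code from any of the posters. Sample headers
are adapted from the thread; DNS answers are constructed tables (assumed values).
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# "from" clause shapes that appear in the thread:
#   sendmail, no PTR:       from HELO ([1.2.3.4])
#   sendmail/postfix, PTR:  from HELO (ptr.name [1.2.3.4])   ("unknown" when none)
#   Exchange Online:        from HELO (1.2.3.4) by ...
FROM_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)\s+\("
    r"(?:(?P<ptr>[^\s\[\]()]+)\s+)?"
    r"\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?"
    r"(?:\s*\(may be forged\))?\)",
    re.IGNORECASE,
)
BY_RE = re.compile(
    r"\bby\s+(?P<by>\S+)"
    r"(?:\s+\(?\[?(?P<by_ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)?)?",
    re.IGNORECASE,
)

Hop = Dict[str, Optional[str]]


def parse_received(header: str) -> Optional[Hop]:
    """Unfold one Received: header and extract HELO name, PTR name, IP, receiver."""
    flat = re.sub(r"\s+", " ", header.strip())
    if flat.lower().startswith("received:"):
        flat = flat[len("received:"):].strip()
    m = FROM_RE.search(flat)
    if m is None:
        return None  # no "from" clause, e.g. a locally submitted message
    hop: Hop = {"helo": m.group("helo"), "ptr": m.group("ptr"),
                "ip": m.group("ip"), "by": None, "by_ip": None}
    if hop["ptr"] and hop["ptr"].lower() == "unknown":
        hop["ptr"] = None
    b = BY_RE.search(flat, m.end())
    if b:
        hop["by"], hop["by_ip"] = b.group("by"), b.group("by_ip")
    return hop


def assess_hop(hop: Hop, resolve_a: Callable[[str], List[str]],
               resolve_ptr: Callable[[str], Optional[str]]) -> List[str]:
    """Findings for one hop. The HELO name is whatever the client sent and the
    receiving MTA never verifies it; only the IP it logged can be checked."""
    findings: List[str] = []
    helo, ip = hop["helo"], hop["ip"]
    if ip not in resolve_a(helo):
        findings.append(f"HELO {helo} does not resolve to {ip}")
    ptr = resolve_ptr(ip)
    if ptr is None:
        findings.append(f"{ip} has no PTR record")
    else:
        if hop["ptr"] and hop["ptr"].lower() != ptr.lower():
            findings.append(f"PTR of {ip} is now {ptr}; header recorded {hop['ptr']}")
        if ip not in resolve_a(ptr):
            findings.append(f"PTR {ptr} does not resolve back to {ip} (FCrDNS fails)")
        if ptr.lower() != helo.lower():
            findings.append(f"HELO {helo} differs from PTR {ptr}")
    if hop["by_ip"] and ipaddress.ip_address(hop["by_ip"]).is_private:
        findings.append(f"receiver logged private address {hop['by_ip']}; not checkable from outside")
    return findings


def check_all(headers: List[str], resolve_a, resolve_ptr) -> Dict[str, List[str]]:
    """Map each parsed hop's connecting IP to its findings."""
    out: Dict[str, List[str]] = {}
    for h in headers:
        hop = parse_received(h)
        if hop:
            out[hop["ip"]] = assess_hop(hop, resolve_a, resolve_ptr)
    return out


# Sample headers adapted from the thread (the third is constructed, postfix style).
SAMPLE_HEADERS = [
    "Received: from ali-syd-1.albury.net.au (208.117.108.170) by\n"
    " BN1BFFO11FD024.mail.protection.outlook.com (10.58.144.87) with\n"
    " Microsoft SMTP Server (TLS) id 15.1.286.14 via Frontend Transport;\n"
    " Tue, 6 Oct 2015 10:43:53 +0000",
    "Received: from elite.hacker.roflcopter ([27.50.95.2])\n"
    "        by echelon.pinegap.net (8.14.4/8.14.4/Debian-4) with SMTP id t96MkApR011880\n"
    "        for <damien@echelon.pinegap.net>; Wed, 7 Oct 2015 09:46:33 +1100",
    "Received: from mx1.example.net (mx1.example.net [203.0.113.10])\n"
    "        by mail.example.org (Postfix) with ESMTPS id 4ABC123\n"
    "        for <user@example.org>; Wed, 7 Oct 2015 10:00:00 +1100",
]
# Constructed DNS tables standing in for real lookups. Assumed values: the A
# record for ali-syd-1 (thread only says it is not 208.117.108.170) and the
# forward record for mail.stridersports.com. elite.hacker.roflcopter has no A
# record and 27.50.95.2 no PTR, matching the "(FAIL)" in Damien's banner.
A_RECORDS = {"ali-syd-1.albury.net.au": ["192.0.2.10"],
             "mail.stridersports.com": ["208.117.108.170"],
             "mx1.example.net": ["203.0.113.10"]}
PTR_RECORDS = {"208.117.108.170": "mail.stridersports.com",
               "203.0.113.10": "mx1.example.net"}


def lookup_a(name: str) -> List[str]:
    return A_RECORDS.get(name.lower(), [])


def lookup_ptr(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)


if __name__ == "__main__":
    for ip, findings in check_all(SAMPLE_HEADERS, lookup_a, lookup_ptr).items():
        print(ip, findings or ["ok"])
```

Swapping the two tables for real resolvers is the only change needed to run this against live headers. The thing to keep in mind when reading the output is that the only datum you can rely on is the IP your own MTA logged; the HELO name to its left is a string the client chose, and a whole Received: line added by a server you do not control can say anything at all.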