<div dir="ltr">The hostname is usually what the remote server sent in its HELO? There's often no reverse DNS being done for this part of the logs. And then the part in brackets is the actual IP address which connected to the daemon.<div><br></div><div>i.e.:</div><div><div>Damiens-MacBook-Pro:~ damien$ telnet <a href="http://echelon.pinegap.net">echelon.pinegap.net</a> 25</div><div>Trying 103.235.52.51...</div><div>Connected to <a href="http://echelon.pinegap.net">echelon.pinegap.net</a>.</div><div>Escape character is '^]'.</div><div>220 <a href="http://echelon.pinegap.net">echelon.pinegap.net</a> ESMTP Sendmail 8.14.4/8.14.4/Debian-4; Wed, 7 Oct 2015 09:46:10 +1100; (No UCE/UBE) logging access from: [27.50.95.2](FAIL)-[27.50.95.2]</div><div>HELO elite.hacker.roflcopter</div><div>250 <a href="http://echelon.pinegap.net">echelon.pinegap.net</a> Hello [27.50.95.2], pleased to meet you</div><div>MAIL FROM:<<a href="mailto:damien.gardner@serversaustralia.com.au">damien.gardner@serversaustralia.com.au</a>></div><div>250 2.1.0 <<a href="mailto:damien.gardner@serversaustralia.com.au">damien.gardner@serversaustralia.com.au</a>>... Sender ok</div><div>RCPT TO:<<a href="mailto:damien@echelon.pinegap.net">damien@echelon.pinegap.net</a>></div><div>250 2.1.5 <<a href="mailto:damien@echelon.pinegap.net">damien@echelon.pinegap.net</a>>... Recipient ok</div><div>data</div><div>354 Enter mail, end with "." on a line by itself</div></div><div><br></div><div>Resulted in:</div><div><br></div><div><div>Received: from elite.hacker.roflcopter ([27.50.95.2])</div><div> by <a href="http://echelon.pinegap.net">echelon.pinegap.net</a> (8.14.4/8.14.4/Debian-4) with SMTP id t96MkApR011880</div><div> for <<a href="mailto:damien@echelon.pinegap.net">damien@echelon.pinegap.net</a>>; Wed, 7 Oct 2015 09:46:33 +1100</div></div><div><br></div><div>If you have end users relaying through you you'll usually see their local PC hostname being presented behind the IP of their DSL connection.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 7 October 2015 at 09:35, Ross Wheeler <span dir="ltr"><<a href="mailto:ausnog@rossw.net" target="_blank">ausnog@rossw.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
I know spoofed headers have been around (almost) forever, but I had a call from a friend this morning who had received some malware.<br>
<br>
On looking through the headers, I noticed something that I find a little disturbing if I'm interpreting it right:<br>
<br>
<br>
Received: from <a href="http://ali-syd-1.albury.net.au" rel="noreferrer" target="_blank">ali-syd-1.albury.net.au</a> (208.117.108.170) by<br>
<a href="http://BN1BFFO11FD024.mail.protection.outlook.com" rel="noreferrer" target="_blank">BN1BFFO11FD024.mail.protection.outlook.com</a> (10.58.144.87) with Microsoft SMTP Server (TLS) id 15.1.286.14 via Frontend Transport; Tue, 6 Oct 2015 10:43:53 +0000<br>
<br>
I suspect this may be a forged header, because I couldn't connect to 10.58.144.87 (even if <a href="http://BN1BFFO11FD024.mail.protection.outlook.com" rel="noreferrer" target="_blank">BN1BFFO11FD024.mail.protection.outlook.com</a> resolved to a 10.x address) - but I suppose it would be possible the mail server could be behind NAT, and report its own internal IP...<br>
<br>
The thing is, <a href="http://ali-syd-1.albury.net.au" rel="noreferrer" target="_blank">ali-syd-1.albury.net.au</a> is NOT 208.117.108.170<br>
<br>
208.117.108.170 is (currently) showing as another host:<br>
170.108.117.208.in-addr.arpa domain name pointer <a href="http://mail.stridersports.com" rel="noreferrer" target="_blank">mail.stridersports.com</a>.<br>
<br>
Are spammers now getting sufficiently "crafty" to be changing PTR records to assist with the delivery of their spam and malware, or am I just being paranoid?<br>
<br>
(Has anyone else noticed this, or is it something you'd only notice if you were specifically looking for it?)<br>
<br>
R.<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">
<p>Damien Gardner Jnr<br>VK2TDG. Dip EE. GradIEAust<br><a href="mailto:rendrag@rendrag.net" target="_blank">rendrag@rendrag.net</a> - <span><a href="http://www.rendrag.net/" target="_blank">http://www.rendrag.net/</a><u><br></u></span>--<br>We rode on the winds of the rising storm,<br> We ran to the sounds of thunder.<br>We danced among the lightning bolts,<br> and tore the world asunder</p></div></div>
</div>