[AusNOG] Disturbing new spam trend?
Ross Wheeler
ausnog at rossw.net
Wed Oct 7 09:35:50 EST 2015
I know spoofed headers have been around (almost) forever, but I had a call
from a friend this morning who had received some malware.
On looking through the headers, I noticed something that I find a little
disturbing if I'm interpreting it right:
Received: from ali-syd-1.albury.net.au (208.117.108.170) by
BN1BFFO11FD024.mail.protection.outlook.com (10.58.144.87) with Microsoft
SMTP Server (TLS) id 15.1.286.14 via Frontend Transport; Tue, 6 Oct 2015
10:43:53 +0000
I suspect this may be a forged header, because I couldn't connect to
10.58.144.87 (even if BN1BFFO11FD024.mail.protection.outlook.com resolved
to a 10.x address) - but I suppose it would be possible the mail server
could be behind NAT, and report its own internal IP...
The thing is, ali-syd-1.albury.net.au is NOT 208.117.108.170.
208.117.108.170 is (currently) showing as another host:
170.108.117.208.in-addr.arpa domain name pointer mail.stridersports.com.
Are spammers now getting sufficiently "crafty" to be changing PTR records
to assist with the delivery of their spam and malware, or am I just being
paranoid?
(Has anyone else noticed this, or is it something you'd only notice if you
were specifically looking for it?)
R.
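A way to check a hop like the one in the post mechanically, as an added example that is not code from the post or from AusNOG: parse the "from HELO (IP) by HOST (IP)" clause of the Received: header, then ask DNS three questions: does the HELO name resolve to the connecting IP, does the connecting IP's PTR forward-confirm (FCrDNS), and does that PTR sit under the domain the HELO name claims. The header used as sample input is the one quoted above; the DNS table is constructed so the script runs offline, with the PTR for 208.117.108.170 taken from the post and the other entries (the HELO name's assumed 203.0.113.10 address, the assumption that mail.stridersports.com forward-confirms) being assumptions for the demonstration. Swap in LiveResolver to query real DNS.

```python
"""Cross-check the hostname/IP pairs recorded in an SMTP Received: header.

Added example, not code from the original post. Sample header is the one quoted
in the post; FakeResolver is a constructed DNS table so the script runs offline.
"""
import ipaddress
import re
import socket

# Sample input: the Received: header quoted in the post, re-joined onto one line.
SAMPLE_RECEIVED = (
    "Received: from ali-syd-1.albury.net.au (208.117.108.170) by "
    "BN1BFFO11FD024.mail.protection.outlook.com (10.58.144.87) with Microsoft "
    "SMTP Server (TLS) id 15.1.286.14 via Frontend Transport; Tue, 6 Oct 2015 "
    "10:43:53 +0000"
)

# Matches the "from HELO (IP) by HOST (IP)" clause found in most Received: headers.
_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<ip>[0-9a-fA-F.:]+)\)\s+"
    r"by\s+(?P<by>\S+)\s+\((?P<by_ip>[0-9a-fA-F.:]+)\)"
)


def parse_received(header):
    """Return HELO name, connecting IP, receiving host and its IP; ValueError if unparseable."""
    m = _RECEIVED_RE.search(" ".join(header.split()))  # fold continuation lines
    if not m:
        raise ValueError("unrecognised Received: header layout")
    return m.groupdict()


class FakeResolver:
    """Constructed DNS table for offline use (assumptions marked inline)."""
    A = {
        "ali-syd-1.albury.net.au": {"203.0.113.10"},   # assumed: TEST-NET-3 placeholder
        "mail.stridersports.com": {"208.117.108.170"},  # assumed: the PTR forward-confirms
    }
    PTR = {
        "208.117.108.170": {"mail.stridersports.com"},  # PTR as reported in the post
    }

    def forward(self, name):
        return set(self.A.get(name.lower().rstrip("."), ()))

    def reverse(self, ip):
        return set(self.PTR.get(ip, ()))


class LiveResolver:
    """Same interface against the system resolver; not used by the offline run."""
    def forward(self, name):
        try:
            return set(socket.gethostbyname_ex(name)[2])
        except socket.gaierror:
            return set()

    def reverse(self, ip):
        try:
            return {socket.gethostbyaddr(ip)[0]}
        except (socket.herror, socket.gaierror):
            return set()


def check_received(header, resolver):
    """Cross-check one hop against DNS and return a dict of findings.

    A HELO name that does not resolve to the connecting IP is common for legitimate
    mail (outbound relays, multihomed hosts), so the stronger signals are whether the
    IP's PTR forward-confirms and whether it lives under the HELO name's parent domain.
    """
    r = parse_received(header)
    ip = ipaddress.ip_address(r["ip"])
    by_ip = ipaddress.ip_address(r["by_ip"])

    helo_addrs = resolver.forward(r["helo"])
    ptr_names = sorted(n.lower().rstrip(".") for n in resolver.reverse(str(ip)))
    fcrdns = any(str(ip) in resolver.forward(n) for n in ptr_names)

    # Heuristic: strip the host label to get the parent domain (no public-suffix handling).
    helo_parent = ".".join(r["helo"].lower().split(".")[1:])
    ptr_under_helo = any(n == helo_parent or n.endswith("." + helo_parent) for n in ptr_names)

    return {
        "helo": r["helo"],
        "ip": str(ip),
        "helo_resolves_to_ip": str(ip) in helo_addrs,
        "ptr_names": ptr_names,
        "fcrdns": fcrdns,
        "ptr_under_helo_domain": ptr_under_helo,
        # A 10.x address on the receiving side is consistent with NAT; it proves nothing alone.
        "by_ip_private": by_ip.is_private,
    }


if __name__ == "__main__":
    for key, value in check_received(SAMPLE_RECEIVED, FakeResolver()).items():
        print(f"{key}: {value}")
```

With the constructed table the run reports the same picture the post describes: the HELO name does not resolve to 208.117.108.170, the IP's PTR is mail.stridersports.com, which is not under albury.net.au, and the receiving host recorded a private address. Note that a PTR record is served from the reverse zone for the netblock, so changing it needs control of that delegation, not just of the sending host; a mismatch between HELO and PTR is far more often a plain forged or sloppy HELO than a rewritten PTR.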