[AusNOG] Disturbing new spam trend?

Mark Foster blakjak at blakjak.net
Wed Oct 7 09:49:15 EST 2015


The hostname next to the bracketed IP address is often the hostname 
given during HELO/EHLO and has no relationship to DNS at all.

Expanding the headers of your very email:

Received: from ali-syd-1.albury.net.au[1] (ali-syd-1.albury.net.au[2] [202.3.36.15][3])
  by mail.albury.net.au (8.13.6/8.13.6) with ESMTP id t96MZoKR066125
  for <ausnog at ausnog.net>; Wed, 7 Oct 2015 09:35:52 +1100 (EST)
  (envelope-from ausnog at rossw.net)

[1] is HELO/EHLO
[2] is DNS Hostname
[3] is IP address

If you went back and traced the SMTP transaction I would hope that'd be what you would see.
I haven't been primarily focused on email for a couple of years now but that was always my recollection...

So the mailserver is re-using the HELO/EHLO that it received from an earlier transaction? That does seem like odd behavior, but it's not DNS spoofing.

Mark.



On 7/10/2015 11:35 a.m., Ross Wheeler wrote:
>
> I know spoofed headers have been around (almost) forever, but I had a 
> call from a friend this morning who had received some malware.
>
> On looking through the headers, I noticed something that I find a 
> little disturbing if I'm interpreting it right:
>
>
> Received: from ali-syd-1.albury.net.au (208.117.108.170) by
> BN1BFFO11FD024.mail.protection.outlook.com (10.58.144.87) with 
> Microsoft SMTP Server (TLS) id 15.1.286.14 via Frontend Transport; 
> Tue, 6 Oct 2015 10:43:53 +0000
>
> I suspect this may be a forged header, because I couldn't connect to 
> 10.58.144.87 (even if BN1BFFO11FD024.mail.protection.outlook.com 
> resolved to a 10.x address) - but I suppose it would be possible the 
> mail server could be behind NAT, and report its own internal IP...
>
> The thing is, ali-syd-1.albury.net.au is NOT 208.117.108.170
>
> 208.117.108.170 is (currently) showing as another host:
> 170.108.117.208.in-addr.arpa domain name pointer mail.stridersports.com.
>
> Are spammers now getting sufficiently "crafty" to be changing PTR 
> records to assist with the delivery of their spam and malware, or am I 
> just being paranoid?
>
> (Has anyone else noticed this, or is it something you'd only notice if 
> you were specifically looking for it?)
>
> R.
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
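Added example (not from either post in this thread): a small parser that pulls the three pieces Mark labels [1], [2] and [3] out of a Received header, for both the sendmail layout "from HELO (RDNS [IP])" and the Exchange layout "from HELO (IP)", and then runs the two checks an admin would want from this thread: does the HELO name match the PTR-derived name, and did the relay record a private address. The sample headers are reconstructed from the ones quoted above; the flag names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Client side of a Received header, two common layouts:
#   sendmail:  "from HELO (RDNS [IP])"   -> HELO, PTR-derived name, IP
#   Exchange:  "from HELO (IP)"          -> HELO, IP (no PTR name recorded)
_SENDMAIL_RE = re.compile(r"^from\s+(\S+)\s+\((\S+)\s+\[(?:IPv6:)?([0-9a-fA-F.:]+)\]\)", re.I)
_EXCHANGE_RE = re.compile(r"^from\s+(\S+)\s+\(([0-9a-fA-F.:]+)\)", re.I)
# Receiving MTA when it records its own address: "by NAME (IP)"
_BY_RE = re.compile(r"\bby\s+(\S+)\s+\(([0-9a-fA-F.:]+)\)", re.I)

@dataclass
class ReceivedHop:
    helo: str                    # name the client claimed in HELO/EHLO (never verified)
    rdns: Optional[str]          # name the receiving MTA got from the PTR lookup, if recorded
    ip: str                      # connecting IP as seen by the receiving MTA
    by_ip: Optional[str] = None  # receiving MTA's own address, if it wrote one

def parse_received(header: str) -> Optional[ReceivedHop]:
    """Parse one Received header (continuation lines allowed); None if layout unknown."""
    text = " ".join(header.split())                      # unfold the header
    text = re.sub(r"^Received:\s*", "", text, flags=re.I)
    by = _BY_RE.search(text)
    by_ip = by.group(2) if by else None
    m = _SENDMAIL_RE.match(text)
    if m:
        return ReceivedHop(m.group(1), m.group(2), m.group(3), by_ip)
    m = _EXCHANGE_RE.match(text)
    if m:
        return ReceivedHop(m.group(1), None, m.group(2), by_ip)
    return None

def hop_flags(hop: ReceivedHop) -> list[str]:
    """HELO vs PTR-name cross-check, plus a note when the relay wrote a private address."""
    flags = []
    if hop.rdns is None:
        flags.append("no-rdns-recorded")   # HELO cannot be cross-checked from this hop alone
    elif hop.helo.lower().rstrip(".") != hop.rdns.lower().rstrip("."):
        flags.append("helo-rdns-mismatch")
    if hop.by_ip and ipaddress.ip_address(hop.by_ip).is_private:
        flags.append("private-relay-ip")   # normal behind NAT, but worth noting
    return flags

# Samples constructed from the two headers quoted in this thread.
SENDMAIL_HOP = ("Received: from ali-syd-1.albury.net.au (ali-syd-1.albury.net.au [202.3.36.15])\n"
                "  by mail.albury.net.au (8.13.6/8.13.6) with ESMTP id t96MZoKR066125\n"
                "  for <ausnog@ausnog.net>; Wed, 7 Oct 2015 09:35:52 +1100 (EST)")
EXCHANGE_HOP = ("Received: from ali-syd-1.albury.net.au (208.117.108.170) by\n"
                " BN1BFFO11FD024.mail.protection.outlook.com (10.58.144.87) with\n"
                " Microsoft SMTP Server (TLS) id 15.1.286.14 via Frontend Transport;\n"
                " Tue, 6 Oct 2015 10:43:53 +0000")
```

Only the hop written by a server you control is trustworthy; every earlier Received line is whatever the sending side chose to put there.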


