[AusNOG] Disturbing new spam trend?
Mark Foster
blakjak at blakjak.net
Wed Oct 7 09:49:15 EST 2015
The hostname next to the bracketed IP address is often the hostname
given during HELO/EHLO and has no relationship to DNS at all.
Expanding the headers of your very email:
Received: from ali-syd-1.albury.net.au[1] (ali-syd-1.albury.net.au[2] [202.3.36.15][3])
by mail.albury.net.au (8.13.6/8.13.6) with ESMTP id t96MZoKR066125
for <ausnog at ausnog.net>; Wed, 7 Oct 2015 09:35:52 +1100 (EST)
(envelope-from ausnog at rossw.net)
[1] is HELO/EHLO
[2] is DNS Hostname
[3] is IP address
If you went back and traced the SMTP transaction I would hope that'd be what you would see.
I haven't been primarily focused on email for a couple of years now but that was always my recollection...
So the mailserver is re-using the HELO/EHLO that it received from an earlier transaction? That does seem like odd behavior, but it's not DNS spoofing.
Mark.
On 7/10/2015 11:35 a.m., Ross Wheeler wrote:
>
> I know spoofed headers have been around (almost) forever, but I had a
> call from a friend this morning who had received some malware.
>
> On looking through the headers, I noticed something that I find a
> little disturbing if I'm interpreting it right:
>
>
> Received: from ali-syd-1.albury.net.au (208.117.108.170) by
> BN1BFFO11FD024.mail.protection.outlook.com (10.58.144.87) with
> Microsoft SMTP Server (TLS) id 15.1.286.14 via Frontend Transport;
> Tue, 6 Oct 2015 10:43:53 +0000
>
> I suspect this may be a forged header, because I couldn't connect to
> 10.58.144.87 (even if BN1BFFO11FD024.mail.protection.outlook.com
> resolved to a 10.x address) - but I suppose it would be possible the
> mail server could be behind NAT, and report its own internal IP...
>
> The thing is, ali-syd-1.albury.net.au is NOT 208.117.108.170
>
> 208.117.108.170 is (currently) showing as another host:
> 170.108.117.208.in-addr.arpa domain name pointer mail.stridersports.com.
>
> Are spammers now getting sufficiently "crafty" to be changing PTR
> records to assist with the delivery of their spam and malware, or am I
> just being paranoid?
>
> (Has anyone else noticed this, or is it something you'd only notice if
> you were specifically looking for it?)
>
> R.
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
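Mark's breakdown of the three fields, turned into an offline checker (an added example, not code from the list or either poster). It parses both the sendmail-style "from HELO (rDNS [IP])" clause and the Exchange-style "from HELO (IP)" clause seen in the thread, then compares the HELO name, the logged reverse name and the connecting IP; the forward-lookup table is constructed, and the A record assumed for mail.stridersports.com is a guess, since only its PTR appears above.

```python
import re
from typing import Optional

# Sendmail-style clause, the form annotated [1][2][3] above: "from HELO (RDNS [IP])".
SENDMAIL_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9.]+)\]\)"
)
# Exchange-style clause: "from HELO (IP)". No reverse name is recorded at all.
EXCHANGE_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<ip>[0-9.]+)\)")


def parse_received(header: str) -> Optional[dict]:
    """Return {'helo', 'rdns', 'ip'} from the 'from' clause, or None if unparsable (IPv4 only)."""
    unfolded = " ".join(header.split())  # join continuation lines
    m = SENDMAIL_RE.search(unfolded) or EXCHANGE_RE.search(unfolded)
    if not m:
        return None
    fields = m.groupdict()
    fields.setdefault("rdns", None)  # Exchange form has no rDNS group
    return fields


def assess(header: str, forward: dict) -> dict:
    """Classify one Received header against an offline {hostname: [ips]} table.

    The HELO name is free text chosen by the client, so a HELO/IP mismatch on
    its own is a weak signal. A logged reverse name that does not resolve back
    to the connecting IP (failed forward-confirmed rDNS) is the stronger one.
    """
    p = parse_received(header)
    if p is None:
        return {"parsed": False}
    helo, rdns, ip = p["helo"], p["rdns"], p["ip"]
    return {
        "parsed": True, "helo": helo, "rdns": rdns, "ip": ip,
        "helo_matches_ip": ip in forward.get(helo, []),
        "fcrdns_ok": bool(rdns) and ip in forward.get(rdns, []),
        "helo_equals_rdns": rdns is not None and helo.lower() == rdns.lower(),
    }


# Sample headers copied from the thread (footnote markers removed).
SAMPLE_SENDMAIL = """Received: from ali-syd-1.albury.net.au (ali-syd-1.albury.net.au [202.3.36.15])
 by mail.albury.net.au (8.13.6/8.13.6) with ESMTP id t96MZoKR066125
 for <ausnog at ausnog.net>; Wed, 7 Oct 2015 09:35:52 +1100 (EST)"""
SAMPLE_EXCHANGE = """Received: from ali-syd-1.albury.net.au (208.117.108.170) by
 BN1BFFO11FD024.mail.protection.outlook.com (10.58.144.87) with
 Microsoft SMTP Server (TLS) id 15.1.286.14 via Frontend Transport;
 Tue, 6 Oct 2015 10:43:53 +0000"""
# Constructed stand-in for A-record lookups; the stridersports entry is assumed.
FORWARD = {"ali-syd-1.albury.net.au": ["202.3.36.15"],
           "mail.stridersports.com": ["208.117.108.170"]}
```

Run `assess(SAMPLE_EXCHANGE, FORWARD)` and the result shows the HELO name neither matches the connecting IP nor has any reverse name to confirm, which is exactly the gap Ross spotted and Mark's point explains.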