[AusNOG] Disturbing new spam trend?

Ross Wheeler ausnog at rossw.net
Wed Oct 7 09:56:53 EST 2015



> The hostname next to the bracketed IP address, is often the hostname given 
> during HELO/EHLO and has no relationship to DNS at all.

*facepalm*. Thanks. I knew that. I'm having a very distracted morning.


> If you went back and traced the SMTP transaction I would hope that'd be what 
> you would see.

I only got a screen-shot of the message from the person who received it.
This was all in the (alleged) "diagnostics" from Microsoft when they 
rejected it. I couldn't get (and he's now deleted) the message.

> So the mailserver is re-using the HELO/EHLO that it received from an earlier 
> transaction? That does seem like odd behavior, but it's not DNS spoofing.

I should just add - the above was one header from the chain, my server 
wasn't actually involved anywhere in the process - as source, relay or 
destination (except as final destination for the bounce).

Thanks guys.
R.
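The point raised in the thread, that the name next to the bracketed IP in a Received header is the client's own HELO/EHLO string while only the bracketed address is something the receiving MTA actually observed, can be checked mechanically. Below is an added example, not code from the original post or from the AusNOG thread, that parses the "from HELO (rDNS [IP])" clause written by Postfix- and Sendmail-style MTAs and reports which of the three fields is verified. The sample headers are constructed for this example (RFC 5737 documentation addresses, invented hostnames); Exim and Exchange lay the clause out differently and are not handled here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches the "from HELO (rDNS [IP])" clause that Postfix and Sendmail write.
#   HELO : whatever the connecting client said in HELO/EHLO (untrusted input)
#   rDNS : the receiving MTA's PTR lookup of the peer, "unknown" if none
#   IP   : the TCP peer address, the only part the MTA observed directly
# Assumption: the rDNS name, if present, immediately precedes the bracketed
# address; an optional "IPv6:" prefix inside the brackets is tolerated.
_FROM_RE = re.compile(
    r"^\s*from\s+(?P<helo>\S+)\s*"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s*)?\[(?:IPv6:)?(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)


@dataclass
class ReceivedFrom:
    helo: str                    # client-supplied, never verified by the MTA
    reverse_dns: Optional[str]   # MTA's PTR result, None when "unknown"/absent
    ip: str                      # peer address as seen by the MTA


def parse_received_from(header: str) -> Optional[ReceivedFrom]:
    """Extract the 'from' clause of one Received header, or None if absent
    (e.g. a 'Received: by ...' line written for locally submitted mail)."""
    body = header
    if header.lower().startswith("received:"):
        body = header.split(":", 1)[1]
    body = " ".join(body.split())        # unfold RFC 5322 continuation lines
    m = _FROM_RE.match(body)
    if not m:
        return None
    rdns = m.group("rdns")
    if rdns is None or rdns.lower() == "unknown":
        rdns = None
    return ReceivedFrom(helo=m.group("helo"), reverse_dns=rdns, ip=m.group("ip"))


def helo_is_verified(rf: ReceivedFrom) -> bool:
    """True only when the client's HELO equals the MTA's own PTR result.

    False is common for perfectly legitimate mail and is NOT evidence of DNS
    spoofing: HELO is simply whatever the client chose to say, and an MTA that
    reuses a HELO from an earlier transaction produces the same picture."""
    return rf.reverse_dns is not None and rf.helo.lower() == rf.reverse_dns.lower()


# Constructed sample headers (not taken from the thread) covering the cases
# discussed: no PTR, a HELO that disagrees with the PTR, and a matching pair.
SAMPLE_HEADERS = [
    "Received: from mail.example.org (unknown [203.0.113.5])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 4ABCDEF\n"
    "\tfor <user@example.net>; Wed,  7 Oct 2015 09:40:12 +1100 (AEDT)",
    "Received: from bogus.invalid (host5.example.org [203.0.113.5])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 4ABCDF0; "
    "Wed,  7 Oct 2015 09:41:03 +1100 (AEDT)",
    "Received: from relay.example.com (relay.example.com [IPv6:2001:db8::7])\n"
    "\tby mx.example.net (Postfix) with ESMTPS id 4ABCDF1; "
    "Wed,  7 Oct 2015 09:42:44 +1100 (AEDT)",
    "Received: by mx.example.net (Postfix, from userid 1000) id 4ABCDF2; "
    "Wed,  7 Oct 2015 09:43:10 +1100 (AEDT)",
]


def describe(header: str) -> str:
    """One-line verdict suitable for eyeballing a header chain."""
    rf = parse_received_from(header)
    if rf is None:
        return "no 'from' clause (local submission or unsupported MTA format)"
    if rf.reverse_dns is None:
        return f"peer {rf.ip} has no PTR; HELO {rf.helo!r} is unverified client input"
    if helo_is_verified(rf):
        return f"HELO matches PTR {rf.reverse_dns} for peer {rf.ip}"
    return (f"HELO {rf.helo!r} differs from PTR {rf.reverse_dns!r} for peer {rf.ip}; "
            f"client-chosen name, not a DNS problem")


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(describe(h))
```

Only `ip` in the result reflects something the receiving MTA actually saw; treat `helo` the way you would treat any other attacker-controlled string, and use `reverse_dns` only as far as you trust the MTA that performed the lookup.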

