[AusNOG] Disturbing new spam trend?

Scott Howard scott at doc.net.au
Wed Oct 7 11:13:12 EST 2015


The next header in the chain will reveal all.  Is there a reason you didn't
include it?

  Scott



On Tue, Oct 6, 2015 at 3:35 PM, Ross Wheeler <ausnog at rossw.net> wrote:

>
> I know spoofed headers have been around (almost) forever, but I had a call
> from a friend this morning who had received some malware.
>
> On looking through the headers, I noticed something that I find a little
> disturbing if I'm interpreting it right:
>
>
> Received: from ali-syd-1.albury.net.au (208.117.108.170) by
> BN1BFFO11FD024.mail.protection.outlook.com (10.58.144.87) with Microsoft
> SMTP Server (TLS) id 15.1.286.14 via Frontend Transport; Tue, 6 Oct 2015
> 10:43:53 +0000
>
> I suspect this may be a forged header, because I couldn't connect to
> 10.58.144.87 (even if BN1BFFO11FD024.mail.protection.outlook.com resolved
> to a 10.x address) - but I suppose it would be possible the mail server
> could be behind NAT, and report its own internal IP...
>
> The thing is, ali-syd-1.albury.net.au is NOT 208.117.108.170
>
> 208.117.108.170 is (currently) showing as another host:
> 170.108.117.208.in-addr.arpa domain name pointer mail.stridersports.com.
>
> Are spammers now getting sufficiently "crafty" to be changing PTR records
> to assist with the delivery of their spam and malware, or am I just being
> paranoid?
>
> (Has anyone else noticed this, or is it something you'd only notice if you
> were specifically looking for it?)
>
> R.
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20151006/a43e820b/attachment.html>


More information about the AusNOG mailing list