[AusNOG] Disturbing new spam trend?

Mark Stewart mark at nabc.com.au
Wed Oct 7 11:40:53 EST 2015


I came across something similar yesterday where mail was sent claiming to be a client's e-mail address but all the e-mail header information was wrong.

In this screenshot, the user-agent is identical. In the case of my client's spam mail, I noticed the timezone information was vastly out and the spoofed IP address claiming to be their mail server was from Johannesburg.

Another trend I see is DNS spoofing, where the SMTP client connecting to servers claims its address to be something like xyz.abcaddress.com and, when you perform a lookup on that address, it resolves to localhost. By default, many Linux systems automatically relay localhost mail so when the mail server performs a lookup, it sees localhost and automatically relays the mail.

Regards,

Mark Stewart



-----Original Message-----
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Ross Wheeler
Sent: Wednesday, 7 October 2015 8:29 AM
To: ausnog at ausnog.net
Subject: Re: [AusNOG] Disturbing new spam trend?


On Tue, 6 Oct 2015, Scott Howard wrote:

> The next header in the chain will reveal all.  Is there a reason you 
> didn't include it?

Only that it was a screen-shot and I didn't feel like typing it ALL back in :)

Here it is, with only a few bits obfuscated to preserve the recipient's identity.

http://support.rossw.net/spam-7oct2015.gif

Things worthy of pointing out:
1. The alleged sender doesn't use Thunderbird.
2. My mail server doesn't have a timezone of +0100
3. None of the mail IDs that claim to be associated with this appear in my maillogs
4. No mail to or from this domain was offered to, received by or sent from my mail server within 24 hours of this time.

I wasn't so much concerned about the spam itself, as I was about something I haven't previously observed.

R.
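
The checks listed in the quoted message (timezone offset and mail IDs on a Received line that claims to come from your own server) can be automated. The following is an added example, not part of the original posts; the hostnames, queue IDs, addresses, accepted offsets and the function name audit_received are all assumptions made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: every hostname, IP, queue ID and address is made up.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.recipient.example (Postfix) with ESMTP id 4A1B2C3D4E
\tfor <user@recipient.example>; Wed, 7 Oct 2015 08:12:03 +1100
Received: from [10.0.0.5] (unknown [198.51.100.7])
\tby mail.myserver.example (Postfix) with ESMTP id 9F8E7D6C5B
\tfor <user@recipient.example>; Tue, 6 Oct 2015 22:11:40 +0100
From: someone@myserver.example
User-Agent: Mozilla/5.0 Thunderbird/38.2.0
Subject: constructed sample

body
"""

# Pulls the "by <host>" and "id <queue-id>" tokens out of one Received header.
BY_ID = re.compile(r"\bby\s+(\S+).*?\bid\s+(\S+?)[;\s]", re.S)

def audit_received(raw, my_host, my_utc_offsets, logged_ids):
    """Return [(queue_id, [reasons])] for Received hops that claim to have been
    written by my_host but contradict what that server could have logged.
    my_utc_offsets: set of timedelta offsets the server really stamps with.
    logged_ids: set of queue IDs extracted from the server's own mail log."""
    findings = []
    for hop in message_from_string(raw).get_all("Received", []):
        m = BY_ID.search(hop)
        if not m or m.group(1).lower() != my_host.lower():
            continue  # this hop does not claim to be our server
        queue_id, reasons = m.group(2), []
        try:
            stamp = parsedate_to_datetime(hop.rpartition(";")[2].strip())
        except (TypeError, ValueError):
            findings.append((queue_id, ["unparseable Received date"]))
            continue
        if stamp.utcoffset() not in my_utc_offsets:
            reasons.append("timezone %s never used by this server" % stamp.strftime("%z"))
        if queue_id not in logged_ids:
            reasons.append("queue id not present in mail log")
        if reasons:
            findings.append((queue_id, reasons))
    return findings
```

A hop that names your server but fails both checks was written by someone else; a hop that fails only one is worth a manual look at the log around that time.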