[AusNOG] Disturbing new spam trend?
Stuart Low
stuart.low at me.com
Wed Oct 7 12:13:47 EST 2015
The short answer is Yes and they have been for some time. SpamAssassin has a rule for reverse DNS mismatch but it can cause issues for legitimately NATed mail servers.
Stu
> On 7 Oct 2015, at 9:35 AM, Ross Wheeler <ausnog at rossw.net> wrote:
>
>
> I know spoofed headers have been around (almost) forever, but I had a call from a friend this morning who had received some malware.
>
> On looking through the headers, I noticed something that I find a little disturbing if I'm interpreting it right:
>
>
> Received: from ali-syd-1.albury.net.au (208.117.108.170) by
> BN1BFFO11FD024.mail.protection.outlook.com (10.58.144.87) with Microsoft SMTP Server (TLS) id 15.1.286.14 via Frontend Transport; Tue, 6 Oct 2015 10:43:53 +0000
>
> I suspect this may be a forged header, because I couldn't connect to 10.58.144.87 (even if BN1BFFO11FD024.mail.protection.outlook.com resolved to a 10.x address) - but I suppose it would be possible the mail server could be behind NAT, and report its own internal IP...
>
> The thing is, ali-syd-1.albury.net.au is NOT 208.117.108.170
>
> 208.117.108.170 is (currently) showing as another host:
> 170.108.117.208.in-addr.arpa domain name pointer mail.stridersports.com.
>
> Are spammers now getting sufficiently "crafty" to be changing PTR records to assist with the delivery of their spam and malware, or am I just being paranoid?
>
> (Has anyone else noticed this, or is it something you'd only notice if you were specifically looking for it?)
>
> R.
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
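A defender-side check of the kind discussed above, added here as an example that is not from either poster: it parses the quoted Received: line and compares the claimed HELO name, the connecting IP and its PTR against a constructed stand-in DNS table (the forward and reverse records, including the 203.0.113.10 address, are assumptions), and reports a private "by" address as the NAT case rather than as evidence of forgery.

```python
import re
import ipaddress

# The Received: line from the quoted message, used here as sample input.
SAMPLE_RECEIVED = (
    "Received: from ali-syd-1.albury.net.au (208.117.108.170) by "
    "BN1BFFO11FD024.mail.protection.outlook.com (10.58.144.87) with "
    "Microsoft SMTP Server (TLS) id 15.1.286.14 via Frontend Transport; "
    "Tue, 6 Oct 2015 10:43:53 +0000"
)

# Constructed stand-in for DNS so the check runs offline (hypothetical records).
# FORWARD: hostname -> set of A records; REVERSE: IP -> PTR name.
FORWARD = {
    "ali-syd-1.albury.net.au": {"203.0.113.10"},   # assumed address
    "mail.stridersports.com": {"208.117.108.170"},
}
REVERSE = {"208.117.108.170": "mail.stridersports.com"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<from_ip>[0-9.]+)\)\s+"
    r"by\s+(?P<by>\S+)\s+\((?P<by_ip>[0-9.]+)\)"
)

def parse_received(line):
    """Extract HELO name, connecting IP, receiving host and its IP, or None."""
    m = RECEIVED_RE.search(line)
    return m.groupdict() if m else None

def check_received(line, forward=FORWARD, reverse=REVERSE):
    """Return a list of findings for one Received: line (empty means consistent)."""
    hop = parse_received(line)
    if hop is None:
        return ["unparseable"]
    findings = []
    helo, ip = hop["helo"], hop["from_ip"]
    # Forward check: does the claimed HELO name actually resolve to the connecting IP?
    if ip not in forward.get(helo, set()):
        findings.append(f"helo-mismatch: {helo} does not resolve to {ip}")
    # Reverse check: PTR for the IP, then forward-confirm it (FCrDNS).
    ptr = reverse.get(ip)
    if ptr is None:
        findings.append(f"no-ptr: {ip}")
    elif ip not in forward.get(ptr, set()):
        findings.append(f"ptr-not-confirmed: {ptr} does not resolve back to {ip}")
    elif ptr != helo:
        findings.append(f"ptr-differs-from-helo: {ptr} != {helo}")
    # A private receiver address is what a NATed server reports; not a forgery sign.
    if ipaddress.ip_address(hop["by_ip"]).is_private:
        findings.append("by-ip-private: receiver behind NAT, not a forgery indicator")
    return findings
```

A mismatch between HELO name and PTR is the signal SpamAssassin scores; the private "by" address alone is the false-positive case mentioned in the reply.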