[AusNOG] Disturbing new spam trend?

Scott Howard scott at doc.net.au
Wed Oct 7 13:27:09 EST 2015


OK, so this was an "outgoing" email from you, not inbound. (and by that, I
don't mean to imply that it went anywhere near your actual mail server)

Back to your original header of interest:

Received: from ali-syd-1.albury.net.au (208.117.108.170) by
BN1BFFO11FD024.mail.protection.outlook.com (10.58.144.87) with
Microsoft SMTP Server (TLS) id 15.1.286.14 via Frontend Transport; Tue, 6
Oct 2015 10:43:53 +0000

The first bit, "from ali-syd-1.albury.net.au (208.117.108.170)" means that,
as I think someone else said, this came from the host at 208.117.108.170,
which identified itself as "ali-syd-1.albury.net.au" in the HELO/EHLO.

Next, "by BN1BFFO11FD024.mail.protection.outlook.com (10.58.144.87)" that's
the host that received it, but logging its "local" IP address.  Clearly
it's behind Reverse NAT/Port forwarding/etc, so that IP isn't of interest
to anyone but Microsoft.

But all up, that header is valid, and was added by Microsoft/Outlook.  You
can be sure of that based on the headers that come after it (going up),
which are clearly internal Outlook.com headers.

The headers below this one are bogus.  It's nothing new - include some
additional headers, often actually taken from a real message but with the
timestamp (and sometimes, but not always, message-id) modified.  In theory
it makes the message seem more legitimate, and some very broken anti-spam
systems will follow down to what appears to be the last legitimate header
with public IP (which in this case is 202.3.36.15) and then do a reputation
check on that IP - which not surprisingly returns a good reputation on
every system I checked.

  Scott




On Tue, Oct 6, 2015 at 5:28 PM, Ross Wheeler <ausnog at rossw.net> wrote:

>
> On Tue, 6 Oct 2015, Scott Howard wrote:
>
>> The next header in the chain will reveal all.  Is there a reason you didn't
>> include it?
>>
>
> Only that it was a screenshot and I didn't feel like typing it ALL back in
> :)
>
> Here it is, with only a few bits obfuscated to preserve the recipients
> identity.
>
> http://support.rossw.net/spam-7oct2015.gif
>
> Things worthy of pointing out:
> 1. The alleged sender doesn't use Thunderbird.
> 2. My mail server doesn't have a timezone of +0100
> 3. None of the mail IDs that claim to be associated with this appear in my
> maillogs
> 4. No mail to or from this domain was offered to, received by or sent
> from my mail server within 24 hours of this time.
>
> I wasn't so much concerned about the spam itself, as I was about something
> I haven't previously observed.
>
> R.
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
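The Received-chain walk Scott describes above, as an added example that is not part of the original thread: the two genuine Outlook.com hops and the forged hops below them are constructed sample headers (the edge hop is the one quoted in the thread; the internal relay name, the example.net/example.org hosts and the "PLACEHOLDER" ids are made up), and the trusted-suffix list is an assumption for a site whose inbound MX is Outlook.com. It contrasts the correct answer (stop at the first public "from" address handed to a server we trust) with the broken behaviour of following the chain all the way down, and it flags a forged hop whose timestamp is later than the hop recorded above it.

```python
import re
from email.utils import parsedate_to_datetime
from ipaddress import ip_address

# Assumption: our inbound mail is handled by Outlook.com, so any hop whose
# "by" host is under this suffix was written by infrastructure we trust.
# Everything recorded below the first hop that is not ours is sender-supplied.
TRUSTED_BY_SUFFIXES = (".outlook.com",)

# "from <helo> (... <ip> ...) ... by <host>" -- tolerant of both the
# "(1.2.3.4)" and "(name [1.2.3.4])" styles.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(.*?(?P<from_ip>\d{1,3}(?:\.\d{1,3}){3}).*?\)"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)

# Constructed sample chain, newest hop first, as Received headers appear in a
# message.  Hop 2 is the genuine edge hop quoted in the thread; hops 3 and 4
# are forged in the way the thread describes (a clean-reputation public IP,
# a local timezone, made-up queue ids).
SAMPLE_RECEIVED = [
    "from BN1BFFO11FD024.mail.protection.outlook.com (10.58.144.87) by "
    "INTERNAL-RELAY.prod.outlook.com (10.0.0.1) with Microsoft SMTP Server; "
    "Tue, 6 Oct 2015 10:43:54 +0000",
    "from ali-syd-1.albury.net.au (208.117.108.170) by "
    "BN1BFFO11FD024.mail.protection.outlook.com (10.58.144.87) with "
    "Microsoft SMTP Server (TLS) id 15.1.286.14 via Frontend Transport; "
    "Tue, 6 Oct 2015 10:43:53 +0000",
    "from mail.example.net (mail.example.net [202.3.36.15]) by "
    "relay.example.org (Postfix) with ESMTP id PLACEHOLDER; "
    "Tue, 6 Oct 2015 11:41:10 +0100",
    "from [192.168.1.20] (unknown [192.168.1.20]) by mail.example.net "
    "(Postfix) with ESMTPA id PLACEHOLDER; Tue, 6 Oct 2015 11:45:02 +0100",
]


def parse_received(headers):
    """Parse Received headers into hops: helo, from_ip, by host, timestamp."""
    hops = []
    for raw in headers:
        m = HOP_RE.search(raw)
        if not m:
            continue  # unparseable hop: treat as absent rather than guess
        date_part = raw.rsplit(";", 1)[-1].strip()
        hops.append({
            "helo": m["helo"],
            "from_ip": m["from_ip"],
            "by": m["by"],
            "date": parsedate_to_datetime(date_part),
        })
    return hops


def is_trusted(host):
    return host.lower().endswith(TRUSTED_BY_SUFFIXES)


def connecting_ip(hops):
    """Walk newest-first while the recording host is ours; the first globally
    routable 'from' address is the client that really connected to us.
    Nothing below that hop can be verified, so we never look at it."""
    for hop in hops:
        if not is_trusted(hop["by"]):
            return None  # chain left trusted infrastructure before an edge hop
        if ip_address(hop["from_ip"]).is_global:
            return hop["from_ip"]
    return None


def naive_last_public_ip(hops):
    """The broken anti-spam behaviour described in the thread: keep following
    the chain down and use the deepest public IP found, forged hops included."""
    last = None
    for hop in hops:
        if ip_address(hop["from_ip"]).is_global:
            last = hop["from_ip"]
    return last


def timeline_anomalies(hops):
    """Indices of hops claiming to be later than the hop recorded above them.
    In a genuine chain each lower hop is older than the one above it."""
    return [i for i in range(1, len(hops)) if hops[i]["date"] > hops[i - 1]["date"]]


if __name__ == "__main__":
    hops = parse_received(SAMPLE_RECEIVED)
    print("connecting IP (correct):      ", connecting_ip(hops))
    print("deepest public IP (naive):    ", naive_last_public_ip(hops))
    print("hops with impossible timing:  ", timeline_anomalies(hops))
```

The reputation lookup belongs on the address `connecting_ip` returns; the naive walk lands on 202.3.36.15, which is exactly the clean-reputation decoy the thread describes. The timeline check is a cheap second signal: a hop in a local timezone is fine on its own, but a lower hop that postdates the one above it cannot have been written in sequence.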