[anti-abuse-wg] Interesting email abuse header extract
Suresh Ramasubramanian
ops.lists at gmail.com
Sat Jun 1 10:57:13 CEST 2019
Without looking at the other Received headers there's no way to say that this is header forgery. Many mail clients will HELO as whatever IP they're provisioned on, and both IPs belong to a provider in Belarus. So unless this header was inserted in a way that there's no continuity with the other headers, I can't see any specific sign of forgery here. Carrier Grade NAT, maybe, so that the IP your mailserver sees vs the IP stamped in the HELO string will differ.

--srs

On 01/06/19, 2:06 PM, "anti-abuse-wg on behalf of ac" <anti-abuse-wg-bounces at ripe.net on behalf of ac at main.me> wrote:

Hello,

The purpose of the abuse header extract in this thread is obvious but still interesting. I started thinking about all the interesting ways that cyber criminals, nation states, large corporates and other abuse purveyors and distributors are always constantly trying to find ways to break abuse reporting systems, RBLs, DNSBLs, reputational and other services.

Here is the interesting extract:

Received: from mm-8-178-212-37.vitebsk.dynamic.pppoe.byfly.by ([37.212.178.8]:51058 helo=[178.121.247.67])

It is only interesting because it is so old that it is unusual to see such an old method in use in 2019. Maybe it is a "new" nation state trying to build or expand its cyber weapon arsenal, maybe it is R&D on a wannabe corporate spammer or corporate spam enabler (ESP), maybe it is just a young cyber criminal.

Either way, imho, this type of abuse is even worse than other types of abuse. As with everything, I guess it is also perspective. From a nation state perspective it is national security, from a cyber crime perspective it is R&D, from an abuse admin perspective it is extreme evil, and from the average Joe Soap or John Doe (or whatever the politically correct method of referring to the average person is) - the average person simply does not care :)

Andre
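The exchange above turns on one Received header whose HELO argument is an IP literal that does not match the connecting address. The following is an added example (not code from either poster or from the RIPE list) showing how an abuse desk might parse such headers and flag the HELO/connecting-IP relationship as a signal, while recording Suresh's caveat that a mismatch alone is consistent with NAT or CGNAT and needs corroboration from the rest of the header chain. It assumes the Exim-style `([ip]:port helo=...)` layout seen in the quoted extract; the two extra sample headers are constructed for contrast and use documentation address ranges.

```python
import re
import ipaddress

# Constructed samples: the first is the header quoted in the thread, the
# other two are made up (documentation ranges) to show a hostname HELO and
# a matching IP-literal HELO.
SAMPLE_HEADERS = [
    "Received: from mm-8-178-212-37.vitebsk.dynamic.pppoe.byfly.by "
    "([37.212.178.8]:51058 helo=[178.121.247.67])",
    "Received: from mail.example.test ([192.0.2.10]:25 helo=mail.example.test)",
    "Received: from host.example.test ([198.51.100.7]:4000 helo=[198.51.100.7])",
]

# Exim-style Received layout assumed here (an assumption, not a universal
# format): "from <rdns> ([<ip>]:<port> helo=<helo>)".
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<rdns>\S+)\s+"
    r"\(\[(?P<ip>[^\]]+)\](?::(?P<port>\d+))?\s+helo=(?P<helo>[^\s)]+)\)"
)


def helo_ip_literal(helo: str):
    """Return the address if the HELO argument is an IP literal like [1.2.3.4], else None."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            return ipaddress.ip_address(helo[1:-1])
        except ValueError:
            return None
    return None


def analyze_received(header: str) -> dict:
    """Parse one Received header and describe the HELO vs connecting-IP relationship.

    The 'assessment' is deliberately cautious: a mismatch is a weak signal,
    since NAT/CGNAT clients legitimately HELO with their provisioned address.
    """
    m = RECEIVED_RE.match(header)
    if not m:
        raise ValueError("unrecognized Received header layout")
    conn_ip = ipaddress.ip_address(m["ip"])
    helo = m["helo"]
    literal = helo_ip_literal(helo)

    if literal is None:
        assessment = "helo is a hostname; compare against rDNS and other hops"
        matches = None
    elif literal == conn_ip:
        assessment = "helo literal matches connecting ip"
        matches = True
    else:
        assessment = ("helo literal differs from connecting ip: weak signal, "
                      "consistent with NAT/CGNAT or forgery; check the rest of "
                      "the Received chain for continuity")
        matches = False

    return {
        "rdns": m["rdns"],
        "connecting_ip": str(conn_ip),
        "port": m["port"],
        "helo": helo,
        "helo_is_ip_literal": literal is not None,
        "helo_matches_connecting_ip": matches,
        "helo_is_private_or_reserved": (literal.is_private or literal.is_reserved)
        if literal is not None else None,
        "assessment": assessment,
    }


def analyze_all(headers=SAMPLE_HEADERS) -> list:
    """Run the check over a list of Received headers and return one record each."""
    return [analyze_received(h) for h in headers]


if __name__ == "__main__":
    for rec in analyze_all():
        print(f"{rec['connecting_ip']:>16}  helo={rec['helo']:<24} {rec['assessment']}")
```

The record for the thread's header reports an IP-literal HELO that differs from the connecting address; the assessment text is the point, since an automated verdict of "forged" from this one line would be exactly the mistake the reply warns against.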