[anti-abuse-wg] Interesting email abuse header extract

Without looking at the other received headers there's no way to say that this is header forgery.

Many mail clients will HELO as whatever IP they're provisioned on, and both IPs belong to a provider in Belarus.

So unless this header was inserted in a way that there's no continuity with the other headers, I can't see any specific sign of forgery here.  

Carrier Grade NAT maybe so that the IP your mailserver sees vs the IP stamped in the HELO string will differ.

--srs

On 01/06/19, 2:06 PM, "anti-abuse-wg on behalf of ac" <anti-abuse-wg-bounces at ripe.net on behalf of ac at main.me> wrote:

    Hello,
    
    The purpose of the abuse header extract in this thread is obvious but
    still interesting. I started thinking about all the interesting ways
    that cyber criminals, nation states, large corporates and other abuse
    purveyors and distributors are always constantly trying to find ways to
    break abuse reporting systems,  RBLs DNSBL's Reputational and other
    services.
    
    Here is the interesting extract : 
    Received: from mm-8-178-212-37.vitebsk.dynamic.pppoe.byfly.by
    ([37.212.178.8]:51058 helo=[178.121.247.67])
    
    It is only interesting because it is so old that it is unusual to see
    such an old method in use in 2019. Maybe it is a "new" nation state
    trying to build or expand it's cyber weapon arsenal, maybe it is R&D on
    a wannabe corporate spammer or corporate spam enabler (esp) maybe it is
    just a young cyber criminal
    
    Either way, imho, this type of abuse is even worse than other types of
    abuse. As with everything, I guess it is also perspective. From a
    nation state perspective it is national security, from a cyber crime
    perspective it is r&d, from an abuse admin perspective it is extreme
    evil and from the average joe soap or john doe (or whatever the
    politically correct method of referring to the average person is) -
    the average person simply does not care :)
    
    Andre