[anti-abuse-wg] Interesting email abuse header extract
Suresh Ramasubramanian
ops.lists at gmail.com
Sat Jun 1 11:15:39 CEST 2019
I won't deny that header forgery is still common. I'm just saying that there's zero indication of whether or not a particular header is forged by just looking at it in isolation.

On 01/06/19, 2:42 PM, "anti-abuse-wg on behalf of ac" <anti-abuse-wg-bounces at ripe.net on behalf of ac at main.me> wrote:

Hi,

It is not a forgery and the extract is the second line Received: (which I am not able to post in public :) )

Anyway it is allowed relay by 37.212.178.8 (for whatever reason, is not relevant). What is relevant is the addition of [ ] to the helo on a 2nd Received:

The first Received: is "supposedly" the actual sender (and from my data, the first Received: is fake/compromised/etc).

So, I guess what I am saying is look at the brackets and take my word for the rest :)

Either way, whether you accept my word or not, the manipulation of headers, in itself, with the goal of attacking 3rd parties (or "framing" 3rd parties) is still a very evil form of internet abuse that is not really discussed or talked about much?

Andre

On Sat, 01 Jun 2019 14:27:13 +0530 Suresh Ramasubramanian <ops.lists at gmail.com> wrote:

> Without looking at the other received headers there's no way to say that this is header forgery.
>
> Many mail clients will HELO as whatever IP they're provisioned on, and both IPs belong to a provider in Belarus.
>
> So unless this header was inserted in a way that there's no continuity with the other headers, I can't see any specific sign of forgery here.
>
> Carrier Grade NAT maybe so that the IP your mailserver sees vs the IP stamped in the HELO string will differ.
>
> --srs
>
> On 01/06/19, 2:06 PM, "anti-abuse-wg on behalf of ac" <anti-abuse-wg-bounces at ripe.net on behalf of ac at main.me> wrote:
>
> > Hello,
> >
> > The purpose of the abuse header extract in this thread is obvious but still interesting. I started thinking about all the interesting ways that cyber criminals, nation states, large corporates and other abuse purveyors and distributors are always constantly trying to find ways to break abuse reporting systems, RBLs, DNSBLs, reputational and other services.
> >
> > Here is the interesting extract:
> >
> > Received: from mm-8-178-212-37.vitebsk.dynamic.pppoe.byfly.by ([37.212.178.8]:51058 helo=[178.121.247.67])
> >
> > It is only interesting because it is so old that it is unusual to see such an old method in use in 2019. Maybe it is a "new" nation state trying to build or expand its cyber weapon arsenal, maybe it is R&D on a wannabe corporate spammer or corporate spam enabler (ESP), maybe it is just a young cyber criminal.
> >
> > Either way, imho, this type of abuse is even worse than other types of abuse. As with everything, I guess it is also perspective. From a nation state perspective it is national security, from a cyber crime perspective it is R&D, from an abuse admin perspective it is extreme evil and from the average Joe Soap or John Doe (or whatever the politically correct method of referring to the average person is) - the average person simply does not care :)
> >
> > Andre
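As an added example (not part of the thread, and not anyone's posted code), the check below parses the Exim-style Received: clause quoted above, separates the connecting IP from the HELO string, and reports a bracketed HELO address literal that differs from the connecting IP. As Suresh's reply makes clear, that mismatch is only a signal to weigh against the other Received: headers (CGNAT produces the same pattern), so the function returns observations rather than a verdict. The sample header line is the one quoted in the thread; the regex and field names are this example's own assumptions.

```python
import ipaddress
import re
from typing import Optional

# Sample input: the Received: line quoted in the thread, reproduced here
# as a constructed test string (Exim "from <rdns> ([<ip>]:<port> helo=<helo>)").
SAMPLE_RECEIVED = (
    "Received: from mm-8-178-212-37.vitebsk.dynamic.pppoe.byfly.by "
    "([37.212.178.8]:51058 helo=[178.121.247.67])"
)

# Assumed layout of the clause; real MTAs vary, so this is deliberately narrow.
RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<rdns>\S+)\s+"
    r"\(\[(?P<ip>[0-9a-fA-F.:]+)\](?::(?P<port>\d+))?"
    r"\s+helo=(?P<helo>\S+?)\)"
)

def parse_received(line: str) -> Optional[dict]:
    """Extract rDNS name, connecting IP, port and HELO from a Received: line."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    helo = rec["helo"]
    # RFC 5321 allows an address literal "[a.b.c.d]" as the HELO argument;
    # strip the brackets for comparison but record that they were present.
    rec["helo_is_literal"] = helo.startswith("[") and helo.endswith("]")
    rec["helo_value"] = helo[1:-1] if rec["helo_is_literal"] else helo
    return rec

def helo_signals(rec: dict) -> list:
    """Observations about the HELO string: signals to correlate, not proof."""
    signals = []
    if not rec["helo_is_literal"]:
        return signals  # a hostname HELO is compared elsewhere (rDNS, SPF)
    try:
        helo_ip = ipaddress.ip_address(rec["helo_value"])
        conn_ip = ipaddress.ip_address(rec["ip"])
    except ValueError:
        signals.append("helo-literal-not-an-ip")
        return signals
    if helo_ip == conn_ip:
        signals.append("helo-literal-matches-connecting-ip")
    else:
        # Seen with CGNAT as well as with forged or "framing" headers.
        signals.append("helo-literal-mismatch")
    return signals
```

Run the two functions over every Received: line in a message and compare the chain for continuity; a single mismatch in isolation tells you nothing, which is the point Suresh makes above.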