[anti-abuse-wg] Interesting email abuse header extract

I won't deny that header forgery is still common.  I'm just saying that there's zero indication of whether or not a particular header is forged by just looking at it in isolation.

On 01/06/19, 2:42 PM, "anti-abuse-wg on behalf of ac" <anti-abuse-wg-bounces at ripe.net on behalf of ac at main.me> wrote:

    Hi,
    
    It is not a forgery and the extract is the second line Received:
    (which  I am not able to post in public :) ) anyway it is allowed relay
    by 37.212.178.8 (for whatever reason, is not relevant) what is
    relevant is the addition of [ ] to the helo on a 2nd Received: 
    the first Received: is "supposedly" the actual sender (and from my
    data, the first Received: is fake/compromised/etc) 
    so, i guess what I am saying is look at the brackets and take my word
    for the rest :)
    
    either way, whether you accept my word or not, the manipulation of
    headers, in itself, with the goal of attacking 3rd parties (or
    "framing" 3rd parties) is still a very evil form of internet abuse
    that is not really discussed or talked about much?
    
    Andre
    
    On Sat, 01 Jun 2019 14:27:13 +0530
    Suresh Ramasubramanian <ops.lists at gmail.com> wrote:
    
    > Without looking at the other received headers there's no way to say
    > that this is header forgery.
    > 
    > Many mail clients will HELO as whatever IP they're provisioned on,
    > and both IPs belong to a provider in Belarus.
    > 
    > So unless this header was inserted in a way that there's no
    > continuity with the other headers, I can't see any specific sign of
    > forgery here.  
    > 
    > Carrier Grade NAT maybe so that the IP your mailserver sees vs the IP
    > stamped in the HELO string will differ.
    > 
    > --srs
    > 
    > On 01/06/19, 2:06 PM, "anti-abuse-wg on behalf of ac"
    > <anti-abuse-wg-bounces at ripe.net on behalf of ac at main.me> wrote:
    > 
    >     Hello,
    >     
    >     The purpose of the abuse header extract in this thread is obvious
    > but still interesting. I started thinking about all the interesting
    > ways that cyber criminals, nation states, large corporates and other
    > abuse purveyors and distributors are always constantly trying to find
    > ways to break abuse reporting systems,  RBLs DNSBL's Reputational and
    > other services.
    >     
    >     Here is the interesting extract : 
    >     Received: from mm-8-178-212-37.vitebsk.dynamic.pppoe.byfly.by
    >     ([37.212.178.8]:51058 helo=[178.121.247.67])
    >     
    >     It is only interesting because it is so old that it is unusual to
    > see such an old method in use in 2019. Maybe it is a "new" nation
    > state trying to build or expand it's cyber weapon arsenal, maybe it
    > is R&D on a wannabe corporate spammer or corporate spam enabler (esp)
    > maybe it is just a young cyber criminal
    >     
    >     Either way, imho, this type of abuse is even worse than other
    > types of abuse. As with everything, I guess it is also perspective.
    > From a nation state perspective it is national security, from a cyber
    > crime perspective it is r&d, from an abuse admin perspective it is
    > extreme evil and from the average joe soap or john doe (or whatever
    > the politically correct method of referring to the average person is)
    > - the average person simply does not care :)
    >     
    >     Andre
    >     
    >     
    > 
    >