This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Interesting email abuse header extract
- Previous message (by thread): [anti-abuse-wg] Interesting email abuse header extract
- Next message (by thread): [anti-abuse-wg] Microsoft New Abuse Policies
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
ac
ac at main.me
Sun Jun 2 09:18:09 CEST 2019
Okay, thanks :) In order to understand the specific abuse, itself, as abuse, I think? the best thing is to know how many different reasons are there for headers to be forged. In my data, there are only two main reasons: R&D and Actual Criminal event (criminal action including state actors, corporate attacks). R&D (governments/esp/crime syndicates/corporate) - as I am trying to incorporate this into a new doc I would appreciate any comments/ideas about forging of headers? Andre On Sat, 01 Jun 2019 14:45:39 +0530 Suresh Ramasubramanian <ops.lists at gmail.com> wrote: > I won't deny that header forgery is still common. I'm just saying > that there's zero indication of whether or not a particular header is > forged by just looking at it in isolation. > > On 01/06/19, 2:42 PM, "anti-abuse-wg on behalf of ac" > <anti-abuse-wg-bounces at ripe.net on behalf of ac at main.me> wrote: > > Hi, > > It is not a forgery and the extract is the second line Received: > (which I am not able to post in public :) ) anyway it is allowed > relay by 37.212.178.8 (for whatever reason, is not relevant) what is > relevant is the addition of [ ] to the helo on a 2nd Received: > the first Received: is "supposedly" the actual sender (and from my > data, the first Received: is fake/compromised/etc) > so, i guess what I am saying is look at the brackets and take my > word for the rest :) > > either way, whether you accept my word or not, the manipulation of > headers, in itself, with the goal of attacking 3rd parties (or > "framing" 3rd parties) is still a very evil form of internet abuse > that is not really discussed or talked about much? > > Andre > > On Sat, 01 Jun 2019 14:27:13 +0530 > Suresh Ramasubramanian <ops.lists at gmail.com> wrote: > > > Without looking at the other received headers there's no way to > > say that this is header forgery. > > > > Many mail clients will HELO as whatever IP they're provisioned > > on, and both IPs belong to a provider in Belarus. > > > > So unless this header was inserted in a way that there's no > > continuity with the other headers, I can't see any specific > > sign of forgery here. > > > > Carrier Grade NAT maybe so that the IP your mailserver sees vs > > the IP stamped in the HELO string will differ. > > > > --srs > > > > On 01/06/19, 2:06 PM, "anti-abuse-wg on behalf of ac" > > <anti-abuse-wg-bounces at ripe.net on behalf of ac at main.me> wrote: > > > > Hello, > > > > The purpose of the abuse header extract in this thread is > > obvious but still interesting. I started thinking about all the > > interesting ways that cyber criminals, nation states, large > > corporates and other abuse purveyors and distributors are > > always constantly trying to find ways to break abuse reporting > > systems, RBLs DNSBL's Reputational and other services. > > > > Here is the interesting extract : > > Received: from > > mm-8-178-212-37.vitebsk.dynamic.pppoe.byfly.by > > ([37.212.178.8]:51058 helo=[178.121.247.67]) > > It is only interesting because it is so old that it is > > unusual to see such an old method in use in 2019. Maybe it is a > > "new" nation state trying to build or expand it's cyber weapon > > arsenal, maybe it is R&D on a wannabe corporate spammer or > > corporate spam enabler (esp) maybe it is just a young cyber > > criminal > > Either way, imho, this type of abuse is even worse than > > other types of abuse. As with everything, I guess it is also > > perspective. From a nation state perspective it is national > > security, from a cyber crime perspective it is r&d, from an > > abuse admin perspective it is extreme evil and from the average > > joe soap or john doe (or whatever the politically correct > > method of referring to the average person is) > > - the average person simply does not care :) > > > > Andre > > > > > > > > > > > > >
- Previous message (by thread): [anti-abuse-wg] Interesting email abuse header extract
- Next message (by thread): [anti-abuse-wg] Microsoft New Abuse Policies
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]