[anti-abuse-wg] Interesting email abuse header extract

Okay, thanks :)

In order to understand the specific abuse, itself, as abuse,  I think?
the best thing is to know how many different reasons are there for
headers to be forged. In my data, there are only two main reasons: R&D
and Actual Criminal event (criminal action including state actors,
corporate attacks). R&D (governments/esp/crime syndicates/corporate) -
as I am trying to incorporate this into a new doc I would appreciate any
comments/ideas about forging of headers? 

Andre

On Sat, 01 Jun 2019 14:45:39 +0530
Suresh Ramasubramanian <ops.lists at gmail.com> wrote:

> I won't deny that header forgery is still common.  I'm just saying
> that there's zero indication of whether or not a particular header is
> forged by just looking at it in isolation.
> 
> On 01/06/19, 2:42 PM, "anti-abuse-wg on behalf of ac"
> <anti-abuse-wg-bounces at ripe.net on behalf of ac at main.me> wrote:
> 
>     Hi,
>     
>     It is not a forgery and the extract is the second line Received:
>     (which  I am not able to post in public :) ) anyway it is allowed
> relay by 37.212.178.8 (for whatever reason, is not relevant) what is
>     relevant is the addition of [ ] to the helo on a 2nd Received: 
>     the first Received: is "supposedly" the actual sender (and from my
>     data, the first Received: is fake/compromised/etc) 
>     so, i guess what I am saying is look at the brackets and take my
> word for the rest :)
>     
>     either way, whether you accept my word or not, the manipulation of
>     headers, in itself, with the goal of attacking 3rd parties (or
>     "framing" 3rd parties) is still a very evil form of internet abuse
>     that is not really discussed or talked about much?
>     
>     Andre
>     
>     On Sat, 01 Jun 2019 14:27:13 +0530
>     Suresh Ramasubramanian <ops.lists at gmail.com> wrote:
>     
>     > Without looking at the other received headers there's no way to
>     > say that this is header forgery.
>     > 
>     > Many mail clients will HELO as whatever IP they're provisioned
>     > on, and both IPs belong to a provider in Belarus.
>     > 
>     > So unless this header was inserted in a way that there's no
>     > continuity with the other headers, I can't see any specific
>     > sign of forgery here.  
>     > 
>     > Carrier Grade NAT maybe so that the IP your mailserver sees vs
>     > the IP stamped in the HELO string will differ.
>     > 
>     > --srs
>     > 
>     > On 01/06/19, 2:06 PM, "anti-abuse-wg on behalf of ac"
>     > <anti-abuse-wg-bounces at ripe.net on behalf of ac at main.me> wrote:
>     > 
>     >     Hello,
>     >     
>     >     The purpose of the abuse header extract in this thread is
>     > obvious but still interesting. I started thinking about all the
>     > interesting ways that cyber criminals, nation states, large
>     > corporates and other abuse purveyors and distributors are
>     > always constantly trying to find ways to break abuse reporting
>     > systems,  RBLs DNSBL's Reputational and other services.
>     >     
>     >     Here is the interesting extract : 
>     >     Received: from
>     > mm-8-178-212-37.vitebsk.dynamic.pppoe.byfly.by
>     > ([37.212.178.8]:51058 helo=[178.121.247.67]) 
>     >     It is only interesting because it is so old that it is
>     > unusual to see such an old method in use in 2019. Maybe it is a
>     > "new" nation state trying to build or expand it's cyber weapon
>     > arsenal, maybe it is R&D on a wannabe corporate spammer or
>     > corporate spam enabler (esp) maybe it is just a young cyber
>     > criminal 
>     >     Either way, imho, this type of abuse is even worse than
>     > other types of abuse. As with everything, I guess it is also
>     > perspective. From a nation state perspective it is national
>     > security, from a cyber crime perspective it is r&d, from an
>     > abuse admin perspective it is extreme evil and from the average
>     > joe soap or john doe (or whatever the politically correct
>     > method of referring to the average person is)
>     > - the average person simply does not care :)
>     >     
>     >     Andre
>     >     
>     >     
>     > 
>     >   
>     
>     
>     
> 
>