[anti-abuse-wg] Interesting email abuse header extract
- Previous message (by thread): [anti-abuse-wg] Interesting email abuse header extract
- Next message (by thread): [anti-abuse-wg] Microsoft New Abuse Policies
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
ac
ac at main.me
Sun Jun 2 09:18:09 CEST 2019
Okay, thanks :)

In order to understand the specific abuse, itself, as abuse, I think the best thing is to know how many different reasons there are for headers to be forged.

In my data, there are only two main reasons: R&D and an actual criminal event (criminal action including state actors, corporate attacks).

R&D (governments/esp/crime syndicates/corporate) - as I am trying to incorporate this into a new doc, I would appreciate any comments/ideas about forging of headers?

Andre

On Sat, 01 Jun 2019 14:45:39 +0530
Suresh Ramasubramanian <ops.lists at gmail.com> wrote:

> I won't deny that header forgery is still common. I'm just saying
> that there's zero indication of whether or not a particular header is
> forged by just looking at it in isolation.
>
> On 01/06/19, 2:42 PM, "anti-abuse-wg on behalf of ac"
> <anti-abuse-wg-bounces at ripe.net on behalf of ac at main.me> wrote:
>
>     Hi,
>
>     It is not a forgery, and the extract is the second Received: line
>     (which I am not able to post in public :) ). Anyway, it is allowed
>     relay by 37.212.178.8 (for whatever reason; that is not relevant). What is
>     relevant is the addition of [ ] to the helo on a 2nd Received:.
>     The first Received: is "supposedly" the actual sender (and from my
>     data, the first Received: is fake/compromised/etc).
>     So, I guess what I am saying is: look at the brackets and take my
>     word for the rest :)
>
>     Either way, whether you accept my word or not, the manipulation of
>     headers, in itself, with the goal of attacking 3rd parties (or
>     "framing" 3rd parties) is still a very evil form of internet abuse
>     that is not really discussed or talked about much?
>
>     Andre
>
>     On Sat, 01 Jun 2019 14:27:13 +0530
>     Suresh Ramasubramanian <ops.lists at gmail.com> wrote:
>
>     > Without looking at the other Received: headers there's no way to
>     > say that this is header forgery.
>     >
>     > Many mail clients will HELO as whatever IP they're provisioned
>     > on, and both IPs belong to a provider in Belarus.
>     >
>     > So unless this header was inserted in a way that there's no
>     > continuity with the other headers, I can't see any specific
>     > sign of forgery here.
>     >
>     > Carrier Grade NAT, maybe, so that the IP your mailserver sees vs
>     > the IP stamped in the HELO string will differ.
>     >
>     > --srs
>     >
>     > On 01/06/19, 2:06 PM, "anti-abuse-wg on behalf of ac"
>     > <anti-abuse-wg-bounces at ripe.net on behalf of ac at main.me> wrote:
>     >
>     >     Hello,
>     >
>     >     The purpose of the abuse header extract in this thread is
>     >     obvious but still interesting. I started thinking about all the
>     >     interesting ways that cyber criminals, nation states, large
>     >     corporates and other abuse purveyors and distributors are
>     >     always constantly trying to find ways to break abuse reporting
>     >     systems, RBLs, DNSBLs, reputational and other services.
>     >
>     >     Here is the interesting extract:
>     >
>     >     Received: from
>     >     mm-8-178-212-37.vitebsk.dynamic.pppoe.byfly.by
>     >     ([37.212.178.8]:51058 helo=[178.121.247.67])
>     >
>     >     It is only interesting because it is so old that it is
>     >     unusual to see such an old method in use in 2019. Maybe it is a
>     >     "new" nation state trying to build or expand its cyber weapon
>     >     arsenal, maybe it is R&D by a wannabe corporate spammer or
>     >     corporate spam enabler (esp), maybe it is just a young cyber
>     >     criminal.
>     >
>     >     Either way, imho, this type of abuse is even worse than
>     >     other types of abuse. As with everything, I guess it is also
>     >     perspective. From a nation state perspective it is national
>     >     security, from a cyber crime perspective it is R&D, from an
>     >     abuse admin perspective it is extreme evil, and from the average
>     >     joe soap or john doe (or whatever the politically correct
>     >     method of referring to the average person is)
>     >     - the average person simply does not care :)
>     >
>     >     Andre
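The thread argues over one thing: whether a bracketed IP literal in the HELO of an Exim-style Received: line (`([37.212.178.8]:51058 helo=[178.121.247.67])`) is evidence of forgery, or just a client announcing the address it believes it has behind NAT/CGNAT. The following is an added example, not code from the thread or from any list participant: it parses that clause, compares the connecting IP with the HELO literal, and separates the NAT-plausible case (literal in private or shared 100.64.0.0/10 space) from the case where the stamped literal is a different public address. The page's own extract is used as the first input; the other two Received: lines and all host names are constructed for the example. The result is a triage signal only, as Suresh's caveat says: in isolation it proves nothing, and the adjacent Received: lines still have to be checked for continuity.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Shared Address Space used by carrier-grade NAT (RFC 6598); ipaddress.is_private
# does not cover it, so it is checked explicitly.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Exim-style clause: "from <rdns-or-helo> ([<ip>]:<port> helo=<helo>)"
# Port is optional; the header may be folded over several lines.
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)\s+\(\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?\s+helo=(?P<helo>\S+)\)"
)

# Input 1 is the extract quoted in the thread; inputs 2 and 3 are constructed.
PAGE_EXTRACT = (
    "Received: from mm-8-178-212-37.vitebsk.dynamic.pppoe.byfly.by\n"
    "\t([37.212.178.8]:51058 helo=[178.121.247.67])"
)
SAMPLE_NAT = "Received: from host.example ([203.0.113.5]:2525 helo=[192.168.1.20])"
SAMPLE_NAME = "Received: from mail.example.net ([198.51.100.7]:25 helo=mail.example.net)"


@dataclass
class HopCheck:
    connecting_ip: IPAddr          # address the receiving MTA actually saw
    helo: str                      # raw HELO/EHLO argument as stamped
    literal_ip: Optional[IPAddr]   # parsed address if the HELO was a bracketed literal
    mismatch: bool                 # literal present and != connecting IP
    nat_plausible: bool            # mismatch, but literal is private/CGNAT space


def parse_helo_literal(helo: str) -> Optional[IPAddr]:
    """Return the address in a bracketed HELO literal ([1.2.3.4] or [IPv6:...]), else None."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return None
    inner = helo[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    try:
        return ipaddress.ip_address(inner)
    except ValueError:
        return None  # bracketed but not an address: treat as a name


def parse_received(header: str) -> HopCheck:
    """Parse one Exim-style Received: header into a HopCheck."""
    text = " ".join(header.split())  # unfold continuation lines
    m = RECEIVED_RE.search(text)
    if not m:
        raise ValueError("no Exim-style 'from ... ([ip] helo=...)' clause found")
    connecting = ipaddress.ip_address(m.group("ip"))
    helo = m.group("helo")
    literal = parse_helo_literal(helo)
    mismatch = literal is not None and literal != connecting
    nat_plausible = mismatch and (literal.is_private or literal in CGNAT)
    return HopCheck(connecting, helo, literal, mismatch, nat_plausible)


def assess(check: HopCheck) -> str:
    """Turn a HopCheck into the triage note an abuse analyst would attach."""
    if check.literal_ip is None:
        return "helo is a name: compare it with rDNS/SPF of the connecting IP separately"
    if not check.mismatch:
        return "helo literal matches the connecting IP"
    if check.nat_plausible:
        return ("helo literal differs but is private/CGNAT space: consistent with a "
                "client behind NAT, weak signal on its own")
    return ("helo literal differs and is a public address: the stamped identity does not "
            "match the connection, inspect the adjacent Received: lines for continuity")


if __name__ == "__main__":
    for hdr in (PAGE_EXTRACT, SAMPLE_NAT, SAMPLE_NAME):
        c = parse_received(hdr)
        print(f"{c.connecting_ip} helo={c.helo}: {assess(c)}")
```

The page's extract lands in the last branch of `assess`: 178.121.247.67 is a public address that differs from the 37.212.178.8 the MTA saw, which is exactly why it catches the eye, while the constructed `[192.168.1.20]` case shows the ordinary NAT pattern that Suresh describes and that should not be escalated by itself.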