I won't deny that header forgery is still common. I'm just saying that there's zero indication of whether or not a particular header is forged by just looking at it in isolation.

On 01/06/19, 2:42 PM, "anti-abuse-wg on behalf of ac" <anti-abuse-wg-bounces@ripe.net on behalf of ac@main.me> wrote:

Hi,

It is not a forgery and the extract is the second line Received: (which I am not able to post in public :) )

anyway it is allowed relay by 37.212.178.8 (for whatever reason, is not relevant)

what is relevant is the addition of [ ] to the helo on a 2nd Received:

the first Received: is "supposedly" the actual sender (and from my data, the first Received: is fake/compromised/etc)

so, I guess what I am saying is look at the brackets and take my word for the rest :)

either way, whether you accept my word or not, the manipulation of headers, in itself, with the goal of attacking 3rd parties (or "framing" 3rd parties) is still a very evil form of internet abuse that is not really discussed or talked about much?

Andre

On Sat, 01 Jun 2019 14:27:13 +0530
Suresh Ramasubramanian <ops.lists@gmail.com> wrote:

> Without looking at the other received headers there's no way to say
> that this is header forgery.
>
> Many mail clients will HELO as whatever IP they're provisioned on,
> and both IPs belong to a provider in Belarus.
>
> So unless this header was inserted in a way that there's no
> continuity with the other headers, I can't see any specific sign of
> forgery here.
>
> Carrier Grade NAT maybe so that the IP your mailserver sees vs the IP
> stamped in the HELO string will differ.
>
> --srs
>
> On 01/06/19, 2:06 PM, "anti-abuse-wg on behalf of ac"
> <anti-abuse-wg-bounces@ripe.net on behalf of ac@main.me> wrote:
>
> Hello,
>
> The purpose of the abuse header extract in this thread is obvious
> but still interesting. I started thinking about all the interesting
> ways that cyber criminals, nation states, large corporates and other
> abuse purveyors and distributors are always constantly trying to find
> ways to break abuse reporting systems, RBLs, DNSBLs, reputational and
> other services.
>
> Here is the interesting extract:
> Received: from mm-8-178-212-37.vitebsk.dynamic.pppoe.byfly.by
> ([37.212.178.8]:51058 helo=[178.121.247.67])
>
> It is only interesting because it is so old that it is unusual to
> see such an old method in use in 2019. Maybe it is a "new" nation
> state trying to build or expand its cyber weapon arsenal, maybe it
> is R&D on a wannabe corporate spammer or corporate spam enabler (esp),
> maybe it is just a young cyber criminal.
>
> Either way, imho, this type of abuse is even worse than other
> types of abuse. As with everything, I guess it is also perspective.
> From a nation state perspective it is national security, from a cyber
> crime perspective it is r&d, from an abuse admin perspective it is
> extreme evil and from the average joe soap or john doe (or whatever
> the politically correct method of referring to the average person is)
> - the average person simply does not care :)
>
> Andre
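As an added example (not code from the thread or from either correspondent), here is a small Python script for an abuse desk that does the two checks the thread talks about: it walks a Received: chain and tests hop-to-hop continuity (does each "by" host match the host/HELO/IP the next hop says it received from), as Suresh describes, and it flags a HELO address literal in brackets that differs from the connecting IP, the pattern Andre points to. The sample headers are constructed: the second hop of the first chain reproduces the extract quoted in the thread, everything else uses example.* names and documentation addresses and is made up for illustration. A HELO/IP mismatch is reported as an indicator only, since, as the thread notes, CGNAT and clients that HELO as their provisioned address produce the same pattern legitimately.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample chain, most recent hop first (the order they appear in a
# message). The second entry reproduces the extract quoted in the thread; the
# other hops use documentation names/addresses and are invented.
SAMPLE_RECEIVED = [
    "from mx1.example.net ([192.0.2.10]) by mail.example.org with esmtps"
    " id ABC123; Sat, 01 Jun 2019 08:30:11 +0000",
    "from mm-8-178-212-37.vitebsk.dynamic.pppoe.byfly.by"
    " ([37.212.178.8]:51058 helo=[178.121.247.67]) by mx1.example.net"
    " with esmtp id DEF456; Sat, 01 Jun 2019 08:30:10 +0000",
    "from [178.121.247.67] (localhost [127.0.0.1]) by 178.121.247.67"
    " with esmtp; Sat, 01 Jun 2019 08:30:09 +0000",
]

# Constructed chain whose oldest hop names a relay that no later hop
# received from, i.e. the "no continuity" case from the thread.
DISCONTINUOUS_RECEIVED = [
    "from mx1.example.net ([192.0.2.10]) by mail.example.org with esmtps"
    " id GHI789; Sat, 01 Jun 2019 09:00:02 +0000",
    "from smtp.example.com ([198.51.100.5]) by mx1.example.net with esmtp"
    " id JKL012; Sat, 01 Jun 2019 09:00:01 +0000",
    "from client.example.com ([203.0.113.9]) by unrelated.invalid with esmtp"
    " id MNO345; Sat, 01 Jun 2019 09:00:00 +0000",
]


class Hop(NamedTuple):
    from_host: Optional[str]   # what the receiving server recorded as the sender
    conn_ip: Optional[str]     # connecting IP in [brackets], as seen by that server
    helo: Optional[str]        # HELO/EHLO name the client announced, if recorded
    by_host: Optional[str]     # name the receiving server used for itself


_FROM = re.compile(r"^\s*from\s+(\S+)", re.I)
_BY = re.compile(r"\bby\s+(\S+)", re.I)
_HELO = re.compile(r"\bhelo=\[?([^\s\]\)]+)", re.I)
_PAREN = re.compile(r"\(([^)]*)\)")
_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> Hop:
    """Pull the from/IP/helo/by fields out of one (possibly folded) Received: value."""
    value = " ".join(value.split())  # unfold continuation lines
    m = _FROM.search(value)
    from_host = m.group(1) if m else None
    rest = value[m.end():] if m else value  # search after the from-host so a
    # hostname ending in ".by" cannot be mistaken for the "by" clause
    conn_ip = None
    paren = _PAREN.search(rest)
    if paren:
        ip = _BRACKET_IP.search(paren.group(1))
        if ip:
            conn_ip = ip.group(1)
    h = _HELO.search(value)
    b = _BY.search(rest)
    return Hop(from_host, conn_ip, h.group(1) if h else None, b.group(1) if b else None)


def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def _norm(s: Optional[str]) -> Optional[str]:
    return s.strip("[]").lower() if s else None


def analyse_chain(received: List[str]) -> List[str]:
    """Return human-readable indicators for a Received: chain (newest first)."""
    hops = [parse_received(v) for v in received]
    findings: List[str] = []
    for i, hop in enumerate(hops):
        # Bracketed HELO literal that is not the IP the server actually saw.
        # Indicator only: CGNAT or a client announcing its provisioned address
        # looks the same, so this never proves forgery on its own.
        if hop.helo and _is_ip(hop.helo) and hop.conn_ip and hop.helo != hop.conn_ip:
            findings.append(
                f"hop {i}: HELO literal [{hop.helo}] differs from connecting IP {hop.conn_ip}"
            )
        # Continuity: the older hop's "by" host should be what this hop received
        # from, under any of the names this hop recorded for it.
        if i + 1 < len(hops):
            older = hops[i + 1]
            names = {_norm(hop.from_host), _norm(hop.helo), _norm(hop.conn_ip)} - {None}
            if _norm(older.by_host) not in names:
                findings.append(
                    f"hop {i + 1}: 'by {older.by_host}' does not match the next hop's from/helo/ip"
                )
    return findings


if __name__ == "__main__":
    for label, chain in (("sample", SAMPLE_RECEIVED), ("discontinuous", DISCONTINUOUS_RECEIVED)):
        print(label, analyse_chain(chain) or ["no indicators"])
```

Run on the first chain it reports only the HELO-literal mismatch on the byfly.by hop, and the chain itself is continuous (the self-stamped oldest hop says "by 178.121.247.67", which is exactly the HELO the relay recorded), which is the situation where, per Suresh, the header alone cannot settle the question; the second chain shows the continuity check firing.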