Okay, thanks :) In order to understand the specific abuse, itself, as abuse, I think the best thing is to know how many different reasons there are for headers to be forged. In my data, there are only two main reasons: R&D and an actual criminal event (criminal action including state actors and corporate attacks). R&D (governments/ESPs/crime syndicates/corporates) - as I am trying to incorporate this into a new doc, I would appreciate any comments/ideas about forging of headers?

Andre

On Sat, 01 Jun 2019 14:45:39 +0530 Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
I won't deny that header forgery is still common. I'm just saying that there's zero indication of whether or not a particular header is forged by just looking at it in isolation.
On 01/06/19, 2:42 PM, "anti-abuse-wg on behalf of ac" <anti-abuse-wg-bounces@ripe.net on behalf of ac@main.me> wrote:
Hi,
It is not a forgery, and the extract is the second Received: line (which I am not able to post in public :) ). Anyway, it is an allowed relay by 37.212.178.8 (for whatever reason, that is not relevant). What is relevant is the addition of [ ] to the helo on a 2nd Received: line; the first Received: is "supposedly" the actual sender (and from my data, the first Received: is fake/compromised/etc). So, I guess what I am saying is: look at the brackets and take my word for the rest :)
Either way, whether you accept my word or not, the manipulation of headers, in itself, with the goal of attacking 3rd parties (or "framing" 3rd parties) is still a very evil form of internet abuse that is not really discussed or talked about much?
Andre
On Sat, 01 Jun 2019 14:27:13 +0530 Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
> Without looking at the other received headers there's no way to say that this is header forgery.
>
> Many mail clients will HELO as whatever IP they're provisioned on, and both IPs belong to a provider in Belarus.
>
> So unless this header was inserted in a way that there's no continuity with the other headers, I can't see any specific sign of forgery here.
>
> Carrier Grade NAT maybe, so that the IP your mailserver sees vs the IP stamped in the HELO string will differ.
>
> --srs
>
> On 01/06/19, 2:06 PM, "anti-abuse-wg on behalf of ac" <anti-abuse-wg-bounces@ripe.net on behalf of ac@main.me> wrote:
>
> Hello,
>
> The purpose of the abuse header extract in this thread is obvious but still interesting. I started thinking about all the interesting ways that cyber criminals, nation states, large corporates and other abuse purveyors and distributors are always constantly trying to find ways to break abuse reporting systems, RBLs, DNSBLs, reputational and other services.
>
> Here is the interesting extract:
> Received: from
> mm-8-178-212-37.vitebsk.dynamic.pppoe.byfly.by
> ([37.212.178.8]:51058 helo=[178.121.247.67])
>
> It is only interesting because it is so old that it is unusual to see such an old method in use in 2019. Maybe it is a "new" nation state trying to build or expand its cyber weapon arsenal, maybe it is R&D on a wannabe corporate spammer or corporate spam enabler (ESP), maybe it is just a young cyber criminal.
>
> Either way, imho, this type of abuse is even worse than other types of abuse. As with everything, I guess it is also perspective. From a nation state perspective it is national security, from a cyber crime perspective it is R&D, from an abuse admin perspective it is extreme evil, and from the average joe soap or john doe (or whatever the politically correct method of referring to the average person is)
> - the average person simply does not care :)
>
> Andre
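The two points the thread turns on, that the bracketed HELO differs from the IP the relay actually saw, and that only a break in continuity between consecutive Received: lines would actually suggest an inserted header, can both be checked mechanically. The following parser is an added example written for this archive page, not code from either poster; it parses Exim-style Received: lines of the shape quoted above, flags an address-literal HELO that does not match the connecting IP, and checks whether each hop's "by" host reappears as the "from" host of the hop above it. The thread's own header extract is used as one input (its "by" clause was not part of the extract); the two-hop chains are constructed with documentation placeholder names and addresses and are not from the thread.

```python
"""Parse Exim-style Received: headers and report the two observations discussed in the
thread: an address-literal HELO that does not match the connecting IP, and a break in
continuity between consecutive hops. Neither observation is proof of forgery by itself."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape seen in the thread:
#   Received: from <rdns> ([<ip>]:<port> helo=<helo>) by <host> ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[^\]]+)\](?::(?P<port>\d+))?"
    r"\s+helo=(?P<helo>[^)\s]+)\)(?:\s+by\s+(?P<by>\S+))?",
    re.IGNORECASE,
)


@dataclass
class Hop:
    rdns: str           # reverse-DNS name the receiving MTA logged for the peer
    ip: str             # TCP peer address the receiving MTA itself observed
    port: Optional[int]
    helo: str           # whatever the client claimed in HELO/EHLO (client-controlled)
    by: Optional[str]   # receiving MTA, when the header carries a "by" clause


def parse_received(header: str) -> Hop:
    """Parse one Received: header (folded lines are collapsed first)."""
    body = re.sub(r"\s+", " ", header.replace("Received:", "", 1)).strip()
    m = RECEIVED_RE.search(body)
    if not m:
        raise ValueError("unsupported Received: format: " + body)
    port = int(m["port"]) if m["port"] else None
    return Hop(m["rdns"], m["ip"], port, m["helo"], m["by"])


def helo_literal(helo: str) -> Optional[str]:
    """Return the address if the HELO argument is an address literal such as [178.121.247.67]."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            return str(ipaddress.ip_address(helo[1:-1]))
        except ValueError:
            return None
    return None


def assess_hop(hop: Hop) -> List[str]:
    """Observations about a single hop. The connecting IP is the only field the client
    could not choose; a HELO/IP mismatch can come from CGNAT or a client that HELOs as
    its provisioned address just as easily as from forgery, so these are leads, not verdicts."""
    notes = []
    lit = helo_literal(hop.helo)
    if lit is not None and lit != hop.ip:
        notes.append("helo literal %s differs from connecting IP %s" % (lit, hop.ip))
    return notes


def chain_breaks(hops: List[Hop]) -> List[int]:
    """hops is in header order, index 0 being the most recent (top of the message).
    Hop i says it was received *by* some MTA; the hop above it should show that same
    MTA as its *from* host. Return the indexes of hops whose "by" host does not
    reappear above them, which is the discontinuity Suresh refers to."""
    breaks = []
    for i in range(1, len(hops)):
        lower, upper = hops[i], hops[i - 1]
        if lower.by and lower.by.lower() != upper.rdns.lower():
            breaks.append(i)
    return breaks


# Header extract quoted in the thread (the extract did not include the "by" clause).
THREAD_EXTRACT = (
    "Received: from mm-8-178-212-37.vitebsk.dynamic.pppoe.byfly.by "
    "([37.212.178.8]:51058 helo=[178.121.247.67])"
)

# Constructed chains; names and addresses are documentation placeholders, not from the thread.
CONSTRUCTED_CONTINUOUS = [
    "Received: from relay.example.net ([192.0.2.10]:25 helo=relay.example.net) by inbound.example.org",
    "Received: from client.example.com ([198.51.100.7]:45210 helo=[198.51.100.7]) by relay.example.net",
]
CONSTRUCTED_BROKEN = [
    "Received: from relay.example.net ([192.0.2.10]:25 helo=relay.example.net) by inbound.example.org",
    "Received: from client.example.com ([198.51.100.7]:45210 helo=[198.51.100.7]) by elsewhere.example",
]


def analyse(headers: List[str]) -> dict:
    """Convenience wrapper: per-hop notes plus chain discontinuities for a list of headers."""
    hops = [parse_received(h) for h in headers]
    return {"notes": [assess_hop(h) for h in hops], "breaks": chain_breaks(hops)}


if __name__ == "__main__":
    print(analyse([THREAD_EXTRACT]))
    print(analyse(CONSTRUCTED_CONTINUOUS))
    print(analyse(CONSTRUCTED_BROKEN))
```

On the thread's extract the parser reports only the HELO/IP mismatch; with a single line there is nothing to test continuity against, which is exactly why the line in isolation cannot be called a forgery. Run over a full chain, an empty list of breaks means every hop's receiving MTA is accounted for by the hop above it, and an index in the list points at the line whose provenance the analyst should question first.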