2016-08-28-2142Z


got a spam from "myself" today. nothing is as it seems, apparently:

Delivered-To: johncomeau@gmail.com
Received: by 10.114.185.198 with SMTP id fe6csp356767ldc;
    Sun, 28 Aug 2016 14:28:39 -0700 (PDT)
X-Received: by 10.28.209.193 with SMTP id i184mr7755543wmg.35.1472419719323;
    Sun, 28 Aug 2016 14:28:39 -0700 (PDT)
Return-Path: <lztppracpfw@clearence.ford.rpgwatch.com>
Received: from canismajor.corpex-net.de ([163.172.206.148])
    by mx.google.com with ESMTP id 202si9065024wml.77.2016.08.28.14.28.39
 for <johncomeau@gmail.com>;
 Sun, 28 Aug 2016 14:28:39 -0700 (PDT)
Received-SPF: pass (google.com: domain of lztppracpfw@clearence.ford.rpgwatch.com designates 163.172.206.148 as permitted sender) client-ip=163.172.206.148;
Authentication-Results: mx.google.com;
    spf=pass (google.com: domain of lztppracpfw@clearence.ford.rpgwatch.com designates 163.172.206.148 as permitted sender) smtp.mailfrom=lztppracpfw@clearence.ford.rpgwatch.com;
    dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
Received: by mail.netbsd.org (Postfix, from userid 605)id 1B52285E9B; Sun, 28 Aug 2016 23:21:09 +0200
To: johncomeau@gmail.com
From: <johncomeau@gmail.com>
Subject: Breaking 2016 Blowout Sale
Message-Id: <25296844679886.B7Z9T2O0L@mail.netbsd.org>
Date: Sun, 28 Aug 2016 23:21:09 +0200
Content-type:text/html; charset=utf8;

aha! from netbsd.org, userid 605, right? easy! got the bastard!

not so fast... if that Received header was for real, why didn't Google get it from netbsd.org? besides, it rarely takes over 7 minutes to get mail from one server to the next. let's discard that header as forged, and look further.

lztppracpfw@clearence.ford.rpgwatch.com... is he the guy? probably not. that's just the envelope-from address, which can also be forged. however, the fact that the IP is permitted by SPF raises a red flag. let's look at the record:

jcomeau@aspire:~$ dig clearence.ford.rpgwatch.com txt

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> clearence.ford.rpgwatch.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48558
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;clearence.ford.rpgwatch.com. IN TXT

;; ANSWER SECTION:
clearence.ford.rpgwatch.com. 3599 IN CNAME johndist.bugs3.com.
johndist.bugs3.com. 14399 IN TXT "v=spf1 ip4:85.10.209.37 ip4:162.144.206.198 ip4:95.211.150.73 ip4:61.19.248.0/24 ip4:163.172.206.148 ip4:199.191.57.0/24 ip4:93.114.130.0/24 ip4:185.92.192.46 ip4:91.213.233.218 ip4:199.19.94.210 ip4:180.179.99.0/24 ip4:178.211.43.156 ip4:85.10.211.18 ip4" ":198.57.215.11 ip6:2a01:4f8:130:9147::/64 ip6:2a01:4f8:160:620c::/64 ip6:2a01:4f8:a0:11a5::/64 ip6:2a01:4f8:110:44e9::/64 ip4:69.64.49.164 ip4:88.198.82.96 -all"

;; Query time: 300 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Aug 28 14:52:07 2016
;; MSG SIZE rcvd: 503

so let's keep johndist.bugs3.com on the back burner, and keep looking.

Google got it from canismajor.corpex-net.de ([163.172.206.148]). fire off a nastygram to abuse@corpex-net.de, right? nope. that's just how the sender's machine identified itself. also spoofed.

but, the IP address can't easily be spoofed; too many routers would have to be misconfigured, and that's not likely. the Whois (whois 163.172.206.148) record shows the netblock belongs to ONLINE_NET_DEDICATED_SERVERS, headquartered in Paris, France, with an abuse address of abuse@online.net. and the reverse lookup of the IP (nslookup 163.172.206.148) gives 163-172-206-148.rev.poneytelecom.eu., which might have its own abuse address. so I whois poneytelecom.eu, and it gives me an email for the technical contact as eurid-whois@bookmtname.com, and shows the nameservers as belonging to our old friend online.net. it also shows the registrar's address is www.bookmyname.com, which indicates the tech contact's address is likely misspelled.

it wouldn't likely do much good bothering the tech contact anyway. the best address to report the spam, if I even want to bother, is abuse@online.net. the bugs3.com domain mentioned above is a dead end, since the whois record for that is through a proxy. so is rpgwatch.com, likely the same miscreant.

this was just to give a little insight into analyzing email headers. it's a tricky process! and I'm not even sure I'm right. and even if I am, the guys at online.net probably get so many bogus complaints every day from people who can't analyze the headers correctly, that I'll likely be ignored.

still, it pisses me off to have people impersonate me. that From address makes the 4th thing forged: the first Received header, the envelope-from address, the hostname of the machine that connected to gmail, and the From address.
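as an added example (my code, not anything from the original post): a python script that runs the same three checks on the headers quoted above, trimmed to the ones the checks use. it walks the Received chain newest-first, flags a hop whose "by" host doesn't match the next hop's "from" host or whose timestamp gap is suspiciously long, and shows why SPF can pass while DMARC fails. the 7-minute threshold and the two-label domain comparison are my own simplifications.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# constructed sample: the headers quoted above, cut down to the ones the checks use
RAW = """Delivered-To: johncomeau@gmail.com
Received: by 10.114.185.198 with SMTP id fe6csp356767ldc;
    Sun, 28 Aug 2016 14:28:39 -0700 (PDT)
Return-Path: <lztppracpfw@clearence.ford.rpgwatch.com>
Received: from canismajor.corpex-net.de ([163.172.206.148])
    by mx.google.com with ESMTP id 202si9065024wml.77.2016.08.28.14.28.39
 for <johncomeau@gmail.com>;
 Sun, 28 Aug 2016 14:28:39 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605)id 1B52285E9B; Sun, 28 Aug 2016 23:21:09 +0200
From: <johncomeau@gmail.com>

"""

def parse_hop(value):
    """pull from-host, bracketed IP, by-host and timestamp out of one Received header"""
    text = " ".join(value.split())              # unfold continuation lines
    frm = re.match(r"from\s+([\w.-]+)", text)   # only at the start, not "(from userid 605)"
    ip = re.search(r"\[([\d.]+)\]", text)
    by = re.search(r"\bby\s+([\w.-]+)", text)
    when = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())  # date follows the last ';'
    return {"from": frm and frm.group(1), "ip": ip and ip.group(1),
            "by": by.group(1), "date": when}

def org_domain(addr):
    """last two labels of the address's domain (simplification; real DMARC uses the public suffix list)"""
    return ".".join(parseaddr(addr)[1].rsplit("@", 1)[-1].lower().split(".")[-2:])

def analyze(raw, max_gap_min=7):
    msg = message_from_string(raw)
    hops = [parse_hop(v) for v in msg.get_all("Received")]   # newest hop first
    findings = []
    for newer, older in zip(hops, hops[1:]):
        # the older hop says it was handled "by" X, so the newer one should say it came "from" X
        if newer["from"] and newer["from"] != older["by"]:
            findings.append(f"chain break: {newer['by']} got it from {newer['from']}, not {older['by']}")
        gap = (newer["date"] - older["date"]).total_seconds() / 60
        if gap > max_gap_min:
            findings.append(f"{gap:.1f} min between {older['by']} and {newer['by']}")
    # SPF passed for the envelope domain, but DMARC wants it to line up with the header From domain
    aligned = org_domain(msg["Return-Path"]) == org_domain(msg["From"])
    return {"hops": hops, "findings": findings, "dmarc_aligned": aligned,
            # the IP your own MX recorded is the one thing in the chain that is hard to fake
            "connecting_ip": next(h["ip"] for h in hops if h["ip"])}
```

run `analyze(RAW)` and the findings list names the netbsd.org hop as the broken link, with a 7.5 minute gap, while dmarc_aligned comes back False and connecting_ip is 163.172.206.148.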


last updated 2016-08-28 18:27:39. served from tektonic.jcomeau.com