[Owasp-Malaysia] Email Scam In Malay
Ang Chin Han
ang.chin.han at gmail.com
Fri Oct 8 03:17:33 EDT 2010
On Fri, Oct 8, 2010 at 2:48 PM, Harisfazillah Jamel
<linuxmalaysia at gmail.com> wrote:
> Anyone have any idea if the email address has also been spoofed? Any tools
> that can do this? From the header I did find it valid.
> 126.96.36.199 -> Address for Yahoo. Yes, it's to my Yahoo account.
> 188.8.131.52 -> Coming from Microsoft Network
> This email may originate from an email client at IP 184.108.40.206 -> SMTP
> sent through MSN network.
> Any comment?
Email admins should have known about Sender Policy Framework:
yahoo.com doesn't use it, though.
Say, foo at hotmail.com
$ dig txt hotmail.com
hotmail.com. 3600 IN TXT "v=spf1 include:spf-a.hotmail.com
$ dig spf-a.hotmail.com spf-b.hotmail.com spf-c.hotmail.com | grep spf1
spf-a.hotmail.com. 3544 IN TXT "v=spf1 ip4:220.127.116.11/19
ip4:18.104.22.168/14 ip4:22.214.171.124/16 ip4:126.96.36.199/15
ip4:188.8.131.52/14 ip4:184.108.40.206/16 ip4:220.127.116.11/16
ip4:18.104.22.168/24 ip4:22.214.171.124/24 ip4:126.96.36.199/24
ip4:188.8.131.52/16 ip4:184.108.40.206/24 ~all"
spf-b.hotmail.com. 3565 IN TXT "v=spf1 ip4:220.127.116.11/23
ip4:18.104.22.168/24 ip4:22.214.171.124/23 ip4:126.96.36.199/21
ip4:188.8.131.52/18 ip4:184.108.40.206/17 ip4:220.127.116.11/18
ip4:18.104.22.168/20 ip4:22.214.171.124/23 ip4:126.96.36.199/23
spf-c.hotmail.com. 3593 IN TXT "v=spf1 ip4:188.8.131.52/23
ip4:184.108.40.206/23 ip4:220.127.116.11/22 ip4:18.104.22.168/22
ip4:22.214.171.124/22 ip4:126.96.36.199/22 ip4:188.8.131.52/24
ip4:184.108.40.206/22 ip4:220.127.116.11/22 ip4:18.104.22.168/24
And those should be the IP block ranges where foo at hotmail.com should
be coming in from.
Caveat lector: it's the first time I'm actually looking these up.
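
The check a receiving mail server makes with records like the ones above, as an added example that is not part of the original post. The domains and address ranges are constructed (documentation ranges, not Hotmail's data), and only the ip4, include and all mechanisms are handled:

```python
import ipaddress

# Constructed TXT records, keyed by domain so the example runs offline
# instead of querying DNS. None models a domain that publishes no SPF.
SAMPLE_TXT = {
    "example.org": "v=spf1 include:spf-a.example.org include:spf-b.example.org ~all",
    "spf-a.example.org": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 ~all",
    "spf-b.example.org": "v=spf1 ip4:203.0.113.16/28 -all",
    "nospf.example.net": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, records=SAMPLE_TXT, depth=0):
    """Evaluate client_ip against domain's SPF policy (ip4, include, all only)."""
    if depth > 10:                       # guard against include loops
        return "permerror"
    txt = records.get(domain)
    if not txt or not txt.startswith("v=spf1"):
        return "none"                    # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in txt.split()[1:]:         # skip the "v=spf1" version tag
        qualifier = "+"                  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return result
        elif term.startswith("include:"):
            # An include matches only when the nested policy returns "pass";
            # the nested record's own ~all / -all does not propagate upward.
            # Simplification: other nested results are treated as "no match".
            if check_spf(client_ip, term[8:], records, depth + 1) == "pass":
                return result
        elif term == "all":
            return result
    return "neutral"                     # no mechanism matched


if __name__ == "__main__":
    for ip in ("192.0.2.55", "203.0.113.20", "198.51.100.200"):
        print(ip, check_spf(ip, "example.org"))
```

A softfail from ~all marks the message as suspicious without rejecting it, and a domain with no record gives the receiver nothing to check the sending IP against.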