[Owasp-Malaysia] Email Scam In Malay

Ang Chin Han ang.chin.han at gmail.com
Fri Oct 8 03:17:33 EDT 2010


On Fri, Oct 8, 2010 at 2:48 PM, Harisfazillah Jamel
<linuxmalaysia at gmail.com> wrote:
> Anyone any idea. If the email address also been spoof? Any tools can
> do this. From the header I do found it valid.
>
> 98.138.83.126 -> Address for Yahoo.. Yes, it's to my Yahoo account.
>
> 65.55.90.146 -> Coming from Microsoft Network
>
> http://www.ip-adress.com/ip_tracer/65.55.90.146
>
> This email may originate from email client from IP 120.140.22.218 -> SMTP
> send through MSN network.
>
> Any comment?

:(

Email admins should have known about Sender Policy Framework:
http://en.wikipedia.org/wiki/Sender_Policy_Framework
yahoo.com doesn't use it, though.

Say, foo at hotmail.com

$ dig txt hotmail.com

hotmail.com.		3600	IN	TXT	"v=spf1 include:spf-a.hotmail.com
include:spf-b.hotmail.com include:spf-c.hotmail.com
include:spf-d.hotmail.com ~all"

$ dig spf-a.hotmail.com spf-b.hotmail.com spf-c.hotmail.com | grep spf1

spf-a.hotmail.com.	3544	IN	TXT	"v=spf1 ip4:209.240.192.0/19
ip4:65.52.0.0/14 ip4:131.107.0.0/16 ip4:157.54.0.0/15
ip4:157.56.0.0/14 ip4:157.60.0.0/16 ip4:167.220.0.0/16
ip4:204.79.135.0/24 ip4:204.79.188.0/24 ip4:204.79.252.0/24
ip4:207.46.0.0/16 ip4:199.2.137.0/24 ~all"
spf-b.hotmail.com.	3565	IN	TXT	"v=spf1 ip4:199.103.90.0/23
ip4:204.182.144.0/24 ip4:204.255.244.0/23 ip4:206.138.168.0/21
ip4:64.4.0.0/18 ip4:65.54.128.0/17 ip4:207.68.128.0/18
ip4:207.68.192.0/20 ip4:207.82.250.0/23 ip4:207.82.252.0/23
ip4:209.1.112.0/23 ~all"
spf-c.hotmail.com.	3593	IN	TXT	"v=spf1 ip4:209.185.128.0/23
ip4:209.185.130.0/23 ip4:209.185.240.0/22 ip4:216.32.180.0/22
ip4:216.32.240.0/22 ip4:216.33.148.0/22 ip4:216.33.151.0/24
ip4:216.33.236.0/22 ip4:216.33.240.0/22 ip4:216.200.206.0/24
ip4:204.95.96.0/20 ~all"

And those should be the IP block ranges where foo at hotmail.com should
be coming in from.

Caveat lector: it's the first time I'm actually looking these up.

