[Asrg] Replay attack
Chris Lewis
clewis at nortel.com
Tue Jan 13 17:46:39 PST 2009
Franck Martin wrote:
> Hi all,
>
> I received an error report that an email could not be delivered to
> abuse at genocide.ru. The email that was tried to be sent is below.
>
> What is interesting, the email seems to be genuine enough, with a DKIM
> and DomainKey signature.
>
> 1) Does anyone know where on the web I could paste this email and verify
> the DKIM? A kind of web form.
It won't verify, because it's signing the To; I have a copy with a
different To, with the same signature.
There's at least one BOT going around inserting fixed DKIM signatures.
> Return-path: <abuse at genius.com>
> Received: from broadband-77-37-184-167.nationalcablenetworks.ru ([77.37.184.167] helo=list.mediresource.com)
> by direct.va.ru with smtp (Exim 4.53)
> id 1LMsMZ-0003zp-62
> for abuse at genocide.ru; Wed, 14 Jan 2009 02:07:59 +0300
It came from the above IP. The rest is fakery. I have quite a number
of these with radically different peer addresses.
Eg:
Received: from dsl15-117.express.oricom.ca (HELO list.mediresource.com) (64.18.184.117)
 by ertps004.nortel.com (qpsmtpd/0.43rc1) with SMTP; Tue, 13 Jan 2009 20:41:01 -0500
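
A defender-side check for the pattern described in this message (one fixed DKIM signature appearing on copies with different To headers), as an added example that is not part of the original post. The function names and sample messages are constructed for illustration; the digest is a simplified comparison of the headers named in `h=` and does not perform DKIM verification.

```python
import hashlib
import re
from collections import defaultdict
from email import message_from_string

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (whitespace removed)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def signed_header_digest(msg, tags):
    """SHA-256 over the headers listed in h=, roughly in relaxed canonical form.
    Stand-in for comparing signed input only; it does not verify the signature."""
    digest = hashlib.sha256()
    for name in tags.get("h", "").lower().split(":"):
        values = msg.get_all(name) or [""]  # absent header counts as empty
        value = re.sub(r"\s+", " ", values[-1]).strip()
        digest.update(f"{name}:{value}\r\n".encode())
    return digest.hexdigest()

def find_reused_signatures(raw_messages):
    """Return b= values seen over more than one distinct set of signed headers."""
    seen = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        for sig in msg.get_all("DKIM-Signature") or []:
            tags = parse_tags(sig)
            if "b" in tags:
                seen[tags["b"]].add(signed_header_digest(msg, tags))
    return sorted(b for b, digests in seen.items() if len(digests) > 1)

# Constructed sample: one signature block pasted onto two different To lines.
SIG = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\n"
       " h=from:to:subject; bh=Y29uc3RydWN0ZWQ=; b=Q09OU1RSVUNURURTSUc=\n")

def sample(to):
    return f"{SIG}From: sender@example.com\nTo: {to}\nSubject: hello\n\nbody\n"

COPIES = [sample("abuse@example.net"), sample("abuse@example.org")]

if __name__ == "__main__":
    print(find_reused_signatures(COPIES))
```

A `b=` value returned here cannot be valid on every copy it was found on, since the signature covers the To header and the To header differs between copies.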