https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6577
Tom S <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #9 from Tom S <[email protected]> 2011-04-26 20:28:43 EDT ---

Actually, I provided this sample to Jeff. I don't use SA so I can't comment upon detection, but it was the first time I saw IPv6 being used to obfuscate an IPv4 address from an active spam out in the wild, and I wanted to make sure that everyone, including our friends at SA, had a copy of the sample.

As for the question, I was on the receiving side so I can't be sure, but it looks like a user's account at mail.xxxxxxx.com (a foreign mailserver that has been informed of this situation) had its password sniffed and that 82.128.107.32 was using the hijacked user/password to access the mailserver using AUTH: LOGIN [email protected], TLS: TLSv1/SSLv3,256bits,AES256-SHA to send 419 spam.

The reason to identify this is that IPv6 blacklists are not available and will not be unless we all agree to list /64's, and the IPv4 IP would have been detected in current IPv4 lists.

Since SA appears to detect the IPv4 encapsulated in IPv6 per the thread above, I would have to say that the case is closed. However, one might question the logic to completely exonerate a header when hijacking user logins is so pervasive.

Tom
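An added example, not part of the original comment and not SpamAssassin's own code: one way a filter can recover an IPv4 address carried inside an IPv6 literal in a Received header so that existing IPv4 DNSBLs can still be queried. It assumes the IPv4-mapped form (`::ffff:a.b.c.d`), which the comment does not spell out, and goes slightly further by also handling 6to4; the sample header, the function names and the zone `dnsbl.example` are constructed for illustration.

```python
import ipaddress
import re

# Candidate IP literals in a Received header: bracketed or parenthesised
# runs of hex digits, dots and colons, optionally prefixed with "IPv6:".
_IP_TOKEN = re.compile(r"[\[(](?:IPv6:)?([0-9A-Fa-f:.]{3,45})[\])]")

# Constructed sample header (documentation address ranges only).
SAMPLE = ("from client.example ([IPv6:::ffff:192.0.2.32]) "
          "by mail.example.com ([2001:db8::1]) with ESMTPSA "
          "(TLSv1/SSLv3,256bits,AES256-SHA)")


def embedded_ipv4(addr):
    """Return the IPv4 address carried by addr, or None if there is none."""
    if addr.version == 4:
        return addr
    if addr.ipv4_mapped is not None:   # ::ffff:a.b.c.d
        return addr.ipv4_mapped
    if addr.sixtofour is not None:     # 2002:AABB:CCDD::/48
        return addr.sixtofour
    return None                        # native IPv6: no IPv4 list applies


def relay_ips(received):
    """Return [(literal, IPv4Address or None)] for each IP literal found."""
    found = []
    for token in _IP_TOKEN.findall(received):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue                   # looked like an address but is not one
        found.append((token, embedded_ipv4(addr)))
    return found


def dnsbl_name(ipv4, zone):
    """Build the DNSBL query name: reversed octets followed by the zone."""
    return ".".join(reversed(str(ipv4).split("."))) + "." + zone


if __name__ == "__main__":
    for literal, v4 in relay_ips(SAMPLE):
        query = dnsbl_name(v4, "dnsbl.example") if v4 else "no IPv4 lookup"
        print(f"{literal:24} -> {query}")
```

The native IPv6 relay in the sample yields no IPv4 address, which is the gap the comment describes: without IPv6 listings, such a hop cannot be checked against current blacklists.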
