From: "Loren Wilton" <[EMAIL PROTECTED]>
> > I just grabbed the new 70_sare_header.cf and have gotten a couple of ham
> > emails that are triggering the SARE_RECV_SUSP_3 rule -- which is "Dotted
> > quad hostname doesn't match HELO dotted quad." However, I'm not sure why
> > that is.
> > Does it apply only to the HELO to MY server? Or does it check previous
> > servers also? Here are the headers:
> >
> > Received: from portalmail.gmhwh.org (portalmail.gmhwh.org [12.110.19.29]
> > (may be forged)) by frobozz.dcg.com (8.12.11/8.12.11) with ESMTP id
> > i5FKQ52F022626 for <[EMAIL PROTECTED]>; Tue, 15 Jun 2004 16:26:06 -0400
> > Date: Tue, 15 Jun 2004 16:26:05 -0400
> > Message-ID: <[EMAIL PROTECTED]>
> > Received: from 192.168.20.11 ([192.168.20.203]) by portalmail.gmhwh.org;
> > Tue, 15 Jun 2004 14:25:39 -0600
>
> The magic in the description of that rule is "dotted quad doesn't match
> dotted quad".
> The rule scans all received headers (all simple regex rules in SA on
> Received will do this).
> So all that is known is *some* received header had a forged host id. In
> your case it is the second header:
>
> > Received: from 192.168.20.11 ([192.168.20.203]) by portalmail.gmhwh.org;
> > Tue,
>
> Note that a host claiming to be 192.168.20.11 actually HELOed as
> 192.168.20.203.
>
> This is a pretty common spam sign, so it gets a point or two; I don't
> recall the actual score.
> Note that I think both of those addresses are private address space, so
> I'm a little surprised that either of them would show up as a valid dotted
> quad in a valid address you should see in a header.
I'm not sure why someone on a private non-routed IP network would route
the email through a "Received: from" that was masqueraded. It might be
that someone on the network is trying to hide the fact that he is sending
the spam. It might be a set of aliased addresses on the same machine. The
addresses do SEEM to be on the same subnet modulo what the actual broadcast
mask setting is. If they are on different subnets the machine might have
two IP addresses quite legitimately, one it listens to internally and one
it listens to externally.
What is interesting is that the mail even reached your "portalmail"
machine. Is 192.168.20.x your internal network? If not it is de facto
forged and something is seriously misconfigured for it to get to you.
Are both addresses on the same machine as either an alias on one NIC or
as two NICs? If not the user of the 203 machine might be trying to get
the owner of the 11 machine in trouble or simply trying to hide the fact
that he was the origin.
{^_^}
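As an added illustration of the check the rule description refers to (this is not code from SARE or SpamAssassin), the Python below scans every Received header, as the reply notes SpamAssassin's simple Received rules do, and reports a dotted-quad HELO name that differs from the connecting address in brackets, also noting whether each address is private space. The sample headers are constructed from the ones quoted above with a placeholder recipient; the header regex is my own assumption about sendmail-style formatting.

```python
import re
from ipaddress import ip_address

# Constructed sample headers, modelled on those quoted in the thread;
# the recipient address is a placeholder.
SAMPLE_HEADERS = [
    "Received: from portalmail.gmhwh.org (portalmail.gmhwh.org [12.110.19.29] "
    "(may be forged)) by frobozz.dcg.com (8.12.11/8.12.11) with ESMTP id "
    "i5FKQ52F022626 for <user@example.invalid>; Tue, 15 Jun 2004 16:26:06 -0400",
    "Received: from 192.168.20.11 ([192.168.20.203]) by portalmail.gmhwh.org; "
    "Tue, 15 Jun 2004 14:25:39 -0600",
    # Consistent case: the HELO dotted quad equals the connecting address.
    "Received: from 10.1.2.3 ([10.1.2.3]) by mx.example.invalid; "
    "Tue, 15 Jun 2004 14:20:00 -0600",
]

# Assumed layout: "from <helo-name> (<optional rdns name> [<peer-ip>]" as
# sendmail-style MTAs write it.
RECV_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[?"
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3})"
)
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _private(addr):
    """True/False for RFC 1918 style space; None if the quad is not a valid IP."""
    try:
        return ip_address(addr).is_private
    except ValueError:  # e.g. an octet above 255
        return None


def check_received(header):
    """Return a finding for one Received header whose dotted-quad HELO name
    differs from the bracketed peer address, or None when it is clean or the
    HELO name is not a dotted quad at all."""
    m = RECV_RE.match(header)
    if not m:
        return None
    helo, peer = m.group("helo"), m.group("peer")
    if not DOTTED_QUAD.match(helo) or helo == peer:
        return None
    return {"helo": helo, "peer": peer,
            "helo_private": _private(helo), "peer_private": _private(peer)}


def scan_headers(headers):
    """Apply the check to every Received header, as SpamAssassin does, and
    return (index, finding) pairs for the ones that fired."""
    return [(i, f) for i, h in enumerate(headers)
            if (f := check_received(h)) is not None]
```

Running `scan_headers(SAMPLE_HEADERS)` flags only the second header, the one the reply points at, and marks both of its addresses as private space.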