Mark Martinec wrote on 2015-04-22 02:17:
... although there's a funny twist there. Some of these illegal
IP addresses are not really a claimed-to-be IP address of a mailer,
but come from an embedded e-mail address in a comment:
Received: from unknown (HELO localhost)
(jennifer_pr...@sbcglobal.net@236.192.200.84)
by mm-36-150-122-178.brest.dynamic.pppoe.byfly.by with ESMTPA;
Tue, 21 Apr 2015 23:55:53 +0300
http://rbls.org/236.139.213.194
http://rbls.org/mm-36-150-122-178.brest.dynamic.pppoe.byfly.by
Received: from unknown (HELO localhost)
(bsobolew...@stockton-house.com@236.139.213.194)
by 76.172.150.91 with ESMTPA; Tue, 21 Apr 2015 11:41:10 -0800
http://rbls.org/76.172.150.91
still possible to do smtp auth from this, all well
so by a lucky coincidence a misparsed Received ends up
yielding a useful-but-wrong result.
plain text auth over pppoe with pbl listed ip ?
why is it not using ESMTPSA, silly :=)
users trust their pppoe to be tcpdump safe, hmm
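
An added example, not code from either poster or from SpamAssassin: it parses a qmail-style Received header like those quoted above, splits the `(ident@ip)` comment on the last `@`, and flags a multicast or reserved IP and authentication recorded as ESMTPA rather than ESMTPSA. The sample header is constructed (placeholder mailbox and "by" host, IP taken from the thread), and the function name and finding labels are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the headers quoted in the thread;
# the mailbox and the "by" host are placeholders, the IP is from the thread.
SAMPLE = (
    "Received: from unknown (HELO localhost)\n"
    " (user@example.com@236.192.200.84)\n"
    " by mail.example.net with ESMTPA;\n"
    " Tue, 21 Apr 2015 23:55:53 +0300"
)

# "(ident@ip)" comment: the ident may itself contain '@', so the regex
# backtracks until the text after the last '@' is a dotted quad.
IDENT_RE = re.compile(r"\(([^()\s]+)@(\d{1,3}(?:\.\d{1,3}){3})\)")
WITH_RE = re.compile(r"\bwith\s+([A-Za-z]+)")


def analyse_received(header):
    """Return ident, IP, protocol keyword and findings for one Received header."""
    text = " ".join(header.split())  # unfold continuation lines
    findings = []
    ident = ip = None
    m = IDENT_RE.search(text)
    if m:
        ident, raw_ip = m.group(1), m.group(2)
        try:
            ip = ipaddress.IPv4Address(raw_ip)
        except ipaddress.AddressValueError:
            findings.append("malformed-ip")
        else:
            # 224.0.0.0/4 (multicast) and 240.0.0.0/4 (reserved) are not
            # valid SMTP client addresses.
            if ip.is_multicast or ip.is_reserved:
                findings.append("illegal-client-ip")
        if "@" in ident:
            findings.append("ident-is-mail-address")
    w = WITH_RE.search(text)
    proto = w.group(1).upper() if w else None
    # RFC 3848: ESMTPA = AUTH only, ESMTPSA = AUTH over STARTTLS.
    if proto == "ESMTPA":
        findings.append("auth-without-tls")
    return {"ident": ident, "ip": str(ip) if ip else None,
            "with": proto, "findings": findings}


if __name__ == "__main__":
    print(analyse_received(SAMPLE))
```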