[mailop] With all the talk about bots.. Just sharing today's pattern..

Wed, 02 Nov 2016 12:41:16 -0700

While most of this is originating from the IoT, this latest has an interesting pattern.. And it is coming from all the DUL (well dynamic and static broadback access points) so most of it is of course in the spam folders already. 

However, it is quite a large usage of the botnet so thought I would share..
Of course, it might be different tomorrow..

Return-Path: <woodward5...@sc.atlanticbb.net>

* All the MAIL FROM are from [a-z]+[0-9]{3,6}@<base name of isp>
Received: from 72-28-165-077-static.aik.sc.atlanticbb.net (HELO 72-28-165-077-static.aik.sc.atlanticbb.net) (72.28.165.77) Received: from Pickup by server.mail.sc.atlanticbb.net with Microsoft SMTP Server id 15.0.6017.3; Wed, 02 Nov 2016 10:34:20 -0400 

* All with two headers.. second being 'Pickup'
* All coming from Windows OS

From: "Margaret Woodward" <woodward5...@sc.atlanticbb.net>
To: "name" <n...@domain.com>
Message-ID: <-834501632.0788999.3870775544676.JavaMail.wasadmin@local>
Subject: Transactions
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_Part_5683153_4166401428.3525678117443"

* Headers all look standardized

Return-Path: woodward5...@sc.atlanticbb.net
Date: Wed, 02 Nov 2016 10:34:20 -0400

* Duplicate Return-Path generated by Bot?

X-KSE-AttachmentFiltering-Interceptor-Info: protection disabled
X-KSE-ServerInfo: server.mail.sc.atlanticbb.net, 9
X-KSE-Antivirus-Interceptor-Info: scan successful
X-KSE-Antivirus-Info: Clean, bases: 11/02/2016 1:34:00 AM
X-KSE-AttachmentFiltering-Interceptor-Info: protection disabled
X-KSE-ServerInfo: server.mail.sc.atlanticbb.net, 9
X-KSE-AntiSpam-Interceptor-Info: white sender email list
X-KSE-AttachmentFiltering-Interceptor-Info: protection disabled

* All of them have the same Karpersky Style headers..
* All of them have 'white sender email list'
* All of them have 'protection disabled'

I leave it up to the reader to discern whether the headers are forged, or 
taking advantage of the these headers..



_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Reply via email to