
[Asrg] Replay attack

2009-01-13 20:05:40
Hi all, 

I received an error report that an email could not be delivered to 
abuse(_at_)genocide(_dot_)ru. The email that someone tried to send is 
below. 

What is interesting is that the email seems genuine enough, with a DKIM and 
DomainKey signature. 

1) Does anyone know where on the web I could paste this email and verify the 
DKIM? A kind of web form. 
2) The return-path has been forged, and it seems to me they proceeded this way: 
generate a legitimate DKIM-signed email on a legitimate MTA, strip a few headers 
and mass-mail directly to everyone? RCPT TO does not have to match the To in 
the header. What gives me a hint is that the Received headers do not follow 
each other. Any tips or info to prevent such problems? Or, by doing only a DKIM 
verification, would this tell me this message is forged? 

Here are only the headers of the email I received in an NDR. 
------------------------------- 
Return-path: <abuse(_at_)genius(_dot_)com> 
Received: from broadband-77-37-184-167.nationalcablenetworks.ru 
([77.37.184.167] helo=list.mediresource.com) 
by direct.va.ru with smtp (Exim 4.53) 
id 1LMsMZ-0003zp-62 
for abuse(_at_)genocide(_dot_)ru; Wed, 14 Jan 2009 02:07:59 +0300 
DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws; 
s=v1; d=rodale.delivery.net; 
h=DKIM-Signature:Received:Date:From:Reply-to:To:Message-ID:Subject:Errors-to:MIME-Version:Content-Type:X-eid:X-pid;
b=KxLNSrM9OzjsF/CMM45qFlc0DKKuizMQ2qWRehZCpFy02QKiFV77rJnRdPOL05om 
cV0wWuLpX1/TssBxGG61McgmU7b5wRtM3XUlZ0ox33uNNiFkl58VgHIIVXNDDwjc 
SltQL4r5m5CFxLxC5ifJyVJYw2s12bMZc62AVktX7V4= 
DKIM-Signature: v=1; a=rsa-sha1; d=rodale.delivery.net; s=v1; c=simple/simple; 
q=dns/txt; i=(_at_)rodale(_dot_)delivery(_dot_)net; t=1231488648; 
h=From; 
bh=F6VyhuMIBItRiT4Rd3AjarPIreY=; 
b=jU/ncyJ4g53pvr2on0cSjHW0pxtZqApuauJuTV9XlPVJXFY2vvS4zzs5eiJqpZ2i 
j56GjtfxU1pWScXrwstgIwm1vb4SxvpN2qhf4uMxeGpsZM3Z5lD9j9GuEMAUME+R 
oiXm9l4kbSw2zIJ7NP65e9dErI20MZRscu6F6u20dx8=; 
Received: from [192.168.138.141] ([192.168.138.141:53703] helo=fc14a2.dc1.prod) 
by oms2.dc1.prod (envelope-from 
<MensHealth(_at_)rodale(_dot_)delivery(_dot_)net>) 
(ecelerity 2.2.2.36 r(26875/27517M)) with ESMTP 
id EF/26-77607-64778138; Wed, 14 Jan 2009 02:05:15 +0300 
From: Men's Health <MensHealth(_at_)rodale(_dot_)delivery(_dot_)net> 
Reply-to: MensHealth(_at_)rodale(_dot_)delivery(_dot_)net 
To: abuse(_at_)genocide(_dot_)ru 
Message-ID: 
<20090114050515(_dot_)6743(_dot_)qmail(_at_)list(_dot_)mediresource(_dot_)com> 
Subject: RE: Bigger snake for few days n few bucks 
Errors-to: MensHealth(_at_)rodale(_dot_)delivery(_dot_)net 
MIME-Version: 1.0 
Content-Type: text/html; charset=UTF-8 
Content-Transfer-Encoding: 7bit 
X-eid: 2.5.3K5.2hv.12hk7c.CdQNXI..N..1TKO.CTbQEQf0 
X-pid: 962 

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
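An added example, not part of the original post or any list member's code: a small Python check for the replay indicators visible in these headers. The sample input is constructed from the posted headers with the (_at_)/(_dot_) obfuscation undone and the b= value shortened, which does not affect the checks. A DKIM signature that verifies only proves the signer signed the listed headers and the body; when h= lists only From, there is no x= expiry, and t= is days older than the outermost Received date, the message may be a legitimately signed copy replayed to new recipients with a fresh Subject.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample from the posted NDR headers (addresses de-obfuscated, b= shortened).
SAMPLE_HEADERS = """\
Received: from broadband-77-37-184-167.nationalcablenetworks.ru
 ([77.37.184.167] helo=list.mediresource.com)
 by direct.va.ru with smtp (Exim 4.53)
 id 1LMsMZ-0003zp-62
 for abuse@genocide.ru; Wed, 14 Jan 2009 02:07:59 +0300
DKIM-Signature: v=1; a=rsa-sha1; d=rodale.delivery.net; s=v1; c=simple/simple;
 q=dns/txt; i=@rodale.delivery.net; t=1231488648;
 h=From;
 bh=F6VyhuMIBItRiT4Rd3AjarPIreY=;
 b=jU/ncyJ4g53pvr2on0cSjHW0pxtZqApuauJuTV9XlPVJXFY2vvS4zzs5eiJqpZ2i
Subject: RE: Bigger snake for few days n few bucks
"""
# Headers a replayer can rewrite at will when the signer leaves them unsigned.
RECOMMENDED = ("from", "to", "subject", "date", "message-id")

def unfold(raw):
    """Join folded continuation lines so each header is one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def dkim_tags(raw):
    """Return the tag=value pairs of the first DKIM-Signature header as a dict."""
    m = re.search(r"^DKIM-Signature:\s*(.*)$", unfold(raw), re.M | re.I)
    if not m:
        return {}
    return {k.strip().lower(): v.strip() for k, v in
            (t.split("=", 1) for t in m.group(1).split(";") if "=" in t)}

def first_received_time(raw):
    """Timestamp of the outermost Received header (the last hop before us)."""
    m = re.search(r"^Received:.*;\s*(.+)$", unfold(raw), re.M | re.I)
    return parsedate_to_datetime(m.group(1).strip()) if m else None

def replay_indicators(raw):
    """Signs that a signature which verifies may still belong to a replayed copy."""
    tags = dkim_tags(raw)
    signed = {h.strip().lower() for h in tags.get("h", "").split(":") if h}
    flags = {"unsigned_headers": sorted(set(RECOMMENDED) - signed),
             "no_expiry": "x" not in tags}  # no x= means the signature never expires
    rcvd = first_received_time(raw)
    if rcvd and "t" in tags:
        signed_at = datetime.fromtimestamp(int(tags["t"]), tz=timezone.utc)
        flags["age_hours"] = round((rcvd - signed_at).total_seconds() / 3600, 1)
    return flags
```

On the posted headers this reports Subject, To, Date and Message-ID as unsigned, no expiry, and a signature about 111 hours older than the delivery attempt; a cryptographic verify alone would have said nothing about any of that.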