Sunday, January 22, 2012

Investigation of Japanese mobile spam mail (Part 2): spam SPF bypass & bypass of the domain AUTH check


This report is a continuation of the earlier investigation report on spam delivered via mobile phones.

The goals of this investigation are as follows↓
1. Explain how the spam's sender information is registered in SPF, network by network (with evidence/PoC)
2. Explain why the domain AUTH filter is slipped through (with evidence/PoC)
↑Based on the understanding above, I hope the spam-filter mechanisms of Japanese mobile providers can be raised another level.

Below is the information on the two spam samples investigated↓

■Screenshot of the phone's screen↓

This is how the sample looks when viewed on a PC↓


The mail source is as follows↓

↑The samples above are spam aimed at the same phone; both the content and the sender are the same. This investigation was carried out on these samples.
I am not good at writing reports in Japanese, so please forgive the various mistakes.
Now, the key points of the findings are as follows↓

■Source (IP) information↓
Received: from r101-imp002-01.mail-b.net (unknown [180.222.53.241])
Received: from tl-x222.mail-b.net (unknown [180.222.39.116])

■SMTP envelope-from information↓
rainbow+err11133@imp101.mag-r.net
rainbow+err11245@imp101.mag-r.net

So this time the mail is related to the domain "imp101.mag-r.net". Looking up this domain's Internet information↓

■Domain registration information↓
Domain Name: MAG-R.NET
Registrar: GMO INTERNET, INC. DBA ONAMAE.COM
Whois Server: whois.discount-domain.com
Referral URL: http://www.onamae.com
Name Server: NS1.DNS.NE.JP
Name Server: NS2.DNS.NE.JP
Status: ok
Updated Date: 07-jun-2011
Creation Date: 10-mar-2010
Expiration Date: 10-mar-2012

Domain Handle: None
Domain Name: mag-r.net
Created On: 2010-03-10 10:49:15.0
Last Updated On: 2011-06-07 18:21:23.0
Expiration Date: 2012-03-10 10:49:15.0
Status: ACTIVE
Registrant Name: Redspeed Networks Co.,Ltd.
Registrant Organization: Redspeed Networks Co.,Ltd.
Registrant Street1: 1-21-5 ebisunishi
Registrant City: Shibuya-ku
Registrant State: Tokyo
Registrant Postal Code: 150-0002
Registrant Country: JP
Registrant Phone: 03-5456-7600
Registrant Email: info@red-speed.net
Admin Name: Redspeed Networks Co.,Ltd.
Admin Organization: Redspeed Networks Co.,Ltd.
Admin Street1: 1-21-5 ebisunishi
Admin Street2:
Admin City: Shibuya-ku
Admin State: Tokyo
Admin Postal Code: 150-0002
Admin Country: JP
Admin Phone: 03-5456-7600
Admin Fax:
Admin Email: info@red-speed.net
Billing Name: Redspeed Networks Co.,Ltd.
Billing Organization: Redspeed Networks Co.,Ltd.
Billing Street1: 1-21-5 ebisunishi
Billing Street2:
Billing City: Shibuya-ku
Billing State: Tokyo
Billing Postal Code: 150-0002
Billing Country: JP
Billing Phone: 03-5456-7600
Billing Fax:
Billing Email: info@red-speed.net
Tech Name: GMO Internet, Inc.
Tech Organization: GMO Internet, Inc.
Tech Street1: 26-1 Sakuragaoka
Tech Street2: Cerulean Tower
Tech City: Shibuya-ku
Tech State: Tokyo
Tech Postal Code: 150-8512
Tech Country: JP
Tech Phone: 03-3464-8727
Tech Email: admin@onamae.com
Name Server: ns1.dns.ne.jp
Name Server: ns2.dns.ne.jp

■Checking the state of the DNS record registration on the Internet↓
Points to note↓
no answer from ns1.dns.ne.jp (210.188.224.9) ←this is concerning
no answer from ns2.dns.ne.jp (210.224.172.13) ←this is concerning
↑Sending requests to this domain's DNS servers produced errors. A plain NSLOOKUP returned answers correctly, so let's ignore the errors above.

■Internet routing information↓

↑The records behind the graph above↓

↑All AS routing results go via AS9371, AS9370 and AS9371; it appears to be housed at an IDC in Osaka.

Continuing…

■IP information of the spam source↓
IP:           180.222.53.241
inetnum:      180.222.32.0 - 180.222.63.255
netname:      REDSPEED
descr:        Redspeed Networks Co., Ltd.
descr:        3-17-2,Shibuya,Shibuya-ku,Tokyo 150-0002,Japan
country:      JP
admin-c:        JNIC1-AP
tech-c:         JNIC1-AP
status:         ALLOCATED PORTABLE
remarks:        Email address for spam or abuse complaints : netadmin@red-speed.net
mnt-irt:        IRT-JPNIC-JP
mnt-by:         MAINT-JPNIC
mnt-lower:      MAINT-JPNIC
changed:        hm-changed@apnic.net 20110222
changed:        ip-apnic@nic.ad.jp 20110222
changed:        ip-apnic@nic.ad.jp 20110302
source:         APNIC
admin-c:        MK19848JP
tech-c:         MK19848JP
changed:        apnic-ftp@nic.ad.jp 20110301
changed:        apnic-ftp@nic.ad.jp 20110302
source:         JPNIC

IP:           180.222.39.116 
inetnum:      180.222.32.0 - 180.222.63.255
netname:      REDSPEED
descr:        Redspeed Networks Co., Ltd.
descr:        3-17-2,Shibuya,Shibuya-ku,Tokyo 150-0002,Japan
country:      JP
admin-c:        JNIC1-AP
tech-c:         JNIC1-AP
status:         ALLOCATED PORTABLE
remarks:        Email address for spam or abuse complaints : netadmin@red-speed.net
mnt-irt:        IRT-JPNIC-JP
mnt-by:         MAINT-JPNIC
mnt-lower:      MAINT-JPNIC
changed:        hm-changed@apnic.net 20110222
changed:        ip-apnic@nic.ad.jp 20110222
changed:        ip-apnic@nic.ad.jp 20110302
source:         APNIC
↑With this we confirmed that the domain registration and the IP registration information are the same ⇒ "REDSPEED/Redspeed Networks Co., Ltd."

■Checking the spam source IP information turned up the domain "mail-b.net"↓
r101-imp002-01.mail-b.net. 3600 IN      A       180.222.53.41

Looking more closely↓
■Internet routing information↓


■ASN/IDC location information↓

↑All AS routing results go via AS9371, AS9370 and AS9371, so this really does look like the same group's network.

■Domain registration information↓
Domain Handle: None
Domain Name: mail-b.net
Created On: 2010-03-10 10:49:12.0
Last Updated On: 2011-06-22 11:30:16.0
Expiration Date: 2012-03-10 10:49:12.0
Status: ACTIVE
Registrant Name: Redspeed Networks Co.,Ltd.
Registrant Organization: Redspeed Networks Co.,Ltd.
Registrant Street1: 1-21-5 ebisunishi
Registrant Street2:
Registrant City: Shibuya-ku
Registrant State: Tokyo
Registrant Postal Code: 150-0002
Registrant Country: JP
Registrant Phone: 03-5456-7600
Registrant Fax:
Registrant Email: info@red-speed.net 
↑Up to this point there is almost certainly a relationship between this spam and "Redspeed Networks Co.,Ltd".
Or at least, the people who sent the spam are believed to have sent it from Redspeed Networks Co.,Ltd's network.
Their homepage is here⇒ http://www.red-speed.net/

The next question is how this spam got past the mobile mail SPF filter. The explanation follows↓

■Let's dump all the DNS records of the sender domain; the following result came out↓
mag-r.net.              3600    IN      NS      ns2.dns.ne.jp.
mag-r.net.              3600    IN      NS      ns1.dns.ne.jp.
mag-r.net.              3600    IN      SOA     master.dns.ne.jp. tech.sakura.ad.jp. 2012011800 3600 900 3600000 3600
imp101.mag-r.net.       3600    IN      A       180.222.53.5
imp101.mag-r.net.       3600    IN      TXT     "v=spf1 include:spf.mail-b.net include:spfall.ark-net.ne.jp ~all"
mag-r.net.              3600    IN      NS      ns1.dns.ne.jp.
mag-r.net.              3600    IN      NS      ns2.dns.ne.jp.

↑Here the SPF record is set up as a cascade. Dumping all of it gives the following information↓
spf.mail-b.net.         1437    IN      TXT     "v=spf1 include:spf01.mail-b.net include:spf02.mail-b.net ~all"
spf01.mail-b.net.       1402    IN      TXT     "v=spf1 ip4:202.231.196.0/25 ip4:203.142.214.0/24
                                                ip4:203.142.207.16/28 ip4:124.248.144.0/23 
                                                ip4:115.187.72.128/25 ip4:115.187.77.0/24 ip4:115.187.71.0/24 ~all"
spf02.mail-b.net.       1318    IN      TXT     "v=spf1 ip4:119.82.8.0/21 ip4:119.82.152.0/21 ip4:180.222.32.0/19
                                                 ip4:27.100.28.0/22 
                                                 ip4:120.143.39.128/25 ip4:115.187.70.0/25 ip4:31.148.149.0/25 ~all"

spfall.ark-net.ne.jp.   86400   IN      TXT     "v=spf1 include:spf01.ark-net.ne.jp include:spf02.ark-net.ne.jp 
                                                include:spf03.ark-net.ne.jp include:spf04.ark-net.ne.jp 
                                                include:spf.mail-b.net ~all"
spf01.ark-net.ne.jp.    86400   IN      TXT     "v=spf1 ip4:210.175.62.0/24 ip4:210.175.47.0/24 ip4:61.209.246.0/24 
                                                ip4:211.8.131.128/25 
                                                ip4:210.151.38.192/26 ip4:210.169.130.0/26 ip4:210.175.112.0/25 
                                                ip4:211.8.127.0/25 
                                                ip4:210.175.115.0/24 ip4:210.175.124.0/24 ~all"
spf02.ark-net.ne.jp.    86400   IN      TXT     "v=spf1 ip4:61.209.229.0/25 ip4:61.209.230.0/25 ip4:61.209.231.0/25 
                                                 ip4:210.146.22.0/24 ip4:210.151.32.0/24 ip4:210.169.148.0/24
                                                 ip4:211.8.70.0/24 ip4:61.200.42.0/25  ip4:61.200.43.0/25 
                                                 ip4:210.175.80.0/24 ip4:210.175.40.0/24 ~all"
spf03.ark-net.ne.jp.    86400   IN      TXT     "v=spf1 ip4:61.209.229.128/25 ip4:61.209.230.128/25 
                                                 ip4:61.209.231.128/25 include:spf04.ark-net.ne.jp ~all"
spf04.ark-net.ne.jp.    86400   IN      TXT     "v=spf1 ip4:210.48.247.128/25 ip4:211.8.56.0/21 ip4:202.229.45.192/26 
                                                 ip4:123.98.155.128/25 ~all" 

■↑Looking closely at the information above, SPF registration works through the cascade below↓
imp101.mag-r.net
   +
   |
   +-------> spf.mail-b.net
   |                 |
   |                 +------>spf01.mail-b.net
   |                 |
   |                 +------>spf02.mail-b.net
   |
   +-------> spfall.ark-net.ne.jp
                     |
                     +------>spf01.ark-net.ne.jp
                     |
                     +------>spf02.ark-net.ne.jp
                     |
                     +------>spf03.ark-net.ne.jp
                     |
                     +------>spf04.ark-net.ne.jp
↑Dumping the IP/network information registered in this SPF cascade shows an enormous number of IP addresses; any spam sent from these networks using this domain would pass an SPF check.
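
To make the cascade concrete, here is an added example (not code from the original post) that evaluates the quoted records the way an RFC 7208 checker does: ZONE is a constructed offline copy of the TXT records dumped above, and the function names are this example's own. It follows each include in order under the standard budget of 10 DNS-querying terms and also flattens the tree into the distinct networks it authorises, which shows both why the two sender IPs pass (spf02.mail-b.net is reached on the third lookup) and that a sender outside every range exhausts the budget before the cascade is finished.

```python
"""SPF include-cascade evaluator over the TXT records quoted in this post.
Added example, not code from the original post: ZONE is a constructed offline
copy of the records dumped above (no DNS is queried); names are this example's own."""
import ipaddress

ZONE = {
    "imp101.mag-r.net": "v=spf1 include:spf.mail-b.net include:spfall.ark-net.ne.jp ~all",
    "spf.mail-b.net": "v=spf1 include:spf01.mail-b.net include:spf02.mail-b.net ~all",
    "spf01.mail-b.net": "v=spf1 ip4:202.231.196.0/25 ip4:203.142.214.0/24 ip4:203.142.207.16/28 "
        "ip4:124.248.144.0/23 ip4:115.187.72.128/25 ip4:115.187.77.0/24 ip4:115.187.71.0/24 ~all",
    "spf02.mail-b.net": "v=spf1 ip4:119.82.8.0/21 ip4:119.82.152.0/21 ip4:180.222.32.0/19 ip4:27.100.28.0/22 "
        "ip4:120.143.39.128/25 ip4:115.187.70.0/25 ip4:31.148.149.0/25 ~all",
    "spfall.ark-net.ne.jp": "v=spf1 include:spf01.ark-net.ne.jp include:spf02.ark-net.ne.jp "
        "include:spf03.ark-net.ne.jp include:spf04.ark-net.ne.jp include:spf.mail-b.net ~all",
    "spf01.ark-net.ne.jp": "v=spf1 ip4:210.175.62.0/24 ip4:210.175.47.0/24 ip4:61.209.246.0/24 "
        "ip4:211.8.131.128/25 ip4:210.151.38.192/26 ip4:210.169.130.0/26 ip4:210.175.112.0/25 "
        "ip4:211.8.127.0/25 ip4:210.175.115.0/24 ip4:210.175.124.0/24 ~all",
    "spf02.ark-net.ne.jp": "v=spf1 ip4:61.209.229.0/25 ip4:61.209.230.0/25 ip4:61.209.231.0/25 "
        "ip4:210.146.22.0/24 ip4:210.151.32.0/24 ip4:210.169.148.0/24 ip4:211.8.70.0/24 "
        "ip4:61.200.42.0/25 ip4:61.200.43.0/25 ip4:210.175.80.0/24 ip4:210.175.40.0/24 ~all",
    "spf03.ark-net.ne.jp": "v=spf1 ip4:61.209.229.128/25 ip4:61.209.230.128/25 ip4:61.209.231.128/25 "
        "include:spf04.ark-net.ne.jp ~all",
    "spf04.ark-net.ne.jp": "v=spf1 ip4:210.48.247.128/25 ip4:211.8.56.0/21 ip4:202.229.45.192/26 "
        "ip4:123.98.155.128/25 ~all",
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 budget for include/a/mx/ptr/exists/redirect terms
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    pass


def check_host(ip, domain, zone=ZONE, lookups=None):
    """RFC 7208 check_host() reduced to the terms the quoted records use (ip4, include,
    all). `lookups` is a one-item list shared down the recursion: the budget is global."""
    lookups = [0] if lookups is None else lookups
    addr = ipaddress.ip_address(ip)
    record = zone.get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER[qualifier]
        elif term.startswith("include:"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                raise PermError("more than %d DNS lookups" % MAX_LOOKUPS)
            sub = check_host(ip, term[8:], zone, lookups)
            if sub == "pass":
                return QUALIFIER[qualifier]
            if sub == "none":
                raise PermError("included domain %s has no SPF record" % term[8:])
            # fail/softfail/neutral from an include are simply "no match": keep going
        elif term == "all":
            return QUALIFIER[qualifier]
        else:
            raise PermError("term not handled by this example: %s" % term)
    return "neutral"  # ran out of terms without a match


def evaluate(ip, domain, zone=ZONE):
    """(result, lookups spent); a PermError becomes the 'permerror' result."""
    lookups = [0]
    try:
        return check_host(ip, domain, zone, lookups), lookups[0]
    except PermError:
        return "permerror", lookups[0]


def flatten(domain, zone=ZONE, seen=None):
    """Distinct ip4 networks the cascade under `domain` authorises. Each record is visited
    once here; a real evaluator has no such cache, which is why the budget can run out."""
    seen = set() if seen is None else seen
    nets = set()
    if domain in seen:
        return nets
    seen.add(domain)
    for term in zone.get(domain, "").split()[1:]:
        term = term.lstrip("+-~?")
        if term.startswith("ip4:"):
            nets.add(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets |= flatten(term[8:], zone, seen)
    return nets


if __name__ == "__main__":
    for sender in ("180.222.53.241", "180.222.39.116", "192.0.2.1"):
        print(sender, evaluate(sender, "imp101.mag-r.net"))
    print(len(flatten("imp101.mag-r.net")), "distinct networks authorised")
```

The two sender IPs from the samples pass on the third lookup because 180.222.32.0/19 sits in spf02.mail-b.net, while a sender matching no range reaches the 11th include term and must be returned as permerror by a strict checker.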

■Spam-sending network information registered in SPF↓
--------------------
spf.mail-b.net
--------------------
※Checking the network addresses registered under spf.mail-b.net, almost all of them came back as "Redspeed Networks Co., Ltd."↓

inetnum:        124.248.144.0 - 124.248.145.255
netname:        REDSPEED
descr:          Redspeed Networks Co., Ltd.
country:        JP
admin-c:        MK19848JP
tech-c:         MK19848JP

inetnum:        203.142.214.0 - 203.142.214.255
netname:        REDSPEED
descr:          Redspeed Networks Co., Ltd.
country:        JP
admin-c:        MK19848JP
tech-c:         MK19848JP

inetnum:        115.187.72.128 - 115.187.72.255
netname:        REDSPEED
descr:          Redspeed Networks Co., Ltd.
country:        JP
admin-c:        MK730-AP
tech-c:         MK730-AP

inetnum:        115.187.77.0 - 115.187.77.127
netname:        REDSPEED
descr:          Redspeed Networks Co., Ltd.
country:        JP
admin-c:        MK732-AP
tech-c:         MK732-AP

inetnum:        119.82.8.0 - 119.82.15.255
netname:        REDSPEED-2
descr:          Redspeed Networks Co., Ltd.
country:        JP

inetnum:        27.100.28.0 - 27.100.31.255
netname:        REDSPEED-CIDR-BLK-JP
descr:          Redspeed Networks Co., Ltd.
remarks:        Email address for spam or abuse complaints : netadmin@red-speed.net
country:        JP
admin-c:        MK19848JP
tech-c:         MK19848JP

Other owners' information also came up, for example the following… I leave the detailed lookups to you↓

inetnum:        115.187.71.0 - 115.187.71.127
netname:        BNET
descr:          B-net LLC
country:        JP
admin-c:        AM703-AP
tech-c:         AM703-AP

[Network Number]                202.231.192.0/18
[Network Name]                  
[Organization]                  BEKKOAME/INTERNET
[Administrative Contact]        ZK445JP
[Technical Contact]             ZK445JP
[Abuse]                         abuse3@bekknet.ad.jp


--------------------
spfall.ark-net.ne.jp
--------------------
※Checking the network addresses registered under spfall.ark-net.ne.jp gives the following information↓
a. [Network Number]             X.X.X.X/X
b. [Network Name]               ARK-NET
g. [Organization]               ARK CO.,LTD.
m. [Administrative Contact]     ST9511JP
n. [Technical Contact]          ST9511JP
p. [Nameserver]                 ns.ark-net.ne.jp
p. [Nameserver]                 ns2.ark-net.ne.jp
Less Specific Info: SOFTBANK TELECOM Corp.

Accessing "ark-net.ne.jp" over HTTP returned the following↓
Now, what kind of company is "ark-net.ne.jp"? Below is the domain registration information↓
a. [Domain Name]                ARK-NET.NE.JP
d. [Network Service Name]       ARK
l. [Organization Type]          Network Service
m. [Administrative Contact]     KN4980JP
n. [Technical Contact]          KN4980JP
p. [Name Server]                ns.ark-net.ne.jp
p. [Name Server]                ns2.ark-net.ne.jp
s. [Signing Key]
[State]                         Connected (2012/03/31)
[Registered Date]               2001/03/27
[Connected Date]                2001/04/04
[Last Update]                   2011/04/01 01:29:26 (JST)

Contact Information:
a. [JPNIC Handle]               KN4980JP
c. [Last, First]                Nakata, Kohei
d. [E-Mail]                     nakata@ark-japan.com ←their page: http://www.ark-japan.com/default.htm
g. [Organization]               ARK CO., LTD.
l. [Division]
n. [Title]
o. [TEL]                        086-805-1580
p. [FAX]                        086-805-1580
y. [Reply Mail]                 apply@iij.ad.jp
[Last Update]                   2001/03/27 05:44:27 (JST) form@domain.nic.ad.jp

※This proves that the people who sent the spam are using the SPF record service on ARK CO., LTD.'s network. I do not know what the relationship is; judging from the investigated spam sample, this is as far as it goes.

↑Indeed, looking at the sample spam investigated this time, the sender IP addresses fall within the ranges above ⇒ "180.222.53.241" and "180.222.39.116". Both IPs belong to Redspeed Networks.
(^^ This concludes the explanation of the SPF cascade mechanism used by mobile spam.

■On the spam domain check filter

The following explains how the spam slips through the HELO domain AUTH filter.
Checking the headers, the following domain AUTH check results for the SMTP hop appeared↓
X-SPF-AUTH: Pass (lsean.ezweb.ne.jp: domain of imp101.mag-r.net designates 180.222.53.241 as permitted sender) 
client-ip=180.222.53.241; envelope-from=; helo=r101-imp002-01.mail-b.net;
 domain=imp101.mag-r.net; txt=v=spf1 ; auth=v1;

X-SPF-AUTH: Pass (lsean.ezweb.ne.jp: domain of imp101.mag-r.net designates 180.222.39.116 as permitted sender) 
client-ip=180.222.39.116; envelope-from=; helo=tl-x222.mail-b.net; 
domain=imp101.mag-r.net; txt=v=spf1 ; auth=v1;

When the provider checks the spam's SMTP relay MTA, it finds that the domain exists;
in other words, connecting directly to port 25 over SMTP produced the following exchange.
Connected to r101-imp002-01.mail-b.net (180.222.53.41).
Escape character is '^]'.
220 r101-imp002-01.mail-b.net ESMTP Postfix
HELO imp101.mag-r.net
250 r101-imp002-01.mail-b.net

Connected to tl-x222.mail-b.net (180.222.39.116).
Escape character is '^]'.
220 tl-x222.mail-b.net ESMTP Postfix
HELO imp101.mag-r.net
250 tl-x222.mail-b.net
↑Judging from this, the Postfix mail servers appear to be provided with an open-relay configuration. If so, the result of the AUTH check is always OK. This is how a bypass of the domain AUTH check can be built.
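
As an added example (not part of the original post), the following cross-checks the carrier's verdict against the Received line, using the first header set quoted above reconstructed as a folded header block. The helper names are this example's own, and reading "unknown" as a missing or unverified reverse name assumes the Postfix convention for that field.

```python
"""Cross-check of the carrier's X-SPF-AUTH verdict against the Received line.
Added example, not code from the original post. SAMPLE_HEADERS is constructed
from the first header set quoted above, folded as an MTA would emit it."""
import re

SAMPLE_HEADERS = (
    "Received: from r101-imp002-01.mail-b.net (unknown [180.222.53.241])\n"
    "X-SPF-AUTH: Pass (lsean.ezweb.ne.jp: domain of imp101.mag-r.net designates\n"
    " 180.222.53.241 as permitted sender) client-ip=180.222.53.241;\n"
    " envelope-from=; helo=r101-imp002-01.mail-b.net;\n"
    " domain=imp101.mag-r.net; txt=v=spf1 ; auth=v1;\n"
)

RECEIVED_RE = re.compile(r"^Received: from (\S+) \((\S+) \[([\d.]+)\]\)")
FIELD_RE = re.compile(r"(client-ip|envelope-from|helo|domain)=([^;]*);")


def unfold(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def parse_received(header):
    """HELO name, verified reverse name (None when the MTA wrote 'unknown') and client IP."""
    m = RECEIVED_RE.match(header)
    if not m:
        return None
    helo, rdns, ip = m.groups()
    return {"helo": helo, "rdns": None if rdns == "unknown" else rdns, "ip": ip}


def parse_spf_auth(header):
    """Verdict plus the key=value fields the carrier appends after the comment."""
    if not header.startswith("X-SPF-AUTH:"):
        return None
    fields = {k: v.strip() for k, v in FIELD_RE.findall(header)}
    fields["result"] = header.split()[1].lower()
    return fields


def org_domain(name):
    """Last two labels: adequate for the .net names in the sample; names under
    ne.jp / co.jp would need a public-suffix list instead."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def triage(raw):
    """Signals a stricter carrier-side filter could weigh on top of the bare SPF verdict."""
    received = spf = None
    for header in unfold(raw):
        received = received or parse_received(header)
        spf = spf or parse_spf_auth(header)
    if received is None or spf is None:
        return {"headers-missing"}
    signals = set()
    if received["rdns"] is None:
        signals.add("client-has-no-verified-ptr")  # reverse name absent or not forward-confirmed
    if org_domain(spf.get("helo", "")) != org_domain(spf.get("domain", "")):
        signals.add("helo-outside-spf-domain")  # the pass covers the MAIL FROM domain, not the HELO host
    if received["ip"] != spf.get("client-ip"):
        signals.add("client-ip-mismatch")
    return signals


if __name__ == "__main__":
    print(parse_spf_auth(unfold(SAMPLE_HEADERS)[1]))
    print(sorted(triage(SAMPLE_HEADERS)))
```

For the sample, the SPF pass is real but was computed for imp101.mag-r.net, while the connecting host announced itself under mail-b.net and had no verifiable reverse name; those two signals are what the bare verdict hides.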

■Conclusion
1) The situation above proves that the spam-sending mechanism is a carefully designed system.
2) A mechanism that slips through SPF filters is currently in operation.
3) For the SMTP AUTH check filter mechanism as well, a way around it seems to have been found.
Regarding 2) and 3) above, I think a different filtering method has to be devised.

■Additional info 1: SPF services frequently used by Japanese mobile spam (via DNS TXT records)
--------------------------------
# host -ttxt spf.bulletmail.jp
--------------------------------
spf.bulletmail.jp descriptive text "v=spf1 ip4:119.252.32.0/19 ip4:14.192.96.0/19 ip4:111.223.192.0/19 ip4:113.212.128.0/19 ip4:202.171.224.0/21 ip4:202.12.244.0/22 ip4:210.198.8.0/24 ip4:210.198.19.0/24 ip4:210.166.225.0/24 ip4:210.155.149.0/24 ip4:210.155.152.0/24 ~all"

--------------------------------
# host -ttxt spf3m.zxy.jp
--------------------------------
spf3m.zxy.jp descriptive text "v=spf1 ip4:182.161.64.0/21 ip4:116.89.240.0/20 ip4:103.4.80.0/22 ip4:103.10.192.0/22 ip4:103.29.180.0/22 ip4:103.5.40.0/22 ip4:103.11.196.0/22 ~all"

--------------------------------
# host -ttxt spf.x-mailer.jp
--------------------------------
spf.x-mailer.jp descriptive text "v=spf1 ip4:119.252.32.0/19 ip4:14.192.96.0/19 ip4:111.223.192.0/19 ip4:113.212.128.0/19 ip4:202.171.224.0/21 ip4:202.12.244.0/22 ip4:210.198.8.0/24 ip4:210.198.19.0/24 ip4:210.166.225.0/24 ip4:210.155.149.0/24 ip4:210.155.152.0/24 ~all

--------------------------------
# host -ttxt jgate.dns-spf.com
--------------------------------
jgate.dns-spf.com descriptive text "v=spf1 ip4:202.43.104.0/24 ip4:202.43.107.0/24 ip4:210.175.35.0/24 ip4:210.175.83.0/24 ip4:202.6.8.0/24 ip4:202.6.15.0/24 ~all"

--------------------------------
# host -ttxt spf.vnstg.net
--------------------------------
spf.vnstg.net descriptive text "v=spf1 ip4:101.50.8.0/21 ip4:113.130.27.0/24 ip4:180.222.127.0/24 ip4:113.130.42.0/23 ip4:116.197.152.0/21 ip4:211.14.188.0/24 ip4:120.143.95.0/24 ip4:211.120.46.64/26 ip4:211.120.59.128/26 ip4:180.222.125.0/24 ip4:180.222.126.0/24 ~all"

--------------------------------
# host -ttxt spf01.m-smtp.com
--------------------------------
spf01.m-smtp.com descriptive text "v=spf1 ip4:182.255.60.0/22 ip4:27.123.244.0/22 ip4:182.255.40.0/22 ip4:27.123.232.0/22 ip4:27.123.240.0/22 ip4:182.54.128.0/22 ip4:27.123.252.0/22 ip4:119.42.32.0/22 ip4:103.11.64.0/22 ip4:182.255.48.0/22 ~all"

--------------------------------
# host -ttxt spf02.m-smtp.com
--------------------------------
spf02.m-smtp.com descriptive text "v=spf1 ip4:202.133.220.0/22 ip4:27.124.72.0/22 ip4:119.42.36.0/22 ip4:202.133.216.0/22 ip4:119.42.56.0/22 ip4:119.42.60.0/22 ip4:27.124.68.0/22 ip4:182.255.52.0/22 ip4:182.255.56.0/22 ~all"

--------------------------------
# host -ttxt spf1.s-mtp.jp
--------------------------------
spf1.s-mtp.jp descriptive text "v=spf1 ip4:216.179.238.0/23 ip4:216.179.254.0/23 ip4:216.179.192.0/21 ip4:101.0.8.0/22 ip4:101.0.24.0/23 ip4:216.179.154.0/23 ip4:216.179.156.0/23 ip4:64.31.30.160/27 ~all"

--------------------------------
# host -ttxt spf2.s-mtp.jp
--------------------------------
spf2.s-mtp.jp descriptive text "v=spf1 ip4:64.31.39.32/27 ip4:64.31.40.192/27 ip4:64.31.42.32/27 ip4:64.31.44.0/27 ip4:64.31.46.0/27 ip4:64.31.47.0/27 ip4:64.31.48.0/27 ip4:64.31.49.0/27 ~all"

--------------------------------
# host -ttxt spf3.s-mtp.jp
--------------------------------
spf3.s-mtp.jp descriptive text "v=spf1 ip4:64.31.53.96/27 ip4:69.162.121.192/27 ip4:69.162.89.64/27 ip4:74.63.201.128/27 ip4:74.63.201.192/27 ip4:74.63.201.32/27 ip4:74.63.201.64/27 ip4:74.63.201.96/27 ~all"

--------------------------------
# host -ttxt spf4.s-mtp.jp
--------------------------------
spf4.s-mtp.jp descriptive text "v=spf1 ip4:74.63.210.224/27 ip4:74.63.224.64/27 ip4:74.63.246.160/27 ip4:74.63.255.96/27 ip4:208.115.201.0/27 ip4:208.115.201.64/27 ip4:216.245.201.0/27 ip4:216.245.216.64/27 ip4:216.144.242.128/25 ~all"

--------------------------------
# host -ttxt spf1.isadolo.com
--------------------------------
spf1.isadolo.com descriptive text "v=spf1 mx ip4:173.214.0.0/16 ip4:205.209.0.0/16 ip4:64.32.0.0/16 ip4:64.20.0.0/16 ip4:209.159.0.0/16 ~all"

--------------------------------
# host -ttxt spf2.isadolo.com
--------------------------------
spf2.isadolo.com descriptive text "v=spf1 mx ip4:184.82.0.0/16 ip4:204.13.0.0/16 ip4:204.188.0.0/16 ip4:66.90.0.0/16 ip4:74.63.0.0/16 ip4:68.168.0.0/16 ~all"

--------------------------------
# host -ttxt spf3.isadolo.com
--------------------------------
spf3.isadolo.com descriptive text "v=spf1 mx ip4:208.53.0.0/16 ip4:64.56.0.0/16 ip4:173.45.0.0/16 ip4:66.23.0.0/16 ip4:70.36.0.0/16 ip4:74.222.0.0/16 ~all"

--------------------------------
# host -ttxt spf1.intercept.ad.jp
--------------------------------
spf1.intercept.ad.jp descriptive text "v=spf1 ip4:103.246.72.0/22 ip4:103.10.68.0/22 ip4:116.66.176.0/20 ip4:116.197.152.0/21 ip4:14.192.56.0/22 ip4:14.192.48.0/21 ~all"

--------------------------------
# host -ttxt med3.dns-spf.com
--------------------------------
med3.dns-spf.com descriptive text "v=spf1 ip4:182.236.15.0/24 ip4:27.96.43.0/24 ip4:210.175.35.0/24 a:ef057.mail-relay.jp ip4:27.50.12.0/21 ip4:27.96.37.0/24 ip4:27.96.41.0/24 ip4:27.96.39.0/27 ip4:202.6.8.0/24 ip4:110.50.102.96/27 ~all"

■Additional info 2: SPF services frequently used by Japanese mobile spam (via DNS A records)
--------------------------------
# host -ta spf4.suncry.com
--------------------------------

--------------------------------
# host -ta spf5.suncry.com
--------------------------------

----------------------------------------------
# host -ta spf3.suncry.com
----------------------------------------------
spf3.suncry.com has address 125.252.86.192
spf3.suncry.com has address 125.252.88.192
spf3.suncry.com has address 125.252.89.0
spf3.suncry.com has address 125.252.89.64
spf3.suncry.com has address 202.147.3.0
spf3.suncry.com has address 125.252.86.0
spf3.suncry.com has address 125.252.86.64
spf3.suncry.com has address 125.252.86.128

----------------------------------------------
# host -ta spf.cramhut.net
----------------------------------------------

--------------------------------
# host -ta spf.mail-asp.com
--------------------------------

--------------------------------
# host -ta spf.snavi.mobi
--------------------------------

--------------------------------
# host -ta spf2.mail-getter.biz
--------------------------------
spf2.mail-getter.biz has address 113.212.130.0
spf2.mail-getter.biz has address 111.223.203.0
spf2.mail-getter.biz has address 111.223.204.0
spf2.mail-getter.biz has address 111.223.205.0
spf2.mail-getter.biz has address 111.223.206.0
spf2.mail-getter.biz has address 111.223.207.0

--------------------------------
# host -ta spf2.proptai.net
--------------------------------
spf2.proptai.net has address 111.223.213.0
spf2.proptai.net has address 113.212.135.0
spf2.proptai.net has address 111.223.193.0

--------------------------------
# host -ta ef057.mail-relay.jp
--------------------------------

----
Zero Day Japan
http://0day.jp
Malware Research Lab
researched & reported by: Hendrik ADRIAN (アドリアン・ヘンドリック)
Sponsored by: 株式会社ケイエルジェイテック

1 comment:

  1. this is an excellent article, very interesting. SMS spam is common in russia but I rarely see it on my phone. SPF records. Amazing ;)
