SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Thursday, January 20th, 2022

SANS ISC Handlers

Tech News, News

🗓️ 20 January 2022

⏱️ 6 minutes

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. 0.0.0.0 and Emotet; WebKit Patch; Acer Care Center; Serv-U Patch.

Transcript

0:00.0

Hello, welcome to the Thursday, January 20th, 2022 edition of the SANS Internet Storm Center Stormcast. My name is Johannes Ullrich, and today I'm recording from Jacksonville, Florida. Brad today took a look at a specific artifact of Emotet traffic. Emotet spam bots are sending, of course, a lot of email,

0:23.0

and they are spoofing the 0.0.0.0 IP address in some of that traffic. Of course, you

0:31.8

won't see actual traffic to that IP address. That IP address is not routable, but it, for example,

0:40.4

shows up in the HELO header and is then, of course, copied into Received headers by

0:47.0

email servers receiving that email. And of course, once you have it show up as an argument to a HELO request or in a Received header,

0:57.7

then you will also see DNS lookups for various spam block lists, and that then usually

1:05.6

starts with the 0.0.0.0 IP address, followed by whatever host name the particular list uses.

1:13.2

Safe to say, whenever you see that IP address, it's at least spam and more likely malicious.

1:20.9

Other botnets may use that as well, but Brad specifically sees that with Emotet, so you can use it as one indicator that you're probably dealing with email that was generated by an Emotet-infected host.

1:36.0

Another suggestion here was also that this may actually be a deliberate attempt to figure out if the receiving mail server does have any kind of spam filtering,

1:46.2

which of course may make it less suitable for spreading malicious,

1:51.2

Word documents or other Office macros, as Emotet usually does.

1:57.9

Now just a little postscript here to that 0/8 network. It is an unused network according to the traditional RFCs. However, Linux in the last couple of years has made an effort to actually reclaim some of this IP address space.

2:18.5

There is a Linux kernel patch available that makes 0/8 routable.

2:25.1

Of course, the idea here is to get back some of that IP address space that was originally

2:33.8

not usable because of the old classful addressing,

2:38.0

which hasn't been in use for, well, 20 plus years.

2:43.0

And currently we still have the unfortunate issue that Safari, and with that really WebKit, is leaking database names cross-origin. I reported about

2:55.8

this earlier this week, I believe, or was it Friday? I forgot, but anyway, there is a patch

3:01.1

available now for WebKit. Of course, this doesn't do you much good because, well,

3:06.8

it would require that you essentially compile the browser and the operating system for iOS, and also Safari for macOS, yourself.

3:18.2

So yes, a patch is available; still waiting for Apple to actually roll it out into Safari and iOS/iPadOS.

...
