The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Viruses



danny,

real IP spoofing is extremely difficult and is ... involved.  you don't
go around spoofing IP addresses all day long.  in fact, i have yet to
see it myself.

however, faking your IP address during an SMTP session is as simple as
pie.  the downside is that you're not going to fool anybody.  well,
you're not going to fool people who know how to read headers.

basically, there's one useful header you can trust: the received header.


the received header can be forged, but forgeries always go "on top" of
the real headers, which can't be removed or forged.  you can easily
detect where the email comes from by looking at the chain of receives.
for example:

this is what a normal received chain looks like.  you are on host A.
the person who sent you the email is on host E.

   Received from E by D
   Received from D by C
   Received from C by B
   Received from B by A

here is what a forged received chain looks like.  again, you're on host
A, but the sender is on host Y.  note the loss of continuity.

   Received from Y by Z
   Received from Z by C     (3)
   Received from C by B     (2)
   Received from B by A     (1)

the person at Y cannot delete headers (3), (2), and (1).



this is a completely separate issue from what's contained in the From:
header.  that is completely forgeable.  forged headers will usually have
the From: address pointing to a host different from Y.  that's how you
catch where forged email comes from.

pete



On Wed 03 Mar 04, 11:10 AM, Danny Webster:
> Pete,
> 
> Good to know.  What about the IP address, you can't even trust that can you
> with IP spoofing can you?
> 
> ----- Original Message ----- 
> From: "Peter Jay Salzman" <p@dirac.org>
> To: <vox-tech@lists.lugod.org>
> Sent: Wednesday, March 03, 2004 10:59 AM
> Subject: Re: [vox-tech] Viruses
> 
> 
> > danny,
> >
> > there is no such user.
> >
> > you can't trust the message-id field to give you a correct email
> > address.  that's one header that is under full control of the person
> > sending the email.
> >
> > pete
> >
> >
> >
> > On Wed 03 Mar 04, 10:57 AM, Danny Webster:
> > > I tried emailing the listed email address and it was returned, so I
> think it
> > > would be safe to eliminate this user:
> > > msqnmmladjontfutbdn@livepenguin.com
> > >
> > > Here is my sendmail record:
> > > Mar  3 04:44:52 basiclab sendmail[30372]: i23Ci2ES030372:
> > > from=<vox-admin@lists.lugod.org>, size=31379, class=-60, nrcpts=1,
> > > msgid=<msqnmmladjontfutbdn@livepenguin.com>, proto=ESMTP, daemon=MTA,
> > > relay=ns1.livepenguin.com [66.218.54.136]
> > >
> > > Danny
> >
> > -- 
> > Make everything as simple as possible, but no simpler.  -- Albert Einstein
> > GPG Instructions: http://www.dirac.org/linux/gpg
> > GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
> > _______________________________________________
> > vox-tech mailing list
> > vox-tech@lists.lugod.org
> > http://lists.lugod.org/mailman/listinfo/vox-tech
> 
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech

-- 
Make everything as simple as possible, but no simpler.  -- Albert Einstein
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
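The Received-chain reading Pete describes, as an added worked example (not code from the thread or from LUGOD). It assumes you know which MTAs are yours (host A and the relays B and C above it): the Received lines those hosts wrote cannot be altered by the sender, so the lowest trusted line names the connection the sender really made, and everything below it is under the sender's control. The two sample messages, the example.net/example.org/attacker.example hostnames and the addresses in them are constructed for the demonstration. The script also checks the continuity of the chain (each hop's "from" host should be the host that wrote the next line down) and compares the From: domain against the origin, which is the mismatch Pete points out. Note that the "from" name in a Received line is the HELO name the client claimed; the address in square brackets is what the trusted MTA actually observed, so that is the value to act on.

```python
import re
from email import message_from_string
from email.policy import default as DEFAULT_POLICY
from email.utils import parseaddr

# "from <helo-name> (<reverse-dns> [<ip>]) by <host>" - the shape most MTAs write.
RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<from>\S+)(?:\s*\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(msg):
    """Received headers top-down: index 0 was added last, by the MTA closest to us."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(str(raw).split())          # unfold continuation lines
        m = RECEIVED_RE.search(text)
        if not m:
            hops.append({"from": None, "by": None, "ip": None, "raw": text})
            continue
        ip = IP_RE.search(m.group("comment") or "")
        hops.append({
            "from": m.group("from").lower(),      # HELO name: chosen by the client
            "by": m.group("by").lower(),          # the MTA that wrote this line
            "ip": ip.group(1) if ip else None,    # address that MTA actually saw
            "raw": text,
        })
    return hops


def analyze(raw_message, trusted_hosts):
    """Locate the real origin of a message and any sender-supplied Received lines.

    trusted_hosts: MTAs we run or trust (host A and the relays above it).
    Walking top-down, the lines written by those hosts form a prefix the
    sender could not remove; the lowest of them records the origin.
    """
    msg = message_from_string(raw_message, policy=DEFAULT_POLICY)
    hops = parse_received(msg)

    trusted = 0
    for hop in hops:
        if hop["by"] in trusted_hosts:
            trusted += 1
        else:
            break                                 # first line not written by us

    origin = hops[trusted - 1] if trusted else None

    # Continuity: each hop's "from" host should be the host that wrote the next hop.
    breaks = [i for i in range(len(hops) - 1) if hops[i]["from"] != hops[i + 1]["by"]]

    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    from_matches_origin = bool(
        origin and from_domain
        and (origin["from"] == from_domain or origin["from"].endswith("." + from_domain))
    )

    return {
        "origin_host": origin["from"] if origin else None,
        "origin_ip": origin["ip"] if origin else None,
        "trusted_hops": trusted,
        "untrusted_hops": len(hops) - trusted,
        "chain_breaks": breaks,
        "from_domain": from_domain,
        "from_matches_origin": from_matches_origin,
    }


# Hosts we operate (A) or trust (B, C) - an assumption for this example.
TRUSTED = {"a.example.net", "b.example.net", "c.example.net"}

# Constructed sample: an unforged chain E -> D -> C -> B -> A.
GENUINE = """Received: from b.example.net (b.example.net [192.0.2.2]) by a.example.net with ESMTP id 1; Wed, 3 Mar 2004 10:59:00 -0800
Received: from c.example.net (c.example.net [192.0.2.3]) by b.example.net with ESMTP id 2; Wed, 3 Mar 2004 10:58:58 -0800
Received: from d.example.org (d.example.org [198.51.100.4]) by c.example.net with ESMTP id 3; Wed, 3 Mar 2004 10:58:55 -0800
Received: from e.example.org (e.example.org [198.51.100.5]) by d.example.org with ESMTP id 4; Wed, 3 Mar 2004 10:58:50 -0800
From: Alice <alice@example.org>
To: danny@a.example.net
Subject: genuine

hello
"""

# Constructed sample: host Y connected to C directly and prepended a fake
# "via Z" line; the From: and Message-ID are likewise sender-chosen.
FORGED = """Received: from b.example.net (b.example.net [192.0.2.2]) by a.example.net with ESMTP id 5; Wed, 3 Mar 2004 11:05:00 -0800
Received: from c.example.net (c.example.net [192.0.2.3]) by b.example.net with ESMTP id 6; Wed, 3 Mar 2004 11:04:58 -0800
Received: from y.attacker.example (unknown [203.0.113.9]) by c.example.net with ESMTP id 7; Wed, 3 Mar 2004 11:04:55 -0800
Received: from mail.example.com (mail.example.com [198.51.100.7]) by z.example.org with ESMTP id 8; Wed, 3 Mar 2004 11:04:50 -0800
From: "Someone" <someone@example.com>
To: danny@a.example.net
Message-ID: <fakefakefake@example.com>
Subject: forged

hello
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, analyze(raw, TRUSTED))
```

For the forged sample the origin is reported as 203.0.113.9 (C recorded "unknown", i.e. no reverse DNS matching the HELO name), the chain breaks at the third hop, and the From: domain does not match the origin; all three are the signals Pete describes.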


