Re: [vox-tech] Viruses
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [vox-tech] Viruses
real IP spoofing is extremely difficult and is ... involved. you don't
go around spoofing IP addresses all day long. in fact, i have yet to
see it myself.
however, faking your IP address during an SMTP session is as simple as
pie. the downside is that you're not going to fool anybody. well,
you're not going to fool people who know how to read headers.
basically, there's one useful header you can trust: the received header.
the received header can be forged, but forgeries always go "on top" of
the real headers, which can't be removed or forged. you can easily
detect where the email comes from by looking at the chain of receives.
this is what a normal received chain looks like. you are on host A.
the person who sent you the email is on host E.
Received from E by D
Received from D by C
Received from C by B
Received from B by A
here is what a forged received chain looks like. again, you're on host
A, but the sender is on host Y. note the loss of continuity.
Received from Y by Z
Received from Z by C (3)
Received from C by B (2)
Received from B by A (1)
the person at Y cannot delete headers (3), (2), and (1).
this is a completely separate issue from what's contained in the From:
header. that is completely forgable. forged headers will usually have
the From: address pointing to a host different from Y. that's how you
catch where forged email comes from.
On Wed 03 Mar 04, 11:10 AM, Danny Webster
> Good to know. What about the IP address, you can't even trust that can you
> with IP spoofing can you?
> ----- Original Message -----
> From: "Peter Jay Salzman" <firstname.lastname@example.org>
> To: <email@example.com>
> Sent: Wednesday, March 03, 2004 10:59 AM
> Subject: Re: [vox-tech] Viruses
> > danny,
> > there is no such user.
> > you can't trust the message-id field to give you a correct email
> > address. that's one header that is under full control of the person
> > sending the email.
> > pete
> > On Wed 03 Mar 04, 10:57 AM, Danny Webster:
> > > I tried emailing the listed email address and it was returned, so I
> think it
> > > would be safe to eliminate this user:
> > > firstname.lastname@example.org
> > >
> > > Here is my sendmail record:
> > > Mar 3 04:44:52 basiclab sendmail: i23Ci2ES030372:
> > > from=<email@example.com>, size=31379, class=-60, nrcpts=1,
> > > msgid=<firstname.lastname@example.org>, proto=ESMTP, daemon=MTA,
> > > relay=ns1.livepenguin.com [220.127.116.11]
> > >
> > > Danny
> > --
> > Make everything as simple as possible, but no simpler. -- Albert Einstein
> > GPG Instructions: http://www.dirac.org/linux/gpg
> > GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
> > _______________________________________________
> > vox-tech mailing list
> > email@example.com
> > http://lists.lugod.org/mailman/listinfo/vox-tech
> vox-tech mailing list
Make everything as simple as possible, but no simpler. -- Albert Einstein
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
vox-tech mailing list