funsec mailing list archives

Re: Strange address in mail header


From: "Dr. Neal Krawetz" <hf () hackerfactor com>
Date: Fri, 13 Jan 2006 07:12:27 -0700 (MST)

On Fri Jan 13 06:25:20 2006, Larry Seltzer wrote:

A friend of mine who sends out a mailing list through another friend's
service was getting some non-deliveries and asked me to look at these.
Here's the interesting part of the header with some of the addresses and
names blanked out to protect the innocent:

Received: from daa20725rs002.friend2domain.com
(daa20725rs002.friend2domain.com [aaa.bbb.ccc.ddd])
      by inbound-mx20.atl.registeredsite.com (8.12.11/8.12.11) with ESMTP
id k07DjJg8029294
      for <friend1 () friend1domain com>; Sat, 7 Jan 2006 08:45:21 -0500
Received: from daa10354www002 ([1.4.167.11]) by
daa20725rs002.friend2domain.com with Microsoft SMTPSVC(5.0.2195.6713);

Friend1domain, friend2domain and aaa.bbb.ccc.ddd are phony, but the header
really does indicate that 1.4.167.11 is the origin of the message, and this
address shows up as IANA reserved, the way I see it. (You can also see that
friend1 is an Interland customer, but I think that's irrelevant, because
friend2 is the one at issue.) 1.4.167.11 is spoofed, right?

Hi Larry,

Short answer: Everything below the spoofed header is spoofed.

Long answer:
Received headers are added from the bottom of the stack to the top (pre-pend).
The only guarantee is that the top-most received header is not forged.
Everything else is forgeable.

If you see one forged Received header (e.g., "aaa.bbb.ccc.ddd" indicates
that the header is forged) then you can be certain that everything below
it is also forged.

There are a few other clues for detecting forged Received headers.
For example:
  - Received headers should contain a unique tracking ID.
    The top one does, the bottom one doesn't.
  - Received headers should have timestamps.
    The top one does, the bottom one doesn't.
  - Most Received headers do not end with a semicolon.  Instead, these
    are used to separate fields.  (The bottom one is missing stuff after
    the semi-colon.)
  - Most remailers line-wrap Received headers.  The bottom one isn't wrapped.

While these rules are "usually" the case, some legitimate mailers do
break the rules.  Most notably, qmail will include 2-3 Received headers
rather than one.  But Microsoft mailers do obey the RFC standards.

(Sorry for being so long winded -- I've been giving talks on email
security and tracking every year for the last 5 years.)

                                        -Neal
--
Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
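The following is an added example, not code from the original thread or from Hacker Factor: a small Python script that walks the Received headers from the top down and applies the rule and the clues Neal describes (tracking ID, timestamp after the final semicolon, line wrapping, and whether bracketed literals are real, public IP addresses), then marks the first failing lower hop and everything below it as untrusted. The sample input is the two headers Larry quoted (his redactions kept, the archive's address munging undone, continuation lines re-indented, and the second header written on one line as Neal describes it) plus a third, constructed hop. Two things to note: the "not an IP address" clue on the top hop fires on Larry's "aaa.bbb.ccc.ddd" redaction, not on a real address, and the script does not try to decide whether 1.4.167.11 is allocated, because allocation status changes over time; it only checks a short list of obviously non-public ranges. The timestamp-ordering check is an extension of the "should have timestamps" clue, not something Neal lists.

```python
"""Walk a message's Received headers from the top down and flag the
forgery clues Neal lists.  Added example; not code from the original post.

Rule applied: the top-most Received header was written by your own MX and
is trusted; the first lower header that fails a check, and every header
below it, is treated as untrusted.
"""
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Sample input: the two headers Larry quoted (his redactions kept, the
# archive's address munging undone, continuation lines re-indented),
# plus a third, constructed hop to show the "everything below" rule.
SAMPLE_HEADERS = (
    "Received: from daa20725rs002.friend2domain.com\n"
    " (daa20725rs002.friend2domain.com [aaa.bbb.ccc.ddd])\n"
    "\tby inbound-mx20.atl.registeredsite.com (8.12.11/8.12.11) with ESMTP\n"
    " id k07DjJg8029294\n"
    "\tfor <friend1@friend1domain.com>; Sat, 7 Jan 2006 08:45:21 -0500\n"
    "Received: from daa10354www002 ([1.4.167.11]) by"
    " daa20725rs002.friend2domain.com with Microsoft SMTPSVC(5.0.2195.6713);\n"
    "Received: from mail.example.net ([192.0.2.10])\n"   # constructed hop
    "\tby smtp.example.org (Postfix) with ESMTP id abc123;\n"
    "\tFri, 6 Jan 2006 20:00:00 +0000\n"
)

# Obviously non-public ranges (not the full IANA special-purpose registry).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def parse_received(raw):
    """Unfold RFC 5322 headers; return (value, physical_line_count) for
    each Received header in the order written (top = most recent hop)."""
    fields = []
    for line in raw.splitlines():
        if line == "":            # blank line ends the header block
            break
        if line[:1] in (" ", "\t") and fields:
            fields[-1][0] += " " + line.strip()   # continuation line
            fields[-1][1] += 1
        else:
            fields.append([line.rstrip(), 1])
    return [(v[len("Received:"):].strip(), n)
            for v, n in fields if v.lower().startswith("received:")]


def hop_timestamp(value):
    """Return the datetime after the final ';', or None if absent/unparsable."""
    if ";" not in value:
        return None
    tail = value.rsplit(";", 1)[1].strip()
    try:
        return parsedate_to_datetime(tail) if tail else None
    except (ValueError, TypeError):
        return None


def check_hop(value, physical_lines):
    """Return the list of forgery clues found in one Received header."""
    clues = []
    if not re.search(r"\bid\s+\S+", value):
        clues.append("no 'id' tracking token")
    if hop_timestamp(value) is None:
        clues.append("no parsable timestamp after the final ';'")
    if physical_lines == 1:
        clues.append("not line-wrapped (weak clue)")
    for literal in re.findall(r"\[([^\]]+)\]", value):
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:
            clues.append(f"bracketed literal '{literal}' is not an IP address")
            continue
        if any(addr in net for net in NON_PUBLIC):
            clues.append(f"{addr} is a non-public address")
    return clues


def assess(raw):
    """Top-down walk: top hop trusted; first failing lower hop and all
    hops below it untrusted.  Timestamps must not increase going down."""
    hops = parse_received(raw)
    trusted, prev_ts, report = True, None, []
    for i, (value, nlines) in enumerate(hops):
        clues = check_hop(value, nlines)
        ts = hop_timestamp(value)
        if ts and prev_ts and ts > prev_ts:
            clues.append("timestamp later than the hop above it")
        if ts:
            prev_ts = ts
        if i > 0 and clues:
            trusted = False
        report.append({"hop": i, "trusted": trusted, "clues": clues,
                       "from": value.split(" by ")[0]})
    return report


if __name__ == "__main__":
    for r in assess(SAMPLE_HEADERS):
        status = "TRUSTED  " if r["trusted"] else "UNTRUSTED"
        print(f"hop {r['hop']} {status} {r['from']}")
        for c in r["clues"]:
            print(f"        - {c}")
```

Run against the sample, hop 0 is reported trusted (it is the MX's own header) even though the redaction trips the IP check, hop 1 collects three clues (no id token, nothing after the semicolon, not wrapped) and flips the state to untrusted, and hop 2 passes every individual check yet stays untrusted because it sits below a failed hop. The qmail caveat Neal mentions (several Received headers per hop) is not modelled; treat the wrap check as weak, since mail clients and archives refold headers.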

