funsec mailing list archives
Re: Strange address in mail header
From: "Dr. Neal Krawetz" <hf () hackerfactor com>
Date: Fri, 13 Jan 2006 07:12:27 -0700 (MST)
On Fri Jan 13 06:25:20 2006, Larry Seltzer wrote:
A friend of mine who sends out a mailing list through another friend's service was getting some non-deliveries and asked me to look at these. Here's the interesting part of the header with some of the addresses and names blanked out to protect the innocent:

Received: from daa20725rs002.friend2domain.com (daa20725rs002.friend2domain.com [aaa.bbb.ccc.ddd])
        by inbound-mx20.atl.registeredsite.com (8.12.11/8.12.11) with ESMTP id k07DjJg8029294
        for <friend1 () friend1domain com>; Sat, 7 Jan 2006 08:45:21 -0500
Received: from daa10354www002 ([1.4.167.11]) by daa20725rs002.friend2domain.com with Microsoft SMTPSVC(5.0.2195.6713);

Friend1domain, friend2domain and aaa.bbb.ccc.ddd are phony, but the header really does indicate that 1.4.167.11 is the origin of the message, and this address shows up as IANA reserved, the way I see it. (You can also see that friend1 is an Interland customer, but I think that's irrelevant, because friend2 is the one at issue.) 1.4.167.11 is spoofed, right?
Hi Larry,

Short answer: Everything below the spoofed header is spoofed.

Long answer: Received headers are added from the bottom of the stack to the top (prepended). The only guarantee is that the top-most Received header is not forged. Everything else is forgeable. If you see one forged Received header (e.g., "aaa.bbb.ccc.ddd" indicates that the header is forged), then you can be certain that everything below it is also forged.

There are a few other clues for detecting forged Received headers. For example:

- Received headers should contain a unique tracking ID. The top one does, the bottom one doesn't.
- Received headers should have timestamps. The top one does, the bottom one doesn't.
- Most Received headers do not end with a semicolon. Instead, these are used to separate fields. (The bottom one is missing stuff after the semicolon.)
- Most remailers line-wrap Received headers. The bottom one isn't wrapped.

While these rules are "usually" the case, some legitimate mailers do break the rules. Most notably, qmail will include 2-3 Received headers rather than one. But Microsoft mailers do obey the RFC standards.

(Sorry for being so long-winded -- I've been giving talks on email security and tracking every year for the last 5 years.)

-Neal

--
Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
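The trust rule Neal describes (trust the top Received header, walk down, and distrust everything below the first hop that fails the sanity checks) is easy to mechanize. The following is an added example written for this archive page, not code from Neal, Larry or the funsec list. It applies the four checks from the reply (tracking ID, timestamp after the final semicolon, line wrapping, and a routable address) to a constructed message whose first two Received headers are the ones quoted in the thread, with the page's placeholders kept and the obfuscated mailbox written as an ordinary address, plus a third made-up hop beneath the suspect one to show that a perfectly formed header below a forged one is still untrusted. All hostnames, the third hop and the `constructed0001` ID are assumptions; the `ipaddress.is_global` check reflects today's allocations, so it does not reproduce the 2006-era "IANA reserved" observation about 1.4.167.11.

```python
import ipaddress
import re
from email import policy
from email.parser import Parser
from email.utils import parsedate_to_datetime

# Constructed sample message. The first two Received headers are the ones
# quoted in the thread (placeholders kept as posted, the mailbox written in
# plain form); the third hop is made up to show how the verdict propagates.
SAMPLE_MESSAGE = (
    "Received: from daa20725rs002.friend2domain.com"
    " (daa20725rs002.friend2domain.com [aaa.bbb.ccc.ddd])\n"
    "\tby inbound-mx20.atl.registeredsite.com (8.12.11/8.12.11) with ESMTP"
    " id k07DjJg8029294\n"
    "\tfor <friend1@friend1domain.com>; Sat, 7 Jan 2006 08:45:21 -0500\n"
    "Received: from daa10354www002 ([1.4.167.11])"
    " by daa20725rs002.friend2domain.com with Microsoft SMTPSVC(5.0.2195.6713);\n"
    "Received: from mail.example.net\n"
    "\tby daa10354www002 with ESMTP id constructed0001;\n"
    "\tFri, 6 Jan 2006 20:11:05 -0500\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
TRACKING_ID = re.compile(r"\bid\s+\S+")


def hop_warnings(header):
    """Run the per-header checks from the thread over one raw Received
    value (folding preserved) and return the list of findings."""
    warnings = []
    if not TRACKING_ID.search(header):
        warnings.append("no tracking id")
    # The date is the field after the last semicolon; an empty or
    # unparseable tail means the header carries no timestamp.
    tail = header.rsplit(";", 1)[1].strip() if ";" in header else ""
    try:
        parsedate_to_datetime(tail)
    except (ValueError, TypeError):
        warnings.append("no timestamp after the final semicolon")
    if "\n" not in header:
        warnings.append("not line-wrapped")
    m = IPV4_IN_BRACKETS.search(header)
    if m:
        addr = ipaddress.ip_address(m.group(1))
        # Allocation status changes over time: 1.0.0.0/8 was unassigned in
        # 2006 but has since been allocated, so a present-day check does not
        # flag 1.4.167.11. Compare against the registry current for the
        # message date when doing this for real.
        if not addr.is_global:
            warnings.append(f"address {addr} is not globally routable")
    return warnings


def analyze_received(raw_message):
    """Walk the Received headers top-down. The top one was written by the
    receiving MTA and is trusted; the first header that fails a check is
    marked suspect and every header below it is untrusted, however clean it
    looks, because the sender controlled all of them."""
    msg = Parser(policy=policy.compat32).parsestr(raw_message)
    results = []
    chain_broken = False
    for index, header in enumerate(msg.get_all("Received") or []):
        warnings = hop_warnings(header)
        if index == 0:
            verdict = "trusted"
        elif chain_broken:
            verdict = "untrusted"
        elif warnings:
            verdict = "suspect"
            chain_broken = True
        else:
            verdict = "plausible"
        results.append({"index": index, "verdict": verdict,
                        "warnings": warnings,
                        "header": re.sub(r"\s+", " ", header)})
    return results


if __name__ == "__main__":
    for hop in analyze_received(SAMPLE_MESSAGE):
        print(f"[{hop['index']}] {hop['verdict']:9} {hop['header'][:60]}")
        for warning in hop["warnings"]:
            print("      -", warning)
```

The checks are heuristics, as the reply says: a qmail relay or a mailer that does not fold long lines will trip "not line-wrapped" on a legitimate hop, so treat a single finding as a prompt to look closer rather than proof of forgery. The structural rule is the reliable part: once one hop is judged forged, nothing below it is evidence of anything.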
Current thread:
- Strange address in mail header Larry Seltzer (Jan 13)
- Re: Strange address in mail header Dr. Neal Krawetz (Jan 13)
- RE: Strange address in mail header Gary Funck (Jan 13)
- Re: Strange address in mail header Valdis . Kletnieks (Jan 13)
- RE: Strange address in mail header Gary Funck (Jan 13)
- Re: Strange address in mail header Dr. Neal Krawetz (Jan 13)