Re: Spam question

From: chort (chort_at_amaunetsgothique.com)
Date: 09/02/03

    To: Tomas Wolf <tomas@skip.cz>
    Date: 02 Sep 2003 09:26:18 -0700

    On Mon, 2003-09-01 at 04:12, Tomas Wolf wrote:
    > Hello,
    >
    > I'm reading some sources of spam I've got and I have a question that
    > has crossed my mind... Is it possible to malform an e-mail's header?
    >
    > What I have in mind is that some of the headers come with different
    > header composition in which up to two *Received:* records are from
    > registered range... And also some of these e-mails have *Return-Path:*
    > inserted on the bottom of the header, following *Received: from
    > bla.bla.com [xxx.xxx.xxx.xxx] by bla.bla.com (MAILSERVER NAME vX) with
    > PROTOCOL, DATE*... While the original Return-path: with an e-mail
    > address, as it is supposed to, is one of the top ones...
    >
    > I have a theory about this... Could there be a program that connects
    > directly to the end-user's SMTP server by telnet and sends to
    > localhost? I know that would be a lot of traffic and time spent on this,
    > but isn't this another possibility? I remember when I was playing with
    > SMTP server at home, I was capable of sending any kind of e-mail to
    > anybody@localhost... So then I've tried it on several "real" SMTP
    > servers where I knew my friends had an account and it worked as well...
    > Which means if I know the user and the end server, I'm able to send
    > pretty much anything and by forming the commands well, it is possible to
    > try to malform the header so one of the records might trick somebody
    > into believing that it is one of the SMTP relay hops.
    >
    > Thanks for your input...
    > Tomas

    So what you want to do is obfuscate the Received: headers so it appears
    that the e-mail is coming from 127.0.0.1? This will be added to the
    header, but when the SMTP host sends it out to the Internet, the next
    host will stamp it with the _external_ IP of the SMTP host it was sent
    from, so it will be obvious where the message actually came from. All
    you end up doing is adding an extra unnecessary Received: header.

    -- 
    Brian Keefer
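An added example (not code from the thread) that turns Brian's point into a check: the connecting IP stamped by your own MX is the only trustworthy one, so any Received: line below it that claims 127.0.0.1, or claims to have been written by your MX, can be flagged. The message, the hostnames and the addresses are constructed; it assumes our MX is mx.example.net.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample (not from the thread). Line 1 was stamped by our own MX and
# records the real connecting IP; line 2 was written by the sender and claims the
# message reached our MX from 127.0.0.1, which line 1 contradicts.
RAW_MSG = """\
Received: from mail.bla.com (unknown [203.0.113.45])
\tby mx.example.net (Postfix) with ESMTP id 1A2B3C; Tue, 2 Sep 2003 09:26:18 -0700
Received: from localhost [127.0.0.1] by mx.example.net (MAILSERVER vX)
\twith SMTP; Tue, 2 Sep 2003 09:20:01 -0700
Return-Path: <bounce@bla.com>
Subject: test

body
"""

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                # host the writer says it got it from
    r"(?:\s+\(?[^\[\)]*\[(?P<ip>[0-9a-fA-F.:]+)\]\)?)?"   # connecting IP, if recorded
    r"\s+by\s+(?P<by>\S+)"                                 # MTA that wrote this line
)

def parse_received(raw):
    """Received: hops top-down (newest first); None for a line the regex can't read."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        hops.append(m.groupdict() if m else None)
    return hops

def audit_chain(hops, our_mx):
    """Findings as (hop_index, code); hops[0] must be the line our own MX stamped."""
    if not hops or hops[0] is None or hops[0]["by"].lower() != our_mx:
        return [(0, "top_line_not_ours")]
    findings = []
    for i in range(1, len(hops)):          # everything below hops[0] is only a claim
        hop, above = hops[i], hops[i - 1]
        if hop is None:
            findings.append((i, "unparseable"))
            continue
        if hop["by"].lower() == our_mx:            # we only ever wrote hops[0]
            findings.append((i, "impersonates_our_mx"))
        if above and hop["by"].lower() != above["helo"].lower():
            findings.append((i, "chain_break"))    # heuristic: 'by' should be the host above got it from
        if hop["ip"] and ip_address(hop["ip"]).is_loopback:
            findings.append((i, "loopback_source"))  # real connecting IP is in hops[0]
    return findings
```

The chain_break check is a heuristic: a legitimate relay may name itself differently in its own "by" than the next hop records in "from", so treat it as a hint, not proof.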
