Re: Header manipulation...?

From: Kenneth (usenet_at_SPAMLESSsoleassociates.com)
Date: 11/10/04


Date: Wed, 10 Nov 2004 12:36:47 -0500

On Wed, 10 Nov 2004 12:03:02 -0500, Lars M. Hansen
<badnews@hansenonline.net> wrote:

>On Wed, 10 Nov 2004 07:55:11 -0500, Kenneth spoketh
>
>>
>>Howdy,
>>
>>Suppose I receive an email with this header:
>>
>>
>>
>>Return-Path: <leo@aflac.com>
>>Delivered-To: grelm@0
>>Received: (qmail 5923 invoked by uid 107); 10 Nov 2004
>>11:57:41 -0000
>>Received: from rrcs-11-222-33-444.west.biz.rr.com (HELO
>>aflac.com) (11.222.33.44)
>> by s9006.hostcentric.net with SMTP; 10 Nov 2004 11:57:41
>>-0000
>>From: leo@aflac.com
>>To: grelm@mydomain.com
>>Subject: ifgdqpvssnqmk
>>Date: Wed, 10 Nov 2004 03:59:10 -0800
>>MIME-Version: 1.0
>>Content-Type: multipart/mixed;
>> boundary="----=_NextPart_000_0004_73A0935F.42C6F0F0"
>>X-Priority: 3
>>X-MSMail-Priority: Normal
>>
>>
>>
>>
>>Is there any way that it did not come through
>>"11.222.33.44"?
>>
>>That is, are there possible manipulations that might
>>disguise the source server?
>>
>
>As e-mail moves from server to server (and sometimes, it may be routed
>through a few servers before it gets to you), each adds its own headers
>to it, and they are added on top. So, the "Received" line closest to the
>top is the one added by the mail server that accepted the message on
>your behalf. It will list the IP address of the server it is talking to
>when accepting the message, and most mail servers will also do a reverse
>lookup on the IP address, which is why you get both the FQDN and the IP
>address listed. Since this information is added by your mail server, it
>is unlikely that there's any type of header manipulation going on, at
>least with that header. It is possible to add in additional "received"
>lines to make it look like it's been routed through a number of servers,
>but that top one is difficult to manipulate unless they've hacked the
>mail server...
>
>So, if that "biz.rr.com" address is the only one (or the top one), then
>it is very likely that the message either came from there, or at least
>was relayed through their mailserver.
>
>
>Lars M. Hansen
>http://www.hansenonline.net
>(replace 'badnews' with 'news' in e-mail address)

Hi Lars,

I very much appreciate your help...

I want to make certain that I am understanding this
correctly:

Suppose I receive an email with a virus attachment. When I
look at the header, I should be looking for the IP address
closest to the bottom to see where the message started its
journey. Is that correct?

And also, you said that the top IP address would be
difficult to manipulate. But, what about the bottom one
(that is the IP address that is the sender's starting
point?) Would that be any easier to manipulate?

I am asking all this for a specific reason:

Months ago, I received many hundreds of emails each day that
had a version of the LOVGATE virus attached. Apparently,
that is a mass mailing worm that was going around at the
time.

Now, it is starting again. Currently, I receive about 25 of
these each day.

I have little reason to believe that these are being sent to
me maliciously. Rather, I assume that there is someone out
there who has an infected system.

If the starting IP address is difficult, or impossible to
manipulate, then it should be quite easy for me to contact
the appropriate folks and stop the impending flood.

Thanks again for your help,
 

-- 
Kenneth
If you email... Please remove the "SPAMLESS."
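As an added example (not part of the original thread or of either poster's words), the short Python script below applies Lars's reading order to the headers Kenneth quoted: it walks the "Received:" lines top-down, treats the hop written by the recipient's own server as the only verified peer IP, and marks everything below it as merely claimed. The "Received:" line naming mail.example.net / 198.51.100.7 is a constructed, fabricated hop appended to the quoted headers to stand in for what a sender can forge; the trusted-host list is an assumption for the example (in practice it is the list of your own MX and relay hostnames).

```python
import re
from email import message_from_string

IPV4 = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')

# Constructed sample input: the headers quoted in the thread, plus one fabricated
# "Received:" line at the bottom (198.51.100.7 is a documentation address) standing
# in for a hop a spammer can write before handing the message to the network.
SAMPLE_HEADERS = """\
Return-Path: <leo@aflac.com>
Delivered-To: grelm@0
Received: (qmail 5923 invoked by uid 107); 10 Nov 2004 11:57:41 -0000
Received: from rrcs-11-222-33-444.west.biz.rr.com (HELO aflac.com) (11.222.33.44)
  by s9006.hostcentric.net with SMTP; 10 Nov 2004 11:57:41 -0000
Received: from mail.example.net (mail.example.net [198.51.100.7])
  by aflac.com with ESMTP id 12345; Wed, 10 Nov 2004 03:59:09 -0800
From: leo@aflac.com
To: grelm@mydomain.com
Subject: ifgdqpvssnqmk
Date: Wed, 10 Nov 2004 03:59:10 -0800

"""

# Assumption for the example: the recipient's own mail servers (the "by" host
# of the hop you trust). Replace with your real MX/relay hostnames.
TRUSTED_HOSTS = {"s9006.hostcentric.net"}


def parse_hops(raw_message):
    """Return the Received headers, top to bottom (newest hop first), as dicts."""
    msg = message_from_string(raw_message)
    hops = []
    for raw in msg.get_all("Received", []):
        line = re.sub(r"\s+", " ", raw).strip()          # unfold continuation lines
        from_m = re.search(r"\bfrom\s+(\S+)", line)
        by_m = re.search(r"\bby\s+([A-Za-z0-9.-]+)", line)
        # The connecting peer's IP is recorded in the "from ..." clause, before " by ".
        from_part = line.split(" by ", 1)[0] if from_m else ""
        ip_m = IPV4.search(from_part)
        hops.append({
            "from_host": from_m.group(1).lower() if from_m else None,
            "from_ip": ip_m.group(1) if ip_m else None,
            "by": by_m.group(1).lower() if by_m else None,
            "raw": line,
        })
    return hops


def classify_hops(hops, trusted_hosts):
    """Label each hop internal / verified / claimed; return the verified peer IP.

    Only the hop written by one of our own servers while talking to an outside
    host is trustworthy. Every Received line below it was already present in the
    message when we accepted it, so the sender could have written it.
    """
    trusted = {h.lower() for h in trusted_hosts}
    verified_ip = None
    in_trusted_zone = True
    for hop in hops:
        if not in_trusted_zone:
            hop["status"] = "claimed"
            continue
        # Local handoff (qmail's "invoked by uid") or relay between our own hosts.
        if hop["from_host"] is None or (hop["by"] in trusted and hop["from_host"] in trusted):
            hop["status"] = "internal"
            continue
        if hop["by"] in trusted and hop["from_ip"]:
            hop["status"] = "verified"        # the IP our server actually spoke to
            verified_ip = hop["from_ip"]
        else:
            hop["status"] = "claimed"         # chain left our infrastructure unexpectedly
        in_trusted_zone = False
    return verified_ip


def analyze(raw_message, trusted_hosts):
    hops = parse_hops(raw_message)
    verified_ip = classify_hops(hops, trusted_hosts)
    return {
        "verified_ip": verified_ip,                      # what to report to an abuse desk
        "bottom_ip": hops[-1]["from_ip"] if hops else None,  # the forgeable "origin"
        "hops": hops,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_HEADERS, TRUSTED_HOSTS)
    for hop in result["hops"]:
        print(f"{hop['status']:9} from={hop['from_ip']!s:15} by={hop['by']}")
    print("verified peer IP:", result["verified_ip"])
    print("bottom-most IP  :", result["bottom_ip"], "(claimed, not verified)")
```

Run as-is, the script marks the qmail line as internal, the biz.rr.com hop as the verified peer (11.222.33.44), and the fabricated bottom line as claimed: the bottom-most IP is exactly the one a sender controls, so an abuse report should cite the verified peer, not the bottom hop.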

