Re: It's driving me crazy!

From: Alun Jones [MS MVP] (alun_at_texis.com)
Date: 10/28/03


Date: Tue, 28 Oct 2003 17:18:10 GMT

In article <uPQOCFWnDHA.1728@TK2MSFTNGP09.phx.gbl>, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:
>Petition your ISP to install anti virus software on their email servers.

Oh, and make sure that they scan _outgoing_ email (connections to port 25)
as well as incoming. And when they detect outgoing viruses, they need to
block that user's ability to send email until such time as the user has
cleaned up their infection.

I'm still getting way too much sweN-mail, and it's obvious that there are
some ISPs out there who aren't getting it. Here's a sample list of ISPs
that have infected users:

tiscali.it
9tel.net
cswnet.com
tin.it
ev1.net
swbell.net
utfors.se
bezeqint.net
eircom.net
nsk.su
hinet.net (hardly a surprise)
oemgrp.com

That was just from a quick look at the "Received" headers in the first
twenty of my captured sweN emails. I'm a little surprised that these are
not all the small outfits I was expecting. You can do the same sort of
detective work for yourselves. Look at the headers of the message (each
mailer has a different way of doing this; in MS Outlook, you need to "View
Options" on the message). The first header is a "Received" header. It is
placed there by your mail server, and it tells you what system sent the mail
to it. You can trust most of what this header tells you. Here's an
example:

Received: from mail15a.boca15-verio.com (207.201.145.93)
        by mail01d.rapidsite.net (RS ver 1.0.88vs) with SMTP id 1-0378367821
        for <end-recipient>; Tue, 28 Oct 2003 11:17:01 -0500 (EST)

[I've removed the email address and replaced it with "end-recipient".]

Notice a few things here - the first is that this was received from IP
address 207.201.145.93. The server at that address _claimed_ that it was
"mail15a.boca15-verio.com". This could have been forged, but as it turns
out, it wasn't. The time and date stamp are also important, as they tell
you exactly when the email hit the server.

If you're like me, this header isn't the whole of the story. This message
was sent to my "texis.com" address, and forwarded to the end-recipient
address. mail15a.boca15-verio.com is an email server that works for me to
send messages on to my final address (which is hosted at rapidsite.net).

So, we have to look at the next Received header:

Received: from mail-3.tiscali.it (195.130.225.149)
        by mail15a.boca15-verio.com (RS ver 1.0.87vs) with SMTP id 2-0303087807
        for <alun@texis.com>; Tue, 28 Oct 2003 11:16:48 -0500 (EST)

Again, since mail15a.boca15-verio.com works for me, we can trust this
header. We know that the system 195.130.225.149 sent us this message. It
_claims_ to be mail-3.tiscali.it. A quick 'tracert' verifies that this is
true. This is the outgoing mail server for the user that sent this mail.

There's a Received header after that, though:

Received: from qccy (217.133.158.42) by mail-3.tiscali.it (6.7.019)
        id 3F93DB03006787D4; Tue, 28 Oct 2003 17:14:30 +0100

A 'tracert' to 217.133.158.42 reveals that "qccy" is a made-up name (not
that that's a surprise!), and this is actually one of Tiscali's ADSL users.
That's who has the infection here. But we don't know which one of Tiscali's
ADSL users that is, so we have to contact postmaster@tiscali.it, or
abuse@tiscali.it in order to pass them the headers of this message, so that
they can investigate who was using that address at the time, and can
disinfect them.

That's a brief primer on tracing through "Received" headers. Remember that
each Received header goes on top of the one before it, and a mail sender or
intermediate server could quite easily pass on faked Received headers. A
sanity check against time information, or names of servers passed through,
can be useful to determine what's forgery, and what's not. Assume that you
can trust your ISP's Received headers, but each step you take further away
leads you to trust the header less.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]

-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | alun@texis.com.
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
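As an added example (not part of the original post), here is a small Python walk through the three Received headers quoted above, applying the rules the post describes: unfold the folded lines, pull out the claimed name, the connecting IP and the receiving server, treat only headers written by servers you operate as trusted (MY_SERVERS is an assumption for this example), and sanity-check that each hop's sender matches the writer of the next header down and that timestamps run backwards down the chain.

```python
import re
from email.utils import parsedate_to_datetime
# Constructed sample: the three Received headers quoted in the post, folded as
# they appear in a raw message (continuation lines start with whitespace).
SAMPLE_HEADERS = """\
Received: from mail15a.boca15-verio.com (207.201.145.93)
        by mail01d.rapidsite.net (RS ver 1.0.88vs) with SMTP id 1-0378367821
        for <end-recipient>; Tue, 28 Oct 2003 11:17:01 -0500 (EST)
Received: from mail-3.tiscali.it (195.130.225.149)
        by mail15a.boca15-verio.com (RS ver 1.0.87vs) with SMTP id 2-0303087807
        for <alun@texis.com>; Tue, 28 Oct 2003 11:16:48 -0500 (EST)
Received: from qccy (217.133.158.42) by mail-3.tiscali.it (6.7.019)
        id 3F93DB03006787D4; Tue, 28 Oct 2003 17:14:30 +0100
"""
MY_SERVERS = {"mail01d.rapidsite.net", "mail15a.boca15-verio.com"}  # assumed: servers I operate
FROM_RE = re.compile(r"from\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")
BY_RE = re.compile(r"\bby\s+(\S+)")

def unfold(raw):
    """Join folded header lines: a continuation line starts with whitespace."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(raw):
    """One dict per Received header, newest (topmost) first."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1]
        m_from, m_by = FROM_RE.search(body), BY_RE.search(body)
        stamp = body.rsplit(";", 1)[1].strip() if ";" in body else None
        hops.append({"claimed": m_from and m_from.group(1), "ip": m_from and m_from.group(2),
                     "by": m_by and m_by.group(1),
                     "time": parsedate_to_datetime(stamp) if stamp else None})
    return hops

def trace(hops, my_servers):
    """Mark a hop trusted if a server we operate wrote it; check name chain and time order."""
    out = []
    for i, hop in enumerate(hops):
        nxt = hops[i + 1] if i + 1 < len(hops) else None
        out.append({**hop, "trusted": hop["by"] in my_servers,
                    "chain_ok": nxt is None or hop["claimed"] == nxt["by"],
                    "time_ok": nxt is None or hop["time"] >= nxt["time"]})
    return out
```

The last hop comes back untrusted because tiscali.it, not one of our servers, wrote it; its 217.133.158.42 is the address to report to abuse@tiscali.it along with the full headers.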

