Re: Is this to say email source is not all it is cracked up to be?

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 02/20/03


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Wed, 19 Feb 2003 22:53:15 -0500


Well, the government can do it, but you and I can't. The law enforcement
arms of the US government [police, FBI, CIA, Secret Service, etc.] can
strongarm and otherwise convince major ISPs like AOL to install data
sniffers/crunchers like Carnivore when they clearly don't want to do so, and
they can get court subpoenas to force an ISP to research what IP address
connected to their mail server, but you can't. The problem usually isn't
that no one knows what the IP address is, but that you don't have enough
power to force the relevant ISP to look it up.

One of the aggravating factors is that there are and always will be millions
of unsecured computers all over the world waiting for people to control them
remotely. A typical exploit here is not exactly forging the IP address, but
in telnetting or otherwise connecting to a wide open computer in another
country, and using that computer to attack and control another computer, and
so on, so that you have to force each ISP in the chain to help you look up
what IP address was controlling that computer at the time, until you run
into an ISP that can't or won't help. It's important to note that this
isn't even a vulnerability of SMTP... none of this is logged in the email
headers by design, because these aren't SMTP connections. So really, while
SMTP email headers can be forged, IMHO this isn't the largest problem here.

Another aggravating factor is that there are web-based email systems out
there where you can post email, and the source IP address given for the
email is the IP address of the web server providing this service. It's
pretty similar to the way when people post to this newsgroup using the web
interface at www.microsoft.com/support... their IP address is always listed
as the Microsoft nonroutable 10.x.x.x address. You and I can never know who
really posted that message, but Microsoft does. Some of the sites that
provide free email services like this provide them as "anonymizers," and
these sites will avoid having to give out the IP address of the person that
sent the message.

[SMTP headers are not really that hard to investigate, it's not magic.
Although a hacker can add bogus IP addresses and server names to the bottom
of the list, sooner or later one of the IP addresses in the list of servers
is a real one that actually passed the email in question. You can try to
determine this by, among other things, doing a ping -a on the IP given,
and pinging the server name given, and see if they seem to be related or
unrelated or nonexistent. That's when you run into the previously mentioned
problems where you have to contact that ISP to see if they will tell you
from their SMTP server logs what IP address was used to send the email.
Note again that SMTP is logging the IP address of the person who sent it,
even though YOU don't have easy access to that information.]

Lastly, once they find the person, there may not be laws in that person's
country to prosecute. Even with the authors of major viruses, they are
frequently unable to prosecute or do anything due to lack of relevant laws
in that country.

"George Hester" <hesterloli@hotmail.com> wrote in message
news:eLtyR3H2CHA.1624@TK2MSFTNGP09.phx.gbl...
Yes I thought of that with the post office. The Unabomber went for a very
long time. But it does seem to me that forged IP addresses are one sure way
to make sure no government has a prayer in tracking down email to their
source. Actually I do not believe that but I guess many do. Thanks for
your insight.
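As an added example (not part of Karl's post or the newsgroup thread), the script below does the header walk the bracketed paragraph above describes: it pulls each Received: line out of a message, checks that the chain of relays is continuous (each line's "by" host should be what the line above it received "from"), and compares the IP a relay recorded against a reverse lookup, which is what `ping -a` shows interactively. Every hostname, address and the PTR table are constructed so the example runs offline; for real mail the dictionary lookup would be replaced by `socket.gethostbyaddr(ip)[0]`. The checks only tell you where to stop trusting the chain; they do not identify the sender. The IP at the first suspicious hop is the one the post says you would have to ask the owning ISP about.

```python
"""Walk the Received: chain of an e-mail and flag where it stops being
trustworthy.  Added example, not code from the original post.

Relays prepend Received: lines, so hop 0 is nearest the recipient and the
last hop is whatever the injecting client claimed about itself.  A forger
who hands the mail to relay N controls every line below N, but relay N
itself records the IP the forger connected from.
"""
import re
from email import message_from_string

# Constructed stand-in for reverse DNS so the example runs offline.
# In real use: socket.gethostbyaddr(ip)[0], or `ping -a <ip>` by hand.
FAKE_PTR = {
    "203.0.113.10": "mail.example.net",
    "192.0.2.55": "dhcp-55.isp.example",
    # 203.0.113.200 is deliberately absent: the forged hop's IP has no PTR
}

# Handles the common "from <helo> (<rdns> [<ip>]) by <host>" form only.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>[^\s(]+)"                                     # name the client announced
    r"(?:\s*\((?:(?P<rdns>[^\s\[\]()]+)\s*)?\[(?P<ip>[^\]]+)\]\))?"  # (rdns [ip]) as seen by the relay
    r"\s+by\s+(?P<by>[^\s;(]+)",                                    # relay that wrote this line
    re.IGNORECASE,
)

# Constructed sample: the sender connected from 192.0.2.55 to mail.example.net,
# announced itself as trusted-relay.example.com, and pasted a fake bottom
# Received: line so the mail appears to originate at bigbank.example.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
\tby mx.example.org with ESMTP id abc123
\tfor <victim@example.org>; Wed, 19 Feb 2003 22:50:01 -0500
Received: from trusted-relay.example.com (dhcp-55.isp.example [192.0.2.55])
\tby mail.example.net with SMTP id def456; Wed, 19 Feb 2003 22:49:58 -0500
Received: from bigbank.example (bigbank.example [203.0.113.200])
\tby trusted-relay.example.com with ESMTP id fake01; Wed, 19 Feb 2003 22:40:00 -0500
From: "Account Security" <alerts@bigbank.example>
To: victim@example.org
Subject: constructed sample

body
"""


def parse_received(value):
    """Return {helo, rdns, ip, by} for one Received: header, or None."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return None
    return {k: (v.lower() if v else None) for k, v in m.groupdict().items()}


def received_chain(raw_message):
    """Parsed Received: hops, top of message first."""
    msg = message_from_string(raw_message)
    return [h for h in map(parse_received, msg.get_all("Received", [])) if h]


def audit_chain(hops, lookup=FAKE_PTR.get):
    """List of (hop_index, problem) for every hop that fails a check."""
    findings = []
    for i, hop in enumerate(hops):
        # 1. continuity: this hop's "by" host must be what the hop above
        #    received "from", either by announced name or by reverse name.
        if i > 0 and hop["by"] not in (hops[i - 1]["helo"], hops[i - 1]["rdns"]):
            findings.append((i, f"chain break: {hop['by']} is not the sender of the hop above"))
        if hop["ip"] is None:
            findings.append((i, "no client IP recorded"))
            continue
        # 2. name/address agreement, the `ping -a` check from the post.
        ptr = lookup(hop["ip"])
        if ptr is None:
            findings.append((i, f"{hop['ip']} has no reverse DNS; the name beside it cannot be confirmed"))
        elif hop["rdns"] and ptr != hop["rdns"]:
            findings.append((i, f"header claims {hop['ip']} is {hop['rdns']} but reverse DNS says {ptr}"))
        elif ptr != hop["helo"]:
            findings.append((i, f"client announced {hop['helo']} but {hop['ip']} resolves to {ptr}"))
    return findings


def ip_to_chase(raw_message, lookup=FAKE_PTR.get):
    """IP at the first suspicious hop: the address whose ISP would have to
    look up who was connected from it, per the post.  None if nothing fails."""
    hops = received_chain(raw_message)
    findings = audit_chain(hops, lookup)
    if not findings:
        return None
    return hops[min(i for i, _ in findings)]["ip"]


if __name__ == "__main__":
    hops = received_chain(SAMPLE)
    for i, hop in enumerate(hops):
        print(i, hop)
    for i, problem in audit_chain(hops):
        print(f"hop {i}: {problem}")
    print("ask the owner of", ip_to_chase(SAMPLE), "who held it at that time")
```

On the constructed sample, hop 0 passes, hop 1 is flagged because the announced name does not match the reverse name of 192.0.2.55, and hop 2 is flagged because its IP has no reverse DNS at all; the bottom line's chain continuity passes, which is exactly why continuity alone is not enough and the address check matters.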
