Re: Decoding Internet headers in email
From: N. Miller (anonymous_at_discussions.microsoft.com)
Date: 01/27/05
- Next message: N. Miller: "Re: Hot Mail Staff"
- Previous message: Steven L Umbach: "Re: Port management , closing ports from intrusion"
- Next in thread: Alun Jones [MSFT]: "Re: Decoding Internet headers in email"
- Reply: Alun Jones [MSFT]: "Re: Decoding Internet headers in email"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 26 Jan 2005 22:45:21 -0800
In article <#rIN7rS4EHA.936@TK2MSFTNGP12.phx.gbl>, Alun Jones [MSFT] says...
> "N. Miller" <anonymous@discussions.microsoft.com> wrote in message
> news:MPG.1c26e46621de82ec98a540@msnews.microsoft.com...
> > No. The only line that can't be spoofed is the one written by your server
> > when it identifies the IP address of the sending server. Everything else
> > is trivially faked or forged.
> Even some of that information is spoofable.
But not, as I mentioned, the IP address.
> Usually such a header contains the name that the sending client gave to
> the SMTP server, the IP address of the sending client, and the name of
> the receiving server. The IP address and receiver's name are reliable...
The IP address is that which I mentioned.
> ...the IP address is required to be true when connecting (*)...
That is not so much a "requirement" as a fact of the MX operation. Unless
the MX is configured otherwise, it will note the IP address of the SMTP
client making the connection. It just happens.
> ...and the receiver's name is configured in your SMTP server.
Not that I am aware of. The SMTP server may run a DNS lookup to determine
the name of the incoming connection. It can't know the name of the incoming
connection otherwise. Well, unless it builds a huge database, which would
need constant updates to keep up with DNS changes. But why do that when the
server can just query the DNS system?
> The name the client gives to the server, however, could be
> anything, and some spammers forge it to confuse you if you're reading the
> headers, by putting in what looks like the source IP address part of the
> string. So, you might get "Received-From:
> Nice-site.example.com[10.1.1.25]_by_yourserver.example.com (192.168.5.4) by
> yourserver.example.com" - in that case, the name the spammer gave was
> "Nice-site.example.com[10.1.1.25]_by_yourserver.example.com", its IP address
> is 192.168.5.4, and your mail server is yourserver.example.com. But you
> might be fooled into believing that the spammer was coming from 10.1.1.25.
None of which I dispute; but I did mention that only the IP address is not
spoofable. Well, there would be no point in trying to spoof the IP address
because the MX would try to complete the TCP handshake with the spoofed IP
address, and the spoofer would never see the results of the SMTP
transaction.
> Reading email headers is an art, and you should use email headers as
> information to determine who to complain to, never to launch a retributive
> attack.
I don't recall saying anything about retribution. I do agree that reading
headers can be tricky. It helps to know your own mail hosts; otherwise you
can't be sure of anything about the headers that you see. The only reasons
to even bother learning to interpret headers is to set up client filters, if
your client is more capable than MS Outlook Express, and find out where to
lodge complaints.
-- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint
- Next message: N. Miller: "Re: Hot Mail Staff"
- Previous message: Steven L Umbach: "Re: Port management , closing ports from intrusion"
- Next in thread: Alun Jones [MSFT]: "Re: Decoding Internet headers in email"
- Reply: Alun Jones [MSFT]: "Re: Decoding Internet headers in email"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
