Mailing List SIMS@mail.stalker.com Message #12493
From: Global Homes Webmaster <webmaster@globalhomes.com>
Subject: Re: Verifying return-paths
Date: Mon, 10 Feb 2003 11:45:06 -0800
To: SIMS Discussions <SIMS@mail.stalker.com>
X-Mailer: Mailsmith 1.5.4 (Blindsider)
On 02/10/03 at 09:55, Chris Wagner opined:

> I know that I have asked something along these lines before, but
> wanted to make sure that I am not misunderstanding this.
>
> If I have SIMS set up to verify return paths, can I assume that the
> mailbox SIMS says it's coming from is accurate and not spoofed in any
> way?

The 'Return-Path' header is not SIMS saying where the message came from.
The Return-Path is given to SIMS by the sending MTA (as the argument to its
MAIL-FROM command), which can give essentially anything that looks like an
e-mail address. In other words, it is trivially easy to forge. If 'Verify
Return-Paths' is enabled, SIMS does a DNS look-up of the domain name and
rejects the message if it can't find a valid A or MX record for it. It also
sends the address through the router and bounces the message if the address
is routed to 'error' or delivers it to the Great Void if it's routed to
'null'.

> The reason I ask is this - at least ONE of these accounts hasn't been
> used for a very long time, and is coming from a local provider,
> journey.com.
>
> I talked with the woman who owned that mailbox and she said she
> hasn't used that address in many months.

That's not at all surprising and doesn't mean much.

> I guess I'm trying to track down and see where these messages are
> REALLY coming from.

The Return-Path address given by the sending MTA doesn't necessarily have
anything to do with who actually sent the message. IIRC, some of the
viruses that send themselves out to a victim's address book also use
entries from the address book as Return-Paths. So the Return-Path doesn't
tell you much about the source except that it may have come from an
infected machine that had that address in its address book.

Instead of looking at the Return-Path, you should be looking at the
'Received' header line that was written by SIMS (the top-most Received
line). That shows the IP address of the MTA that relayed the message to
your server. It may not be the ultimate source of the message, but it's a
starting point.

I only really look at Return-Paths to see if they look like it would be any
use to route them to error.

> The attachments vary, from .scr to .bat, but the second file seems to
> be the same.
>
> It's called villamo32.html.
>
> Anyways, thanks in advance for your help.

--
                   Christopher Bort | cbort@globalhomes.com
            Webmaster, Global Homes | webmaster@globalhomes.com
                      <http://www.globalhomes.com/>
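As an added illustration of the distinction this reply draws (example code, not from the thread or from SIMS): parse a constructed message, read the forgeable Return-Path domain, take the relay IP from the top-most Received line, and apply the "A or MX record" check with an injected resolver stub so it runs offline. The message, hostnames and addresses below are constructed.

```python
import email
import re
from email import policy
from typing import Callable, Optional

# Constructed sample (not from the thread): a Return-Path supplied by the
# sending MTA in MAIL FROM, and a top-most Received line as the receiving
# server would write it, recording the IP of the MTA that relayed to us.
RAW_MESSAGE = b"""\
Return-Path: <someone@journey.example>
Received: from mail.journey.example (unknown [203.0.113.45])
\tby mail.example.net with SMTP; Mon, 10 Feb 2003 09:50:00 -0800
Received: from [192.0.2.7] by mail.journey.example; Mon, 10 Feb 2003 09:49:00 -0800
From: someone@journey.example
To: victim@example.net
Subject: hello

body
"""

def parse(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)

def return_path_domain(msg) -> Optional[str]:
    """Domain of the envelope sender as recorded in Return-Path (forgeable)."""
    rp = str(msg.get("Return-Path", ""))
    m = re.search(r"<?([^<>\s]+)@([^<>\s]+?)>?\s*$", rp)
    return m.group(2).lower() if m else None

def relay_ip_from_top_received(msg) -> Optional[str]:
    """IP of the MTA that handed the message to our server: the first
    (top-most) Received line is the one our own MTA wrote, so it is the
    only one we did not have to take on trust."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0]))
    return m.group(1) if m else None

def verify_return_path(domain: Optional[str],
                       has_a_or_mx: Callable[[str], bool]) -> str:
    """Mimics the 'Verify Return-Paths' rule described in the reply: accept
    when the domain has an A or MX record, otherwise reject. The resolver is
    injected (a stub in the test) so the example needs no network."""
    if domain is None:
        return "reject"
    return "accept" if has_a_or_mx(domain) else "reject"
```

Note that a Return-Path domain passing the A/MX check says nothing about the relay IP; only the top-most Received line ties the message to a host you can actually investigate.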