Mailing List SIMS@mail.stalker.com Message #5689
From: <eric@micromaniac.com>
Subject: Can IP's be forged in SIMS logs?
Date: Thu, 30 Mar 2000 18:34:01 -0800
To: <sims@mail.stalker.com>
X-Mailer: Mozilla 4.7 (Macintosh; I; PPC)
Please let me know if I misunderstand these points about forged headers:

1.)

Email headers can be forged, so my guess is that you cannot trust any
"Received:" lines prior to the one your own server added.

2.)

Now, for the most recent "Received" only, the IP number within brackets
(such as "[207.46.181.26]") is trustworthy, but any domain names are
not.

Here're the actual Received lines (with slight abbreviations on the
other lines):

Return-Path: vmfk@msn.com
Received: from [207.46.181.26] (HELO smtp.email.msn.com) by
vi-216-128-27-155-covad.anhm.firstworld.net (Stalker SMTP Server 1.8b8)
with ESMTP id S.0000034121 for <eric@velona.com>; Wed, 29 Mar 2000
17:24:52 -0800
Received: from rocconet - 63.15.214.195 by email.msn.com with Microsoft
SMTPSVC; Wed, 29 Mar 2000 17:19:19 -0800
To: Busopp@aol.com
BCC: *** the BCC's were for eric@ several domains including one of mine
***
From: <vmfk@msn.com>

(I named my server "vi-216..bla-bla-bla..firstworld.net" because I have
not yet asked my ISP to change the reverse look-ups.)

3.)

Let's say something is forged; will my SIMS log show the true or forged
IP?

Here's the actual log:

17:24:36 4 SMTP(tcp) Connection request from
[207.46.181.26:3681],seq=673, 8/9
17:24:36 4 SMTP Line 869 created for answering
17:24:36 4 SMTP-869() Got connection from [207.46.181.26:3681]
17:24:36 4 SMTP(tcp) Connection accepted from [207.46.181.26:3681],
seq=673, 8/9
17:24:36 4 SMTP-869([207.46.181.26]) Sending 220-Stalker Internet Mail
Server V.1.8b8 is ready.\r\n220 ESMTP is spoken here. You are
welcome\r\n
17:24:36 4 SMTP-869([207.46.181.26]) Looking for
26.181.46.207.rbl.maps.vix.com
17:24:36 4 SMTP-869([207.46.181.26]) Looking for
26.181.46.207.relays.mail-abuse.org
17:24:36 4 SMTP-869([207.46.181.26]) Input Line: EHLO
smtp.email.msn.com\r
17:24:36 4 SMTP-869(smtp.email.msn.com) Looking for smtp.email.msn.com
17:24:51 0 SYSTEM The current date is Wednesday, March 29, 2000
17:24:52 4 SMTP-869(smtp.email.msn.com) Sending
250-vi-216-128-27-155-covad.anhm.firstworld.net your name is not
smtp.email.msn.com\r\n250-HELP\r\n250-PIPELINING\r\n250-ETRN\r\n250
EHLO\r\n
17:24:52 4 SMTP-869([207.46.181.26]) Input Line: MAIL
FROM:<vmfk@msn.com>\r
17:24:52 4 SMTP-869([207.46.181.26]) Sending 250 <vmfk@msn.com> sender
accepted\r\n
17:24:52 4 SMTP-869([207.46.181.26]) Input Line: RCPT
TO:<eric@velona.com>\r
17:24:52 4 SMTP-869([207.46.181.26]) Sending 250 <eric@velona.com>
recipient accepted\r\n
17:24:52 4 SMTP-869([207.46.181.26]) Input Line: DATA\r
17:24:52 4 SMTP-869([207.46.181.26]) Sending 354 Enter mail, end with
"." on a line by itself\r\n
17:24:52 2 SMTP-869([207.46.181.26]) {S.0000034121} received, 1367 bytes

17:24:52 4 SMTP-869([207.46.181.26]) Sending 250 S.0000034121 message
accepted for delivery\r\n
17:24:52 2 SYSTEM [S.0000034121]
<094b51919011e30CPIMSSMTPU01@email.msn.com> 0+1 From:vmfk@msn.com
17:24:52 2 SYSTEM(POP) [S.0000034121] delivered to (eric)eric
17:24:52 2 SYSTEM [S.0000034121] deleted
17:24:52 4 SMTP-869([207.46.181.26]) Input Line: QUIT\r
17:24:52 4 SMTP-869([207.46.181.26]) Sending 221
vi-216-128-27-155-covad.anhm.firstworld.net closing connection\r\n
17:24:52 4 SMTP-869([207.46.181.26]) Closing
17:24:52 4 SMTP-869([207.46.181.26]) Nothing read - stream closed
17:24:52 4 SMTP-869([207.46.181.26]) Input Stream ended
17:24:52 3 SMTP-869([207.46.181.26]) Abort Received, reason=22651340
17:24:52 4 SMTP disposing line 869

4.)

The arin.net database shows Microsoft to own the IP.  So, if I am
understanding this correctly, was this particular SPAM relayed by MSN to
my server, even if parts of the header could be forged?

Thanks!  Eric.
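Added example (not from the post above or from the Stalker software): walk the two Received: lines quoted in the message and separate what the local server itself observed (the bracketed peer IP) from what it was merely told (the HELO name and every earlier hop). The local hostname is assumed from the first Received: line; the headers are the post's own, with the folded lines rejoined.

```python
import re

LOCAL_HOST = "vi-216-128-27-155-covad.anhm.firstworld.net"  # assumed local server name

# Constructed from the two Received: headers quoted in the post (folding undone).
HEADERS = [
    "Received: from [207.46.181.26] (HELO smtp.email.msn.com) by "
    "vi-216-128-27-155-covad.anhm.firstworld.net (Stalker SMTP Server 1.8b8) "
    "with ESMTP id S.0000034121 for <eric@velona.com>; Wed, 29 Mar 2000 17:24:52 -0800",
    "Received: from rocconet - 63.15.214.195 by email.msn.com with Microsoft "
    "SMTPSVC; Wed, 29 Mar 2000 17:19:19 -0800",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_received(line):
    """Best-effort parse of one Received: header (vendors format them differently)."""
    body = line[len("Received:"):].strip()
    hop = {"raw": body, "peer_ip": None, "helo": None, "by": None}
    m = re.search(r"\bby\s+(\S+)", body)
    if m:
        hop["by"] = m.group(1)
    # A bracketed address is the TCP peer the receiving server actually connected with.
    m = re.search(r"\[(" + IPV4 + r")(?::\d+)?\]", body)
    if not m:  # Microsoft SMTPSVC style: "from name - a.b.c.d by ..."
        m = re.search(r"\bfrom\s+\S+\s+-\s+(" + IPV4 + r")\b", body)
    if m:
        hop["peer_ip"] = m.group(1)
    m = re.search(r"\(HELO\s+([^)\s]+)\)", body)
    if m:
        hop["helo"] = m.group(1)  # self-declared by the client, never verified here
    return hop


def classify_hops(headers, local_host):
    """Top-down list of hops; only the one stamped 'by local_host' is observed
    by us, every hop below it was supplied by the sending peer and may be forged."""
    hops = [parse_received(h) for h in headers if h.lower().startswith("received:")]
    for hop in hops:
        hop["trust"] = "observed" if hop["by"] == local_host else "claimed"
    return hops


def observed_peer_ip(headers, local_host):
    """The address our own server saw on the wire, or None if no hop is ours."""
    for hop in classify_hops(headers, local_host):
        if hop["trust"] == "observed":
            return hop["peer_ip"]
    return None


if __name__ == "__main__":
    for hop in classify_hops(HEADERS, LOCAL_HOST):
        print(hop["trust"], hop["peer_ip"], "helo=%s" % hop["helo"], "by=%s" % hop["by"])
```

The HELO name is carried through only as a claim; whether it matches the peer's reverse lookup is the check the server itself performs (the log's "your name is not smtp.email.msn.com" line), and anything below the observed hop is taken purely on the sender's word.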
