Mailing List SIMS@mail.stalker.com Message #5690
From: Bill Cole <listbill@scconsult.com>
Subject: Re: Can IP's be forged in SIMS logs?
Date: Thu, 30 Mar 2000 23:47:29 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
>Please let me know if I misunderstand these points about forged headers:
>
>1.)
>
>Email headers can be forged, so my guess is that you cannot trust any
>"Received:" lines prior to the one your own server added.

Right. You have to determine how well you trust the previous MTA (usually
not much, but maybe enough that it didn't totally fake the header) before
you try to track back from the Received header SIMS added.

>
>2.)
>
>Now, for the most recent "Received" only, the IP number within brackets
>(such as "[207.46.181.26]") is trustworthy, but any domain names are
>not.

Right.

>3.)
>
>Let's say something is forged, will my SIMS log show the true or forged
>IP?

The true one. Theoretically someone could use IP spoofing for sending
e-mail, but it would be quite a waste of a very complicated trick. I've
never heard a credible claim of anyone using IP spoofing to spam, or even
to manage what looks like a normal TCP session outside of a demo
environment set up to prove the theory.

>
>4.)
>
>The arin.net database shows MicroSoft to own the IP.  So, if I am
>understanding this correctly, was this particular SPAM relayed by MSN to
>my server, even if parts of the header could be forged?

Yes.


--
Bill Cole

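As an added illustration of the points above (not part of the original message or of SIMS), a Python snippet that pulls the Received lines out of a raw header block and marks only the bracketed IP in the topmost line, the one our own MTA added, as trustworthy; the host names, addresses and dates in the sample are constructed.

```python
import re
from email.parser import HeaderParser

# Constructed sample headers (not from a real message). The first Received line
# is the one our own server added when the remote host connected; every line
# below it was handed to us by the remote side and could be forged in full.
SAMPLE_HEADERS = (
    "Received: from mx.example.net ([203.0.113.45])\n"
    "\tby mail.example.com (SIMS) with ESMTP; Sat, 1 Apr 2000 10:15:03 -0500\n"
    "Received: from user.example.org (user.example.org [198.51.100.7])\n"
    "\tby mx.example.net with SMTP; Sat, 1 Apr 2000 10:14:55 -0500\n"
    "Received: from localhost by user.example.org; Sat, 1 Apr 2000 10:14:40 -0500\n"
    "From: someone@example.org\n"
    "Subject: test\n"
    "\n"
)

# IPv4 literal in brackets, the form a Received line uses, e.g. "[207.46.181.26]".
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_lines(raw_headers):
    """All Received values, topmost (most recently added) first, with folded
    continuation lines joined into one line."""
    msg = HeaderParser().parsestr(raw_headers)
    return [" ".join(value.split()) for value in msg.get_all("Received", [])]


def classify_received(raw_headers):
    """Annotate each Received line with the bracketed IP it carries and whether
    that IP can be trusted. Only the topmost line was written by our own MTA,
    and even there only the bracketed IP is reliable: the 'from' host name is
    whatever the client announced, so it is not checked or trusted here."""
    result = []
    for index, line in enumerate(received_lines(raw_headers)):
        match = BRACKET_IP.search(line)
        result.append({
            "line": line,
            "ip": match.group(1) if match else None,
            "trusted": index == 0,  # anything below our own header may be forged
        })
    return result


def connecting_ip(raw_headers):
    """The IP that actually connected to our MTA, or None if it is absent."""
    entries = classify_received(raw_headers)
    return entries[0]["ip"] if entries else None
```

The IP returned by `connecting_ip` is the one to look up in a registry such as arin.net; the earlier Received lines are kept only as untrusted context.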