Mailing List Message #5694
From: Cerebus D Aardvark <>
Subject: Re: Can IP's be forged in SIMS logs?
Date: Fri, 31 Mar 2000 11:03:57 -0700
To: SIMS Discussions <>
> Please let me know if I misunderstand these points about forged headers:
>
> Email headers can be forged, so my guess is that you cannot trust any
> "Received:" lines prior to the one your own server added.
>
> Now, for the most recent "Received" only, the IP number within brackets
> (such as "[]") is trustworthy, but any domain names are

Not necessarily.  If the IP address is listed with the domain, then the domain is trustworthy.  If the IP address is listed with (HELO domain.dom) then the domain MAY be untrustworthy.

There are perfectly good and logical reasons that a mailserver may claim another name.

Received: from [] (HELO by

This means that does not look up to . In fact, it is probably one of several servers that use as their HELO name.

> Let's say something is forged, will my SIMS log show the true or forged

SIMS shows the ACTUAL IP that connected.

17:24:36 4 SMTP-869() Got connection from []

This is the real and true IP that connected to your machine.

> The database shows Microsoft to own the IP.  So, if I am
> understanding this correctly, was this particular SPAM relayed by MSN to
> my server, even if parts of the header could be forged?

All you can say is that this SPAM came to your machine via It may have originated there.  But it was delivered to you by  It looks to me like the email actually originated with msn.
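As an added example (not part of this thread and not SIMS code), here is a small Python check that applies the rules discussed above: trust only the Received: line our own server wrote, treat a HELO name as a claim rather than a fact, and cross-check the bracketed IP against the SIMS "Got connection from" log line. The server name, host names, addresses and the log line are all constructed.

```python
import re
# Added example (not from the thread). Our own server is assumed to be
# "mail.example.org"; every host name and address below is constructed.
OUR_HOST = "mail.example.org"
# Received: lines newest first, as stored in the delivered message. Only the top
# one was written by OUR_HOST; the rest arrived with the message and may be forged.
RECEIVED_LINES = [
    "Received: from [192.0.2.10] (HELO mail.example.com) by mail.example.org"
    " with SMTP; Fri, 31 Mar 2000 11:03:57 -0700",
    "Received: from mailhost.example.com ([192.0.2.10]) by relay.example.com;"
    " Fri, 31 Mar 2000 10:59:02 -0700",
]
# Constructed SIMS log line in the shape the thread shows: the peer IP the server
# actually accepted the connection from.
SIMS_LOG_LINE = "17:24:36 4 SMTP-869() Got connection from [192.0.2.10]"

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)", re.IGNORECASE)
FROM_RE = re.compile(r"\bfrom\s+([^\s;]+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.IGNORECASE)
LOG_RE = re.compile(r"Got connection from \[([\d.]+)\]")

def _first(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None

def parse_received(line):
    """Split one Received: line into connecting IP, names, and receiving host."""
    body = line.split(":", 1)[1] if line.lower().startswith("received:") else line
    rec = {k: _first(rx, body) for k, rx in
           (("from", FROM_RE), ("ip", IP_RE), ("helo", HELO_RE), ("by", BY_RE))}
    # A name recorded next to the IP came from the receiving MTA's own lookup; when the
    # only name present is the HELO argument, the sender chose it and it proves nothing.
    rec["name_from_lookup"] = rec["from"] is not None and not rec["from"].startswith("[")
    return rec

def assess_chain(lines, our_host=OUR_HOST):
    """Trust only the top line, and only if our own server wrote it; the rest is hearsay."""
    out = []
    for pos, line in enumerate(lines):
        rec = parse_received(line)
        rec["trusted"] = pos == 0 and rec["by"] == our_host
        out.append(rec)
    return out

def connecting_ip_confirmed(lines, log_line, our_host=OUR_HOST):
    """True when our own Received: line and the SIMS log agree on the peer IP."""
    top = assess_chain(lines, our_host)[0]
    return top["trusted"] and top["ip"] is not None and top["ip"] == _first(LOG_RE, log_line)
```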
