Mailing List SIMS@mail.stalker.com Message #5694
From: Cerebus D Aardvark <kreme@kreme.com>
Subject: Re: Can IP's be forged in SIMS logs?
Date: Fri, 31 Mar 2000 11:03:57 -0700
To: SIMS Discussions <SIMS@mail.stalker.com>
> Please let me know if I misunderstand these points about forged headers:
> 
> 1.)
> 
> Email headers can be forged, so my guess is that you cannot trust any
> "Received:" lines prior to the one your own server added.
> 
> 2.)
> 
> Now, for the most recent "Received" only, the IP number within brackets
> (such as "[207.46.181.26]") is trustworthy, but any domain names are
> not.

Not necessarily.  If the IP address is listed with the domain, then the domain is trustworthy.  If the IP address is listed with (HELO domain.dom) then the domain MAY be untrustworthy.

There are perfectly good and logical reasons that a mailserver may claim another name.

Return-Path: vmfk@msn.com
Received: from [207.46.181.26] (HELO smtp.email.msn.com) by

This means that 207.46.181.26 does not lookup to smtp.email.msn.com . In fact, it is cpimssmtpu01.email.msn.com, probably one of several servers that use smtp.email.msn.com as their HELO name.

> Let's say something is forged, will my SIMS log show the true or forged
> IP?

SIMS shows the ACTUAL IP that connected.

17:24:36 4 SMTP-869() Got connection from [207.46.181.26:3681]

This is the real and true IP that connected to your machine.

> The arin.net database shows Microsoft to own the IP.  So, if I am
> understanding this correctly, was this particular SPAM relayed by MSN to
> my server, even if parts of the header could be forged?

All you can say is that this SPAM came to your machine via msn.com. It may have originated there.  But it was delivered to you by msn.com.  It looks to me like the email actually originated with msn.
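The cross-check described in this thread, written out as an added Python example (not code from the post or from SIMS): it pulls the bracketed peer address and the client's HELO name out of the topmost "Received:" line in the form SIMS writes it, pulls the connecting address out of the SIMS "Got connection from" log entry, and reports whether the two agree and whether the HELO name matches the address's reverse DNS. The reverse lookup is passed in as a function so the script runs offline; the lookup table below is constructed and simply encodes what the post reports for 207.46.181.26. Function names, the "(HELO name)" regex and the two-label domain comparison are assumptions of this example, not part of SIMS.

```python
import re

# Both patterns are written for the two lines quoted in the post above:
#   Received: from [207.46.181.26] (HELO smtp.email.msn.com) by
#   17:24:36 4 SMTP-869() Got connection from [207.46.181.26:3681]
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# "Received:" line as SIMS writes it: the bracketed address is the socket peer
# the server saw; the (HELO name) is whatever the client chose to announce.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+\[(?P<ip>" + IPV4 + r")\]"
    r"(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?"
    r"\s+by\b",
    re.IGNORECASE,
)

# SIMS SMTP log entry for the inbound connection (ip:port in brackets).
SIMS_LOG_RE = re.compile(
    r"SMTP-\d+\(\)\s+Got connection from \[(?P<ip>" + IPV4 + r"):(?P<port>\d+)\]"
)


def parse_received(line):
    """Return {'ip', 'helo'} from the topmost Received: line, or None."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    return {"ip": m.group("ip"), "helo": m.group("helo")}


def parse_sims_connection(line):
    """Return {'ip', 'port'} from a SIMS 'Got connection from' line, or None."""
    m = SIMS_LOG_RE.search(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "port": int(m.group("port"))}


def registered_domain(name):
    """Crude 'last two labels' domain (assumption); adequate for msn.com-style names."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def assess(received_line, log_line, reverse_dns):
    """Cross-check header, SIMS log and reverse DNS for one connection.

    reverse_dns is a callable ip -> PTR name (or None); it is injected so the
    example runs offline against a constructed table instead of live DNS.
    """
    rcvd = parse_received(received_line)
    conn = parse_sims_connection(log_line)
    if rcvd is None or conn is None:
        raise ValueError("unrecognised Received: or log line")
    helo = rcvd["helo"]
    ptr = reverse_dns(rcvd["ip"])
    both_named = helo is not None and ptr is not None
    return {
        "trusted_ip": rcvd["ip"],                # the address that really connected
        "log_agrees": rcvd["ip"] == conn["ip"],  # header peer == SIMS log peer
        "helo": helo,                            # client-supplied, never verified
        "ptr": ptr,                              # what the address resolves to
        "helo_matches_ptr": both_named and helo.lower() == ptr.lower(),
        "same_domain": both_named
        and registered_domain(helo) == registered_domain(ptr),
    }


# Constructed lookup table standing in for a live PTR query; the single entry
# reproduces the name the post reports for this address.
FAKE_PTR = {"207.46.181.26": "cpimssmtpu01.email.msn.com"}

if __name__ == "__main__":
    result = assess(
        "Received: from [207.46.181.26] (HELO smtp.email.msn.com) by",
        "17:24:36 4 SMTP-869() Got connection from [207.46.181.26:3681]",
        FAKE_PTR.get,
    )
    for key, value in result.items():
        print(f"{key:17} {value}")
```

For the lines quoted in the thread the result is `log_agrees` True, `helo_matches_ptr` False and `same_domain` True: the address is what connected, the HELO name is not what the address resolves to, but both names sit under msn.com, which is the "may be untrustworthy, but there are good reasons" case the reply describes. Only the bracketed address and the PTR come from the receiving side; everything the client announced stays labelled as such.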
