Subject: Re: OT GCI E-Mail
From: Christopher E. Brown (cbrown@woods.net)
Date: Wed Apr 30 2003 - 00:47:34 AKDT


On Tue, 29 Apr 2003, Mike Tibor wrote:

> Greg, you need to look somewhat beyond the To: header in order to identify
> the origin of spam. To be honest, the To: header hasn't the slightest
> thing to do with the origin of any email, and why should it? It relates
> to the destination, not the origin. Even the From: header is completely
> untrustworthy when trying to determine the origin of email, because it is
> trivially forged.
>
> The *only* way to trace the path of any email message is via the Received:
> headers.
>
> Mike

And unfortunately Received headers can only be trusted as much as you trust
the server. One assumes you trust the last one (after all you trust
it to receive your mail), and that points you at the one before it (at
least its IP addr), and if you trust *that* server it points to the
one before it... *very often* when the SPAMmer injects a message it
already has several sets of forged Received headers, and the actual
injection point is at one of the IPs in the middle, rather than the
supposed source point.

Also, one should pay attention to the IPs (only) of the Received
headers from servers you trust. Most current mail servers can be
configured to only accept messages from servers with valid forward and
reverse DNS for the connecting IP, and where the hostname in the
HELO/EHLO statement matches DNS. Unfortunately, for many reasons (largely
cluebee mail admins, but also including issues with SWIPing/etc with
upstreams) this would mean blocking at least 30% of the servers on the
net.

What has become common is insisting on a FQDN on the HELO/EHLO (it
tends to filter out the completely and hopelessly cluelessly admined
systems and crappy SPAMware), and so SPAMware has started giving an IP
in the HELO/EHLO where it is treated as a machine name (IPs must be
enclosed within []; anything else is a literal text string, and only
text strings are allowed in HELO/EHLO).

So instead of a header like

Received: from asimov.lib.uaa.alaska.edu (asimov.uaa.alaska.edu [137.229.168.41])
        by c.smtp.woods.net (Postfix) with ESMTP id 581CE6F2A
        for <cbrown@woods.net>; Wed, 30 Apr 2003 01:51:12 -0600 (MDT)

We might see

Received: from 209.112.170.1 (unknown [204.42.254.5])
        by c.smtp.woods.net (Postfix) with ESMTP id 581CE6F2A
        for <cbrown@woods.net>; Wed, 30 Apr 2003 01:51:12 -0600 (MDT)

or the more common

Received: from mx1.yahoo.com (unknown [204.42.254.5])
        by c.smtp.woods.net (Postfix) with ESMTP id 581CE6F2A
        for <cbrown@woods.net>; Wed, 30 Apr 2003 01:51:12 -0600 (MDT)

Confusing at first glance, but the first bit is from what the remote
server gave in the HELO/EHLO statement, untrusted data. Since a
dotted quad IPv4 addr passes the format check for a FQDN most systems
will pass it as a text literal (an actual IP within a message header
should always be enclosed in []). And while we could check to see if
the domain given in the HELO exists we cannot expect it to match the
IP connecting without blocking *a lot* of non-SPAM. Just another SPAMmer
trick to point you in the wrong direction, looking at 209.112.170.1 or
mx1.yahoo.com (supplied by the remote server) instead of (unknown
[204.42.254.5]) (properly formatted and supplied by the local).

Arghhhh....

-- 
I route, therefore you are.
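Added example, not part of the list message above: a small Python parser that splits Postfix-style Received: lines like the three quoted in the message into the HELO-supplied part (untrusted) and the server-recorded "(rDNS [IP])" part, and flags a bare dotted quad used as a HELO name. The sample headers are constructed from the message; the regex assumes the Postfix "from X (Y [Z]) by W" layout, and the flag names are this example's own.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Constructed samples, modelled on the three headers quoted in the message.
SAMPLE_HEADERS = [
    "Received: from asimov.lib.uaa.alaska.edu (asimov.uaa.alaska.edu [137.229.168.41])\n"
    "        by c.smtp.woods.net (Postfix) with ESMTP id 581CE6F2A\n"
    "        for <cbrown@woods.net>; Wed, 30 Apr 2003 01:51:12 -0600 (MDT)",
    "Received: from 209.112.170.1 (unknown [204.42.254.5])\n"
    "        by c.smtp.woods.net (Postfix) with ESMTP id 581CE6F2A\n"
    "        for <cbrown@woods.net>; Wed, 30 Apr 2003 01:51:12 -0600 (MDT)",
    "Received: from mx1.yahoo.com (unknown [204.42.254.5])\n"
    "        by c.smtp.woods.net (Postfix) with ESMTP id 581CE6F2A\n"
    "        for <cbrown@woods.net>; Wed, 30 Apr 2003 01:51:12 -0600 (MDT)",
]

# Postfix layout: "from <HELO name> (<reverse DNS> [<connecting IP>]) by <server>"
_RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
# A dotted quad with no surrounding [] is a text string, not an address literal.
_BARE_DOTTED_QUAD_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class Hop(NamedTuple):
    helo: str            # untrusted: whatever the remote said in HELO/EHLO
    rdns: str            # recorded by the receiving server ("unknown" if none)
    ip: str              # recorded by the receiving server: the connecting IP
    by: str              # the server that wrote this header
    flags: Tuple[str, ...]  # hypothetical flag names used by this example


def parse_received(header: str) -> Optional[Hop]:
    """Parse one (possibly folded) Received: header; None if not Postfix-style."""
    text = " ".join(header.split())  # unfold continuation lines
    m = _RECEIVED_RE.match(text)
    if not m:
        return None
    helo, rdns, ip, by = m.group("helo", "rdns", "ip", "by")
    flags = []
    if _BARE_DOTTED_QUAD_RE.match(helo):
        flags.append("helo-is-bare-ip")   # the trick described in the message
    if rdns.lower() == "unknown":
        flags.append("no-reverse-dns")
    return Hop(helo, rdns, ip, by, tuple(flags))


def origin_ip(header: str) -> Optional[str]:
    """The only part worth acting on: the IP the trusted server recorded."""
    hop = parse_received(header)
    return hop.ip if hop else None
```

Only `ip` and `by` come from the server you trust; `helo` is reproduced verbatim from the remote so that an analyst can see what was claimed, not so that it can be relied on.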




This archive was generated by hypermail 2a23 : Wed Apr 30 2003 - 00:45:55 AKDT