gabriel rosenkoetter on Mon, 30 Sep 2002 16:41:08 -0400



Re: [PLUG] spoofing


On Mon, Sep 30, 2002 at 02:40:37PM -0400, Jason wrote:
> Forged spam is a definite problem, and sometimes your email address may be 
> used as the forged sender when sent to others. This is a really big problem 
> if your email server is being used as an "open relay".

Um. Those two things are completely unrelated. I can give whatever
address I like as an argument to MAIL FROM: when I'm talking to your
SMTP (or, really, my own) server. If you want me to, I'll prove it to
you by sending email from you to you from my MX (uriel.eclipsed.net,
go ahead and test it for relaying, it doesn't).

Better yet, test this yourself. Set up a hotmail account, then
telnet to port 25 of (one of) Hotmail's mail exchanger(s). For extra
points, telnet for a shell account on a system other than where you
actually receive mail. Issue these commands:

EHLO <your local host>
MAIL FROM: Jason <jason@nocks.com>
RCPT TO: <account>@hotmail.com
DATA
Subject: whee, faked source address

blah blah
.
QUIT

Note that the mail received on Hotmail appears to be from you, even
though it wasn't sent in the usual fashion (or from the "right"
place). Now examine the full headers (if Hotmail even lets you do
that), and notice that the source IP address that originally made the
connection to Hotmail's mail exchanger was, in fact, logged and has,
in fact, nothing to do with nocks.com's mail exchanger. Tracing
things by email address is silly and useless. Tracing them by
Received: headers works sometimes, but those are easily spoofed as
well (they're just text in a message!). You're best off going the
next hop back and examining log files until you get where you're
going.

> If you use fetchmail, then if there is a problem, it is most
> likely your ISP's concern, assuming you have adequate firewall
> protection around your local email server.

No, it's most likely no one's concern. There is no reason that Art's
mail server needs to be even remotely involved for email to appear
to come from him. This is why we use digital encryption algorithms
for authentication; source addresses are totally meaningless. IP
addresses still bear a little bit of weight, but email addresses
bear none at all.

Unless it's digitally signed, there's no way to prove a given person
sent something that it appears they sent, and it is demonstrably
simple to prove that faking it was possible. No court would let
anything fly based on a source email address. (Cf. topical /.
headline today.)

-- 
gabriel rosenkoetter
gr@eclipsed.net

Attachment: pgpcTc0IgHPvP.pgp
Description: PGP signature
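The point gabriel makes above is that Received: headers are just text until you reach the one your own mail exchanger stamped, so the only hop you can trust is the connection your server actually logged. The following Python script is an added example, not code from the original post or from any of the people in this thread: it walks a message's Received: chain from the top down, treats only the unbroken run of hops stamped by hosts you operate as verified, and reports the IP that really connected to your MX versus the origin the lower (sender-supplied) headers claim. The host name mx.example.net, the OUR_HOSTS set, and the sample message are all constructed assumptions for the demonstration.

```python
import email
import re

# Assumption: the mail exchangers we run ourselves. Only Received: lines
# stamped "by" one of these, in an unbroken run from the top of the header
# block, can be trusted; everything below is text the sender could have typed.
OUR_HOSTS = {"mx.example.net"}

# Constructed sample message. The top Received: line was added by our own MX
# and records the real connecting IP (198.51.100.23). The second Received:
# line and the From: header were written by the sender and claim the mail
# originated at nocks.com's mail exchanger, which it did not.
SAMPLE = """Received: from win-box (unknown [198.51.100.23])
\tby mx.example.net (Postfix) with ESMTP id ABC123
\tfor <user@example.net>; Mon, 30 Sep 2002 16:41:08 -0400
Received: from mail.nocks.com (mail.nocks.com [203.0.113.9])
\tby win-box (8.12.3) with ESMTP id g8UKf8T12345; Mon, 30 Sep 2002 16:40:01 -0400
From: Jason <jason@nocks.com>
To: user@example.net
Subject: whee, faked source address

blah blah
"""

# Constructed sample with no stamp from our own servers at all (e.g. a copy
# forwarded to us as text): nothing in it can be verified.
SAMPLE_NO_STAMP = """Received: from mail.nocks.com (mail.nocks.com [203.0.113.9])
\tby win-box (8.12.3) with ESMTP id g8UKf8T12345; Mon, 30 Sep 2002 16:40:01 -0400
From: Jason <jason@nocks.com>
Subject: whee, faked source address

blah blah
"""

# Matches the common "from HELO (rdns [ip]) by HOST" shape of a Received: line.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_hops(raw_message: str) -> list:
    """Return the Received: hops newest-first, each tagged with whether the
    hop was stamped by one of our own hosts in the trusted run."""
    msg = email.message_from_string(raw_message)
    hops = []
    still_ours = True
    for value in msg.get_all("Received", []):  # top of header block = newest hop
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue
        hop = m.groupdict()
        # Once we hit a hop not stamped by us, every hop below it is unverified,
        # even if it claims to have been stamped "by" one of our hosts.
        still_ours = still_ours and hop["by"] in OUR_HOSTS
        hop["trusted"] = still_ours
        hops.append(hop)
    return hops


def connecting_ip(hops: list):
    """The IP that actually opened the SMTP connection to our MX: the 'from'
    side of the last trusted hop. None if no hop of ours is present."""
    last = None
    for hop in hops:
        if not hop["trusted"]:
            break
        last = hop
    return last["ip"] if last else None


def claimed_origin_ip(hops: list):
    """What the bottom-most (oldest, sender-supplied) header claims. This is
    the value that must not be used for attribution."""
    return hops[-1]["ip"] if hops else None


def summarize(raw_message: str) -> dict:
    """Side-by-side view: the header address, the unverifiable claimed origin,
    and the one fact our own log can back up."""
    msg = email.message_from_string(raw_message)
    hops = parse_hops(raw_message)
    return {
        "from_header": msg.get("From"),
        "claimed_origin_ip": claimed_origin_ip(hops),
        "verified_hops": sum(1 for h in hops if h["trusted"]),
        "connecting_ip": connecting_ip(hops),
    }


if __name__ == "__main__":
    for name, sample in (("stamped by our MX", SAMPLE), ("no stamp of ours", SAMPLE_NO_STAMP)):
        print(name, summarize(sample))
```

For the first sample the report shows a From: header of jason@nocks.com and a claimed origin of 203.0.113.9, but the only verifiable fact is that 198.51.100.23 connected to mx.example.net, which is where you take the next hop back into that host's logs. For the second sample connecting_ip is None: without a stamp from a server you control there is nothing in the headers to trace from.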