[Dshield] X-Apparently-From accuracy?

ALEPH0 aleph0 at pacbell.net
Tue Sep 3 16:44:48 GMT 2002

X-* are user-defined headers.  Assuming the mail did really come from an AOL
MTA, I would expect it to be reliable and supportable by their own logs.  It
should be used to report sources outside the SMTP protocol, like webmail
and things like that.  (However, POP and others often are just related as
Received headers.)

The assumption needs to be tested though.  Check the Received headers to
make sure they make sense.  If it is from AOL, make sure the first ADDRESS
(not reported hostname) is an AOL MTA.  Further, since some bad guys will
forge a history, you should expect that no intermediary MTAs were used from
AOL to the edge of your organisation's regular SMTP mail path.  A spammer,
for instance, who forges a history coming from AOL would use an open relay
or their own host to mail to your receiving MTA.  You should only rely on
the veracity first presented by yours.

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf Of
Preston G. Simpson
Sent: Tuesday, September 03, 2002 9:04 AM
To: list at dshield.org
Subject: [Dshield] X-Apparently-From accuracy?

	Does anyone have any data on how accurate the "X-Apparently-From" header
in messages from AOL is? Evidently, some unscrupulous person has gotten
hold of a list of addresses at the firm here and has been spamming
attorneys with messages forged to appear to be from other attorneys.
The same AOL address crops up in most of these messages under
X-Apparently-From, and we'd like to have some idea of how good a guess
this is before we consider any other action.
	I'd call AOL about this, but I didn't want to waste the next umpteen
hours of my life trying to explain what email is and how it works to the
"tech support" there if I didn't have to - ditto for any correspondence
with abuse@ or postmaster at .

--Preston G. Simpson
  IS Services
  preston.simpson at sfrlaw.com
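The Received-header check described in the reply above, as an added example that is not part of the original thread: walk the Received headers from the hop our own edge MTA recorded, take the connecting address in brackets (not the hostname the peer announced), and only trust X-Apparently-From when that address belongs to the purported sender's MTA network with no intermediary relays in between. The edge MTA name, the sender network block and both sample messages are constructed for the example; real provider netblocks must come from the provider's published records.

```python
import email
import ipaddress
import re

# Assumptions (constructed, not from the original post): the hostname our own
# edge MTA writes into its Received header, and the address block we are
# prepared to accept as the purported sender's (here, "AOL's") outbound MTAs.
EDGE_MTA = "mx.example.com"
SENDER_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample: a forged "from the sender" history relayed through an
# open relay (203.0.113.45) before it reached our edge MTA.
RELAYED_MESSAGE = """\
Received: from relay.example.net (relay.example.net [203.0.113.45])
\tby mx.example.com with ESMTP id ABC123
\tfor <user@example.com>; Tue, 3 Sep 2002 09:00:12 -0400
Received: from mta.provider.example (mta.provider.example [198.51.100.7])
\tby relay.example.net with ESMTP id XYZ789; Tue, 3 Sep 2002 08:58:01 -0400
X-Apparently-From: someone@provider.example
From: "A Colleague" <colleague@example.com>
To: user@example.com
Subject: test

body
"""

# Constructed sample: the sender's MTA delivered straight to our edge MTA.
DIRECT_MESSAGE = """\
Received: from mta.provider.example (mta.provider.example [198.51.100.7])
\tby mx.example.com with ESMTP id DEF456
\tfor <user@example.com>; Tue, 3 Sep 2002 09:10:33 -0400
X-Apparently-From: someone@provider.example
From: "A Colleague" <colleague@example.com>
To: user@example.com
Subject: test

body
"""

# "from <helo> (<rdns> [<ip>]) ... by <host>": the bracketed IP is what the
# receiving MTA observed; <helo> and <rdns> are what the peer claimed.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
)


def parse_received(msg):
    """Return the Received hops top-down (index 0 = most recent, i.e. ours)."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(raw.split())  # unfold continuation lines
        m = RECEIVED_RE.match(text)
        hop = {"raw": text, "helo": None, "ip": None, "by": None}
        if m:
            hop["helo"], hop["by"] = m.group("helo"), m.group("by")
            try:
                hop["ip"] = ipaddress.ip_address(m.group("ip") or "")
            except ValueError:
                hop["ip"] = None  # no usable connecting address recorded
        hops.append(hop)
    return hops


def in_sender_network(ip):
    return ip is not None and any(ip in net for net in SENDER_NETWORKS)


def assess(raw_message):
    """Decide whether X-Apparently-From is backed by a verifiable SMTP path."""
    msg = email.message_from_string(raw_message)
    hops = parse_received(msg)
    result = {
        "apparently_from": msg.get("X-Apparently-From"),
        "hop_count": len(hops),
        "edge_ok": False,            # topmost hop was written by our own MTA
        "connecting_ip": None,       # address that actually connected to us
        "from_sender_network": False,
        "unverifiable_sender_hops": 0,  # sender-network hops below our edge
        "trust_header": False,
    }
    if not hops:
        return result
    edge = hops[0]
    result["edge_ok"] = edge["by"] == EDGE_MTA
    result["connecting_ip"] = str(edge["ip"]) if edge["ip"] else None
    result["from_sender_network"] = in_sender_network(edge["ip"])
    # Anything below the hop we recorded ourselves is history the peer could
    # have forged; a "sender" hop down there proves nothing.
    result["unverifiable_sender_hops"] = sum(
        1 for h in hops[1:] if in_sender_network(h["ip"])
    )
    result["trust_header"] = result["edge_ok"] and result["from_sender_network"]
    return result


if __name__ == "__main__":
    for label, sample in (("relayed", RELAYED_MESSAGE), ("direct", DIRECT_MESSAGE)):
        print(label, assess(sample))
```

The relayed sample is rejected because the address that connected to our edge MTA is the relay, not a sender-network MTA, even though a lower Received line claims a sender-network origin; the direct sample is accepted because our own hop records the sender's address.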

Dshield mailing list
Dshield at dshield.org