[Dshield] Email Header

john beck jbeck80 at hotmail.com
Mon Sep 29 13:48:25 GMT 2003

Thanks for excellent information.  I see from this example that some have 
private ip's in the header (HELO viper.incidents.org) ( or 
dshield.org (charlie []).  What are your thoughts on that?  Should 
those be changed (reconfig) not to give up any information of internal 
addressing?  I know I do not like to give up anything, but is the ROI worth 
the headache of reconfig?

John Beck

>From: "Doug White" <doug at clickdoug.com>
>Reply-To: General DShield Discussion List <list at dshield.org>
>To: "General DShield Discussion List" <list at dshield.org>
>Subject: Re: [Dshield] Email Header Date: Fri, 26 Sep 2003 18:40:51 -0500
>Here is the header information viewable by my email client for the message 
>just sent to the discussion list.  As you can see the message transited a 
>of places while various tasks were performed before passing it to the next 
>The indicated a transit through an internal proxy for tasks such 
>virus-scanning, etc.  This is a header that is RFC compliant, and anything
>(other than the X notations) could be considered a forgery, and with the
>increasing number of states outlawing header forgery, I believe that full 
>compliance will be forthcoming.  Not all servers add all this stuff, and 
>mail clients strip much of it before delivery.
>Received: from GULF.clickdoug.com [] by bayou with ESMTP
>   (SMTPD32-8.01) id AAAC1F5014E; Fri, 26 Sep 2003 18:24:28 -0500
>Received: from localhost (GULF [])
>  by GULF.clickdoug.com (Postfix) with ESMTP id 53DF23E007C
>  for <doug at clickdoug.com>; Fri, 26 Sep 2003 18:21:28 -0500 (CDT)
>Received: from GULF.clickdoug.com ([])
>  by localhost (GULF.clickdoug.com []) (amavisd-new) with 
>  id 15258-20 for <doug at clickdoug.com>; Fri, 26 Sep 2003 18:21:25 -0500 
>Received: from iceman.incidents.org (mail2.giac.net [])
>  by GULF.clickdoug.com (Postfix) with SMTP id A21F63E006C
>  for <doug at clickdoug.com>; Fri, 26 Sep 2003 18:21:23 -0500 (CDT)
>Received: (qmail 32038 invoked from network); 26 Sep 2003 23:24:26 -0000
>Received: from chipper2-int (HELO viper.incidents.org) (
>   by 0 with SMTP; 26 Sep 2003 23:24:26 -0000
>Received: from localhost.localdomain (chipper2 [])
>  by viper.incidents.org (8.11.6/8.11.6) with ESMTP id h8QNMNH21823;
>  Fri, 26 Sep 2003 19:22:23 -0400
>Received: from dshield.org (charlie [])
>  by viper.incidents.org (8.11.6/8.11.6) with ESMTP id h8QLTtH28993
>  for <list at viper.uunet>; Fri, 26 Sep 2003 17:29:56 -0400
>Received: (qmail 27790 invoked from network); 26 Sep 2003 21:29:55 -0000
>Received: from mail2.giac.net (HELO iceman.incidents.org) (
>   by 0 with SMTP; 26 Sep 2003 21:29:55 -0000
>Received: (qmail 7008 invoked from network); 26 Sep 2003 21:29:55 -0000
>Received: from sea2-f58.sea2.hotmail.com (HELO hotmail.com) (
>   by 0 with SMTP; 26 Sep 2003 21:29:55 -0000
>Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
>   Fri, 26 Sep 2003 14:29:54 -0700
>Received: from by sea2fd.sea2.hotmail.msn.com with HTTP;
>  Fri, 26 Sep 2003 21:29:52 GMT
>X-Originating-IP: []
>X-Originating-Email: [jbeck80 at hotmail.com]
>From: "john beck" <jbeck80 at hotmail.com>
>To: list at dshield.org
>Date: Fri, 26 Sep 2003 16:29:52 -0500
>Mime-Version: 1.0
>Content-Type: text/plain; format=flowed
>Message-ID: <Sea2-F58fWOWTgROa8V0000fdfc at hotmail.com>
>X-OriginalArrivalTime: 26 Sep 2003 21:29:54.0237 (UTC)
>  FILETIME=[536F9ED0:01C38475]
>Old-X-Envelope-To: list at dshield.org
>X-Seen-By: bob list
>X-Envelope-To: UNKNOWN
>X-Mailman-Approved-At: Fri, 26 Sep 2003 19:16:15 -0400
>Subject: [Dshield] Email Header
>X-BeenThere: list at dshield.org
>X-Mailman-Version: 2.1
>Precedence: list
>Reply-To: General DShield Discussion List <list at dshield.org>
>List-Id: General DShield Discussion List <list.dshield.org>
>List-Unsubscribe: <http://www.dshield.org/mailman/listinfo/list>,
>  <mailto:list-request at dshield.org?subject=unsubscribe>
>List-Archive: <http://www.dshield.org/pipermail/list>
>List-Post: <mailto:list at dshield.org>
>List-Help: <mailto:list-request at dshield.org?subject=help>
>List-Subscribe: <http://www.dshield.org/mailman/listinfo/list>,
>  <mailto:list-request at dshield.org?subject=subscribe>
>Sender: list-bounces at dshield.org
>Errors-To: list-bounces at dshield.org
>X-Virus-Scanned: by amavisd-new & H+BEDV AntiVir
>X-RCPT-TO: <doug at clickdoug.com>
>Status: U
>X-UIDL: 364522135
>Stop spam on your domain, use our gateway!
>For hosting solutions http://www.clickdoug.com
>Featuring Win2003 Enterprise, RedHat Linux, CFMX 6.1 and all databases.
>ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
>Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
>If you are not satisfied with my service, my job isn't done!
>----- Original Message -----
>From: "john beck" <jbeck80 at hotmail.com>
>To: <list at dshield.org>
>Sent: Friday, September 26, 2003 4:29 PM
>Subject: [Dshield] Email Header
>| I have an email header question.  This would pertain to "what is best
>| practice"?  Because they run an application firewall, and it has an smtp
>| daemon, which directs smtp traffic to a machine internally that sweeps 
>| malicious code, etc, then sends "cleansed email" on to email server which 
>| internal also.  The mail headers in conclusion have the internal 
>| of the mail server and sweeper.
>[ snip ]|
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: 

Instant message with integrated webcam using MSN Messenger 6.0. Try it now 
FREE!  http://msnmessenger-download.com

More information about the list mailing list