[Dshield] Email Header

Kane Wong kwong at cwalkergroup.com
Mon Sep 29 16:23:25 GMT 2003


Are you using Microsoft Exchange server?

-----Original Message-----
From: john beck [mailto:jbeck80 at hotmail.com]
Sent: Friday, September 26, 2003 2:30 PM
To: list at dshield.org
Subject: [Dshield] Email Header 


I have an email header question.  This would pertain to "what is best 
practice"?  Because they run an application firewall, and it has an smtp 
daemon, which directs smtp traffic to a machine internally that sweeps for 
malicious code, etc, then sends "cleansed email" on to email server which is 
internal also.  The mail headers in conclusion have the internal addresses 
of the mail server and sweeper.

Email originating from "company" going out to the Internet contains 
information about the Internal IP address of the mail server. This provides 
additional information about the internal layout, as well as providing 
information about the email server including manufacturer AND VERSION. The 
information below is an example of such revealed including the internal IP 
ADDRESSES of "company" firewall, the internal SMTP Server, the SMTP server 
version and make. Any and all of this information would help a hacker to 
formulate their means of attack against the SMTP server.

Received:  from InternetFirewall.xxxx.com ([192.168.2.2])
          by xxx.xxxx.com (Lotus Domino Release 5.0.12)
          with ESMTP id 2003091709334798:6523 ;
          Wed, 17 Sep 2003 09:33:47 -0500
Received:  from mailfilter.xxxx.com by InternetFirewall.xxxx.com
          via smtpd (for xxx.xxxx.com [192.168.100.27]) with ESMTP;
          Wed, 17 Sep 2003 09:21:48 -0500
Received:  from ntfw1.xxxx.com (sea2-f56.sea2.hotmail.com [207.68.165.56])
          by mailfilter.xxxx.com (Content Technologies SMTPRS 4.3.10) with ESMTP id
          <T64bb4eadffc0a8b415490 at mailfilter.xxxx.com> for <john_beck at xxxx.com>;
          Wed, 17 Sep 2003 09:33:45 -0500
Received:  from sea2-f56.sea2.hotmail.com ([207.68.165.56]) by ntfw1.xxxx.com
          via smtpd (for mailfilter.xxxx.com [192.168.180.21]) with ESMTP;
          Wed, 17 Sep 2003 09:21:33 -0500
Received:  from mail pickup service by hotmail.com with Microsoft SMTPSVC;
          Wed, 17 Sep 2003 07:34:23 -0700
Received:  from (external ip address) 63.x.x.50 by sea2fd.sea2.hotmail.msn.com with HTTP;
          Wed, 17 Sep 2003 14:34:22 GMT
X_Originating_IP:  [63.x.x.50]

I have examined email headers from other systems and see that some 
information is inherent.
What is "Best Practice" for proper email header?  I would like external ip 
address to show up, but that will take a bit of re-configuring.  The people 
that did security assessment before I came brought this to attention, but 
offered no solution to resolve.  I appreciate any and all assistance.

Thank You
John Beck
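
Added example, not part of the original thread: a small audit script that checks a message's Received headers for the two kinds of leakage the post describes, private (RFC 1918) addresses and software version banners. The sample message is constructed, modelled on the headers quoted above with example.com hostnames, and the function name audit_received is an assumption of this example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample, modelled on the headers quoted in the post.
SAMPLE = """\
Received: from InternetFirewall.example.com ([192.168.2.2])
          by mail.example.com (Lotus Domino Release 5.0.12)
          with ESMTP id 2003091709334798:6523 ;
          Wed, 17 Sep 2003 09:33:47 -0500
Received: from mailfilter.example.com by InternetFirewall.example.com
          via smtpd (for mail.example.com [192.168.100.27]) with ESMTP;
          Wed, 17 Sep 2003 09:21:48 -0500
Received: from sea2-f56.sea2.hotmail.com ([207.68.165.56])
          by ntfw1.example.com with ESMTP; Wed, 17 Sep 2003 09:21:33 -0500
Subject: test

body
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Parenthesised comment holding a dotted version, e.g. "(Lotus Domino Release 5.0.12)"
BANNER = re.compile(r"\(([^()\[\]]*?\d+\.\d+[^()\[\]]*)\)")

def audit_received(raw_message):
    """Return (hop_index, kind, value) findings for every Received header."""
    msg = message_from_string(raw_message)
    findings = []
    for hop, value in enumerate(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        for ip in IPV4.findall(flat):
            try:
                if ipaddress.ip_address(ip).is_private:
                    findings.append((hop, "private-ip", ip))
            except ValueError:
                pass  # redacted or malformed octets are not valid addresses
        for banner in BANNER.findall(flat):
            findings.append((hop, "version-banner", banner.strip()))
    return findings

if __name__ == "__main__":
    for hop, kind, value in audit_received(SAMPLE):
        print(f"hop {hop}: {kind}: {value}")
```

Hop 0 is the topmost (most recent) Received header; running this against a copy of outbound mail captured outside the perimeter shows what a recipient actually sees after any header rewriting.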
