[Dshield] Email Header

Doug White doug at clickdoug.com
Mon Sep 29 17:33:23 GMT 2003


A loose description is that at hotmail, dshield, as well as my own mail system,
the mail moves around in the internal networks, each move adding a header line.

For instance hotmail receives all mail via 9 or 10 different servers, and moves
them to separate machines on their internal network to queue them up for smtp
delivery. Each move adds a header line. When Dshield receives it, it moves
through internal proxies, as well as internal network machines on their network,
probably virus scanning, spam filtering, or whatever, and then sends it to the
list server. Each move through that system adds a header line.

Then when the mail is received by my gateway server [ gulf.clickdoug.com ] it is
routed through an internal proxy [ 127.0.0.1 ] where it is checked against
various dnsbl, and is virus scanned, then forwarded to my pop/SMTP server [
bayou].  Each move through my own network adds a header line.  My email client
collects from the bayou server.

I realize that for most email all this internal management is not of importance
to the recipient; it does comply with the rules for header information, and will
make a particular email readily traceable to the true sender. Where the art
form comes in is in email that is sent via bulk mailer software, that also adds
spoofed [ fraudulent ] header lines, and that is determining [ or making a best
guess ] as to which ones are legitimate and which lines are spoofed.

There generally is no need to obfuscate or hide internal (non-routable)
information, because an outside smtp server cannot directly address these
internal IP numbers in an attempt to by-pass the internal processing of mail.
Only the internal network can access or exchange information with others on the
internal network or proxy.

There are others, no doubt, that can explain this in much more technical
geek-speak, but I think this is the gist.

----- Original Message ----- 
From: "john beck" <jbeck80 at hotmail.com>
To: <list at dshield.org>
Sent: Monday, September 29, 2003 8:48 AM
Subject: Re: [Dshield] Email Header


| Thanks for excellent information.  I see from this example that some have
| private ip's in the header (HELO viper.incidents.org) (10.36.0.2) or
| dshield.org (charlie [10.51.0.11]).  What are your thoughts on that?  Should
| those be changed (reconfig) not to give up any information of internal
| addressing?  I know I do not like to give up anything, but is the ROI worth
| the headache of reconfig?
|
| Thanks!
| John Beck
|
|
| >From: "Doug White" <doug at clickdoug.com>
| >Reply-To: General DShield Discussion List <list at dshield.org>
| >To: "General DShield Discussion List" <list at dshield.org>
| >Subject: Re: [Dshield] Email Header
| >Date: Fri, 26 Sep 2003 18:40:51 -0500
| >
| >Here is the header information viewable by my email client for the message
| >you just sent to the discussion list.  As you can see the message transited
| >a number of places while various tasks were performed before passing it to
| >the next step.  The 127.0.0.1 indicated a transit through an internal proxy
| >for tasks such as virus-scanning, etc.  This is a header that is RFC
| >compliant, and anything (other than the X notations) could be considered a
| >forgery, and with the increasing number of states outlawing header forgery,
| >I believe that full RFC compliance will be forthcoming.  Not all servers add
| >all this stuff, and some mail clients strip much of it before delivery.
| >
| >
| >==========================
| >Received: from GULF.clickdoug.com [66.139.91.41] by bayou with ESMTP
| >   (SMTPD32-8.01) id AAAC1F5014E; Fri, 26 Sep 2003 18:24:28 -0500
| >Received: from localhost (GULF [127.0.0.1])
| >  by GULF.clickdoug.com (Postfix) with ESMTP id 53DF23E007C
| >  for <doug at clickdoug.com>; Fri, 26 Sep 2003 18:21:28 -0500 (CDT)
| >Received: from GULF.clickdoug.com ([127.0.0.1])
| >  by localhost (GULF.clickdoug.com [127.0.0.1:10027]) (amavisd-new) with ESMTP
| >  id 15258-20 for <doug at clickdoug.com>; Fri, 26 Sep 2003 18:21:25 -0500 (CDT)
| >Received: from iceman.incidents.org (mail2.giac.net [63.100.47.43])
| >  by GULF.clickdoug.com (Postfix) with SMTP id A21F63E006C
| >  for <doug at clickdoug.com>; Fri, 26 Sep 2003 18:21:23 -0500 (CDT)
| >Received: (qmail 32038 invoked from network); 26 Sep 2003 23:24:26 -0000
| >Received: from chipper2-int (HELO viper.incidents.org) (10.36.0.2)
| >   by 0 with SMTP; 26 Sep 2003 23:24:26 -0000
| >Received: from localhost.localdomain (chipper2 [127.0.0.1])
| >  by viper.incidents.org (8.11.6/8.11.6) with ESMTP id h8QNMNH21823;
| >  Fri, 26 Sep 2003 19:22:23 -0400
| >Received: from dshield.org (charlie [10.51.0.11])
| >  by viper.incidents.org (8.11.6/8.11.6) with ESMTP id h8QLTtH28993
| >  for <list at viper.uunet>; Fri, 26 Sep 2003 17:29:56 -0400
| >Received: (qmail 27790 invoked from network); 26 Sep 2003 21:29:55 -0000
| >Received: from mail2.giac.net (HELO iceman.incidents.org) (63.100.47.43)
| >   by 0 with SMTP; 26 Sep 2003 21:29:55 -0000
| >Received: (qmail 7008 invoked from network); 26 Sep 2003 21:29:55 -0000
| >Received: from sea2-f58.sea2.hotmail.com (HELO hotmail.com) (207.68.165.58)
| >   by 0 with SMTP; 26 Sep 2003 21:29:55 -0000
| >Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
| >   Fri, 26 Sep 2003 14:29:54 -0700
| >Received: from 63.224.176.50 by sea2fd.sea2.hotmail.msn.com with HTTP;
| >  Fri, 26 Sep 2003 21:29:52 GMT
| >X-Originating-IP: [63.224.176.50]
| >X-Originating-Email: [jbeck80 at hotmail.com]
| >From: "john beck" <jbeck80 at hotmail.com>
| >To: list at dshield.org
| >Date: Fri, 26 Sep 2003 16:29:52 -0500
| >Mime-Version: 1.0
| >Content-Type: text/plain; format=flowed
| >Message-ID: <Sea2-F58fWOWTgROa8V0000fdfc at hotmail.com>
| >X-OriginalArrivalTime: 26 Sep 2003 21:29:54.0237 (UTC)
| >  FILETIME=[536F9ED0:01C38475]
| >Old-X-Envelope-To: list at dshield.org
| >X-Seen-By: bob list
| >X-Envelope-To: UNKNOWN
| >X-Mailman-Approved-At: Fri, 26 Sep 2003 19:16:15 -0400
| >Subject: [Dshield] Email Header
| >X-BeenThere: list at dshield.org
| >X-Mailman-Version: 2.1
| >Precedence: list
| >Reply-To: General DShield Discussion List <list at dshield.org>
| >List-Id: General DShield Discussion List <list.dshield.org>
| >List-Unsubscribe: <http://www.dshield.org/mailman/listinfo/list>,
| >  <mailto:list-request at dshield.org?subject=unsubscribe>
| >List-Archive: <http://www.dshield.org/pipermail/list>
| >List-Post: <mailto:list at dshield.org>
| >List-Help: <mailto:list-request at dshield.org?subject=help>
| >List-Subscribe: <http://www.dshield.org/mailman/listinfo/list>,
| >  <mailto:list-request at dshield.org?subject=subscribe>
| >Sender: list-bounces at dshield.org
| >Errors-To: list-bounces at dshield.org
| >X-Virus-Scanned: by amavisd-new & H+BEDV AntiVir
| >X-RCPT-TO: <doug at clickdoug.com>
| >Status: U
| >X-UIDL: 364522135
| >
| >==========================================
| >
| >======================================
| >Stop spam on your domain, use our gateway!
| >For hosting solutions http://www.clickdoug.com
| >Featuring Win2003 Enterprise, RedHat Linux, CFMX 6.1 and all databases.
| >ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
| >Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
| >======================================
| >If you are not satisfied with my service, my job isn't done!
| >
| >----- Original Message -----
| >From: "john beck" <jbeck80 at hotmail.com>
| >To: <list at dshield.org>
| >Sent: Friday, September 26, 2003 4:29 PM
| >Subject: [Dshield] Email Header
| >
| >
| >| I have an email header question.  This would pertain to "what is best
| >| practice"?  Because they run an application firewall, and it has an smtp
| >| daemon, which directs smtp traffic to a machine internally that sweeps
| >| for malicious code, etc, then sends "cleansed email" on to email server
| >| which is internal also.  The mail headers in conclusion have the internal
| >| addresses of the mail server and sweeper.
| >|
| >[ snip ]|
| >
| >_______________________________________________
| >list mailing list
| >list at dshield.org
| >To change your subscription options (or unsubscribe), see:
| >http://www.dshield.org/mailman/listinfo/list
|
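The thread above walks the Received chain by hand; as an added example (not code from the original post or from DShield), here is the same walk in Python over the quoted headers. It separates the loopback and RFC 1918 hops the thread discusses from public ones, finds the one hop a recipient can actually vouch for (the address that handed the mail to the recipient's own servers), and reports what the older, unverifiable lines claim the origin is. The header text is constructed from the quoted chain ("at" restored to "@", folded lines re-joined, queue ids and one hotmail hop dropped for brevity); the host names passed as "mine" are Doug's servers as named in the thread.

```python
import ipaddress
import re
from email import message_from_string

# Constructed from the Received chain quoted in the thread: "at" restored to "@",
# folded lines re-joined, queue ids and one hotmail hop dropped for brevity.
HEADERS = """\
Received: from GULF.clickdoug.com [66.139.91.41] by bayou with ESMTP (SMTPD32-8.01); Fri, 26 Sep 2003 18:24:28 -0500
Received: from localhost (GULF [127.0.0.1]) by GULF.clickdoug.com (Postfix) with ESMTP; Fri, 26 Sep 2003 18:21:28 -0500
Received: from iceman.incidents.org (mail2.giac.net [63.100.47.43]) by GULF.clickdoug.com (Postfix) with SMTP; Fri, 26 Sep 2003 18:21:23 -0500
Received: from chipper2-int (HELO viper.incidents.org) (10.36.0.2) by 0 with SMTP; 26 Sep 2003 23:24:26 -0000
Received: from dshield.org (charlie [10.51.0.11]) by viper.incidents.org (8.11.6/8.11.6) with ESMTP; Fri, 26 Sep 2003 17:29:56 -0400
Received: from 63.224.176.50 by sea2fd.sea2.hotmail.msn.com with HTTP; Fri, 26 Sep 2003 21:29:52 GMT
From: john beck <jbeck80@hotmail.com>

"""

IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def parse_hops(raw):
    """Received lines newest-first (as written), each as (from_ip, by_host, kind)."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        # unfold, then split the 'from' clause from the 'by' clause
        from_part, _, rest = " ".join(hdr.split()).partition(" by ")
        ip = IP_RE.search(from_part)          # first IP literal in the 'from' clause
        ip = ip.group(1) if ip else None
        kind = "no-ip"
        if ip:
            a = ipaddress.ip_address(ip)
            kind = "loopback" if a.is_loopback else "private" if a.is_private else "public"
        hops.append((ip, rest.split()[0].lower() if rest else None, kind))
    return hops

def external_entry(hops, mine):
    """First public address that handed the mail to a server you operate: walk
    newest-first while the 'by' host is yours; older lines may be forged."""
    mine = {m.lower() for m in mine}
    for ip, by, kind in hops:
        if by not in mine:
            break                             # written by someone else's server
        if kind == "public" and ip not in mine:
            return ip
    return None

def claimed_origin(hops):
    """Oldest public 'from' address: what the chain claims the origin is (here it
    equals X-Originating-IP), credible only as far as every earlier writer is."""
    return next((ip for ip, _, kind in reversed(hops) if kind == "public"), None)
```

Internal addresses such as 10.36.0.2 and 10.51.0.11 are classified but never treated as a traceable source, which is why leaving them in the header costs nothing for tracing.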