[Dshield] Email Header

john beck jbeck80 at hotmail.com
Mon Sep 29 18:00:35 GMT 2003


Thanks for the reply, but no MS; it is IBM Lotus Notes v5.012.

John


>From: "Kane Wong" <kwong at cwalkergroup.com>
>Reply-To: General DShield Discussion List <list at dshield.org>
>To: "General DShield Discussion List" <list at dshield.org>
>Subject: RE: [Dshield] Email Header
>Date: Mon, 29 Sep 2003 09:23:25 -0700
>
>Are you using Microsoft Exchange server?
>
>-----Original Message-----
>From: john beck [mailto:jbeck80 at hotmail.com]
>Sent: Friday, September 26, 2003 2:30 PM
>To: list at dshield.org
>Subject: [Dshield] Email Header
>
>
>I have an email header question.  This would pertain to "what is best
>practice"?  Because they run an application firewall, and it has an smtp
>daemon, which directs smtp traffic to a machine internally that sweeps for
>malicious code, etc, then sends "cleansed email" on to email server which is
>internal also.  The mail headers in conclusion have the internal addresses
>of the mail server and sweeper.
>
>Email originating from "company" going out to the Internet contains
>information about the Internal IP address of the mail server. This provides
>additional information about the internal layout, as well as provide
>information about the email server including manufacturer AND VERSION. The
>information below is an example of such revealed including the internal IP
>ADDRESSES of "company" firewall, the internal SMTP Server, the SMTP server
>version and make. Any and all of this information would help a hacker to
>formulate their means of attack against the SMTP server.
>
>Received:  from InternetFirewall.xxxx.com ([192.168.2.2])          by
>xxx.xxxx.com (Lotus Domino Release 5.0.12)          with ESMTP id
>2003091709334798:6523 ;          Wed, 17 Sep 2003 09:33:47 -0500
>Received:  from mailfilter.xxxx.com by InternetFirewall.xxxx.com
>via smtpd (for xxx.xxxx.com [192.168.100.27]) with ESMTP; Wed, 17 Sep 2003
>09:21:48 -0500
>Received:  from ntfw1.xxxx.com (sea2-f56.sea2.hotmail.com [207.68.165.56])
>by mailfilter.xxxx.com (Content Technologies SMTPRS 4.3.10) with ESMTP id
><T64bb4eadffc0a8b415490 at mailfilter.xxxx.com> for <john_beck at xxxx.com>; Wed,
>17 Sep 2003 09:33:45 -0500
>Received:  from sea2-f56.sea2.hotmail.com ([207.68.165.56]) by
>ntfw1.xxxx.com          via smtpd (for mailfilter.xxxx.com [192.168.180.21])
>with ESMTP; Wed, 17 Sep 2003 09:21:33 -0500
>Received:  from mail pickup service by hotmail.com with Microsoft SMTPSVC;
>Wed, 17 Sep 2003 07:34:23 -0700
>Received:  from (external ip address) 63.x.x.50 by
>sea2fd.sea2.hotmail.msn.com with HTTP;	Wed, 17 Sep 2003 14:34:22 GMT
>X_Originating_IP:  [63.x.x.50]
>
>I have examined email headers from other systems and see that some
>information is inherent.
>What is "Best Practice" for a proper email header?  I would like external ip
>address to show up, but that will take a bit of re-configuring.  The people
>that did security assessment before I came brought this to attention, but
>offered no solution to resolve.  I appreciate any and all assistance.
>
>Thank You
>John Beck
>
>_______________________________________________
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see:
>http://www.dshield.org/mailman/listinfo/list

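An added example, not part of the original thread: a short Python check an administrator could run over a copy of their own outbound mail to list which Received hops expose private addresses or product/version banners, the two leaks described in the question. The sample message is adapted from the headers quoted above; `audit_received` and the two regexes are illustrative names, not from any mail product.

```python
import ipaddress
import re
from email import message_from_string

# Sample adapted from the Received lines quoted in the post (folded per RFC 5322).
SAMPLE = """\
Received: from InternetFirewall.xxxx.com ([192.168.2.2])
\tby xxx.xxxx.com (Lotus Domino Release 5.0.12) with ESMTP id
\t2003091709334798:6523; Wed, 17 Sep 2003 09:33:47 -0500
Received: from mailfilter.xxxx.com by InternetFirewall.xxxx.com
\tvia smtpd (for xxx.xxxx.com [192.168.100.27]) with ESMTP;
\tWed, 17 Sep 2003 09:21:48 -0500
Received: from ntfw1.xxxx.com (sea2-f56.sea2.hotmail.com [207.68.165.56])
\tby mailfilter.xxxx.com (Content Technologies SMTPRS 4.3.10) with ESMTP;
\tWed, 17 Sep 2003 09:33:45 -0500
Received: from sea2-f56.sea2.hotmail.com ([207.68.165.56]) by ntfw1.xxxx.com
\tvia smtpd (for mailfilter.xxxx.com [192.168.180.21]) with ESMTP;
\tWed, 17 Sep 2003 09:21:33 -0500
Subject: header audit sample

body
"""

# Dotted quad not embedded in a longer dotted number (so "5.0.12" is ignored).
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Parenthesised comment of the form "(Product Name 1.2.3)".
BANNER = re.compile(r"\(([A-Za-z][^()]*?\s\d+(?:\.\d+)+)\)")


def audit_received(raw_message):
    """Return (hop, kind, value) for each internal IP or software banner found."""
    findings = []
    msg = message_from_string(raw_message)
    for hop, value in enumerate(msg.get_all("Received", [])):
        line = " ".join(value.split())  # unfold continuation lines
        for candidate in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # four dotted numbers that are not a valid address
            if addr.is_private:  # RFC 1918 and other non-public ranges
                findings.append((hop, "internal_ip", candidate))
        for banner in BANNER.findall(line):
            findings.append((hop, "software_banner", banner))
    return findings


if __name__ == "__main__":
    for hop, kind, value in audit_received(SAMPLE):
        print(f"hop {hop}: {kind}: {value}")
```

Hop 0 is the most recent Received line; the public Hotmail address is not reported because only non-public ranges are flagged.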