[Dshield] [DShield] Need Help - Or Advise

Laurent Saplairoles lsaplai at megassistance.com
Fri Aug 19 00:57:27 GMT 2005



On 18 Aug 2005 at 19:41, Mike Wydra wrote:

> My Friends:
> 
> First - THANK-YOU to whoever it was that posted the warning about the
> "Osama Bin Laden Captured" hoax. Someone sent me the damn thing today
> and no - I didn't open the attachment. I also received another one
> called "The Post Office," which also has an attachment, and looks
> fishy. 
> 
> I don't have a spare machine set up that I could run these things on
> (and see what they are) but if someone else wants the honors, I can
> forward. What I need help/advice on is this: I think I know how to
> determine the originating IP from the headers. In these two cases, it
> appears that both e-mails came out of Europe (both went through the
> Netherlands). Am I correct that the VERY first "received" line is the
> sender's IP addy? Thanks for any answers. I know you guys are busy with
> the current patch crisis.
> 

No, it is not the IP of the sender. It is the IP of the last server through which the message 
has been relayed. Quite likely, it is the IP of the sender's ISP, but you can't be 100% 
sure.

That "received" line has been added by the server that has received the message on 
your behalf. If you have your own SMTP server, then it has been added by a machine 
that you control and trust. If you use your ISP's services, you might decide to trust the 
accuracy of that header.

However, a sending MTA could spoof its address. Often, a server will announce itself 
with an IP but actually another IP is used in the connection. You should be able to see 
that in your logs if you have access to them.

Nevertheless, trust what you see: you can always try to contact the abuse e-mail at that 
IP to complain about the spam.

Cheers!
-- 
Laurent
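The header walk Laurent describes, as an added example that is not part of the list post: it parses the Received chain of a constructed message (placeholder hostnames and documentation-range addresses, not a real capture), walks the lines top-down to the first one added by a server you control, reports the IP that connected to that server, and flags a hop whose announced HELO address is an IP literal that differs from the IP actually seen on the connection.

```python
import re
from email import message_from_string

# Constructed sample message (not a real capture). Hostnames and addresses are
# placeholders from the documentation ranges. The topmost Received line is the
# one the recipient's own MX added; the bottom one was added by a relay the
# recipient does not control, so its content cannot be verified.
SAMPLE = """\
Received: from mail.isp.example (mail.isp.example [203.0.113.10])
\tby mx.recipient.example (Postfix) with ESMTP id 1234ABCD
\tfor <user@recipient.example>; Thu, 18 Aug 2005 19:41:02 +0000
Received: from relay.nl.example (relay.nl.example [198.51.100.25])
\tby mail.isp.example (Postfix) with ESMTP id 5678EFGH;
\tThu, 18 Aug 2005 19:40:55 +0000
Received: from [203.0.113.99] (unknown [192.0.2.200])
\tby relay.nl.example (Postfix) with SMTP id 9ABCIJKL;
\tThu, 18 Aug 2005 19:40:40 +0000
From: someone@example.net
To: user@recipient.example
Subject: Osama Bin Laden Captured

(body omitted)
"""

FROM = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)       # HELO name (or literal)
PAREN = re.compile(r"\(([^)]*)\)")                          # "(rdns [ip])" block
HELO_KV = re.compile(r"helo=([^\s)]+)", re.IGNORECASE)      # Exim-style helo=...
BY = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)             # server that wrote the line
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")         # bracketed connecting IP
IPLIT = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_received(value):
    """Split one Received header into the HELO name, connecting IP and 'by' host."""
    text = " ".join(value.split())  # unfold continuation lines
    from_m = FROM.search(text)
    helo = from_m.group(1).strip("[]") if from_m else None
    kv = HELO_KV.search(text)
    if kv:
        helo = kv.group(1)
    # Prefer the IP the receiving server recorded in parentheses over the
    # HELO literal the sender announced; fall back to any bracketed IP.
    ip = None
    paren = PAREN.search(text[from_m.end():]) if from_m else None
    if paren:
        m = IPV4.search(paren.group(1))
        ip = m.group(1) if m else None
    if ip is None:
        m = IPV4.search(text)
        ip = m.group(1) if m else None
    by_m = BY.search(text)
    return {"helo": helo, "ip": ip, "by": by_m.group(1) if by_m else None}


def hops(raw):
    """Received lines in header order: topmost (newest, nearest to you) first."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def trusted_hop(raw, my_servers):
    """First hop written by a server you control; its 'ip' is the last relay that
    connected to you, not necessarily the originator. Lower hops are hearsay."""
    for hop in hops(raw):
        if hop["by"] in my_servers:
            return hop
    return None


def helo_findings(hop):
    """Flag a HELO given as an IP literal that does not match the connecting IP."""
    findings = []
    helo, ip = hop["helo"], hop["ip"]
    if helo and ip and IPLIT.fullmatch(helo) and helo != ip:
        findings.append(f"HELO literal {helo} differs from connecting IP {ip}")
    return findings


if __name__ == "__main__":
    for i, hop in enumerate(hops(SAMPLE)):
        print(i, hop, helo_findings(hop))
    print("trusted:", trusted_hop(SAMPLE, {"mx.recipient.example"}))
```

Only the hop written by your own server (or one you choose to trust, such as your ISP's) is evidence; the IP in that line is who connected to you, and anything below it was written by machines outside your control.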
