[Dshield] [DShield] Need Help - Or Advise

M Cook dshieldlists at versateam.com
Fri Aug 19 00:57:57 GMT 2005


The very first received line that you can trust is most likely the the 
sender's address.

Spam is by its nature untrustworthy. They are lying about everything 
else, they might as well lie about the headers -- or at least you can't 
trust them even if they are being truthful. Very often they will add 
other headers, just to confuse things, or because they are copying an 
existing e-mail. So don't trust anything that you didn't put in the 
email yourself, or that one of your machines put there.

On the other hand, e-mail that arrived at your e-mail server (which we 
assume you can trust) likely came from either the spammer himself, or 
from a relay that the spammer is using. In other words, THE MACHINE THAT 
GAVE IT TO YOUR MAIL SERVER is responsible for the spam, unless it comes 
via some other relay that you can trust.

Keep in mind that that machine is fairly likely to be a zombie or part 
of a botnet, so whoever the human is at that machine may not have any 
idea that her machine is sending that message or relaying it. But it is 
still the machine responsible for sending the spam to you.

Mike Wydra wrote:

>My Friends:
>
>First - THANK-YOU to whoever it was that posted the warning about the "Osama Bin Laden Captured" hoax. Someone sent me the damn thing today and no - I didn't open the attachment. I also received another one called "The Post Office," which also has an attachment, and looks fishy. 
>
>I don't have a spare machine set up that I could run these things on (and see what they are) but if someone else wants the honors, I can forward. What I need help/advise on is this: I think I know how to determine the originating IP from the headers. In these two cases, it appears that both e-mails came out of Europe (Both went through the Netherlands). Am I correct that the VERY first "received" line is the senders IP addy? Thanks for any answers. I know you guys are busy with the current patch crisis.
>
>Mike Wydra
>AT&T   USA
>
>_______________________________________________
>send all posts to list at lists.dshield.org
>To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
>  
>


More information about the list mailing list