[Dshield] [DShield] Need Help - Or Advise

Tom dshield at oitc.com
Fri Aug 19 02:28:10 GMT 2005

However, the mail protocol is trustworthy (in reporting the last IP) 
and the IP that the transaction came from is the IP listed on the 
first line of your email.  All other information is suspect.


At 8:57 PM -0400 8/18/05, M Cook wrote:
>The very first received line that you can trust is most likely the
>sender's address.
>Spam is by its nature untrustworthy. They are lying about everything
>else, they might as well lie about the headers -- or at least you can't
>trust them even if they are being truthful. Very often they will add
>other headers, just to confuse things, or because they are copying an
>existing e-mail. So don't trust anything that you didn't put in the
>email yourself, or that one of your machines put there.
>On the other hand, e-mail that arrived at your e-mail server (which we
>assume you can trust) likely came from either the spammer himself, or
>from a relay that the spammer is using. In other words, THE MACHINE THAT
>GAVE IT TO YOUR MAIL SERVER is responsible for the spam, unless it comes
>via some other relay that you can trust.
>Keep in mind that that machine is fairly likely to be a zombie or part
>of a botnet, so whoever the human is at that machine may not have any
>idea that her machine is sending that message or relaying it. But it is
>still the machine responsible for sending the spam to you.
>Mike Wydra wrote:
>>My Friends:
>>First - THANK-YOU to whoever it was that posted the warning about 
>>the "Osama Bin Laden Captured" hoax. Someone sent me the damn thing 
>>today and no - I didn't open the attachment. I also received 
>>another one called "The Post Office," which also has an attachment, 
>>and looks fishy.
>>I don't have a spare machine set up that I could run these things 
>>on (and see what they are) but if someone else wants the honors, I 
>>can forward. What I need help/advice on is this: I think I know how 
>>to determine the originating IP from the headers. In these two 
>>cases, it appears that both e-mails came out of Europe (Both went 
>>through the Netherlands). Am I correct that the VERY first 
>>"received" line is the sender's IP addy? Thanks for any answers. I 
>>know you guys are busy with the current patch crisis.
>>Mike Wydra
>>AT&T   USA
>>send all posts to list at lists.dshield.org
>>To change your subscription options (or unsubscribe), see: 


Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html

PGP Public Keys available at:
PGP's Key Server: ldap://keyserver.pgp.com/
OITC's Public Key List: http://www.oitc.com/OITC/PGPKeys.html
14A7 A308 266A 3646 FBA8  9A86 E139 F108 B1BE 37BD
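The rule the thread arrives at (trust only the Received: lines your own servers wrote, walk down through your own relays, and take the first IP that is not yours as the machine responsible for handing you the spam) can be made mechanical. The script below is an added example written for this archive page, not code from any of the posters; the hostnames and addresses in it are assumed documentation values, and the sample message is constructed to look like the hoax mail Mike describes, with a forged bottom Received: line that the script deliberately ignores.

```python
"""Find the IP that handed a message to our mail servers.

Added example (not from the thread). Walks the Received: chain from the
top (the line our own MX added) downward, skipping hops between our own
relays, and returns the first address that is not ours. Hostnames and IPs
are assumed documentation values, chosen only for illustration.
"""
import email
import re
from dataclasses import dataclass
from typing import Optional

# Assumed inventory of our own mail infrastructure. A hop's "by" host must
# be one of OUR_HOSTS before we believe we wrote that line, and a "from"
# IP in INTERNAL_RELAY_IPS marks the hop as an internal handoff.
OUR_HOSTS = {"mx.ourdomain.example", "relay.ourdomain.example"}
INTERNAL_RELAY_IPS = {"192.0.2.10"}

# "from <helo> (<rdns> [<ip>]) by <host> ..."; the receiving server writes
# the parenthesised part, so the bracketed IP is what *it* observed. The
# HELO name before it is whatever the sender chose to announce.
HOP_RE = re.compile(r"^from\s+(?P<from_part>.*?)\s+by\s+(?P<by>[^\s;]+)",
                    re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    helo: Optional[str]  # name the sending host announced (forgeable)
    ip: Optional[str]    # address the receiving server saw
    by: Optional[str]    # server that wrote this Received: line
    raw: str


def parse_hops(raw_message: str) -> list[Hop]:
    """Return Received: hops in header order: newest (added by us) first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.match(flat)
        if not m:
            hops.append(Hop(None, None, None, flat))
            continue
        from_part = m.group("from_part")
        ip = IP_RE.search(from_part)
        hops.append(Hop(from_part.split()[0], ip.group(1) if ip else None,
                        m.group("by").lower(), flat))
    return hops


def originating_ip(raw_message: str) -> Optional[str]:
    """IP of the first machine outside our control, or None if the chain
    cannot be trusted even at the top."""
    for hop in parse_hops(raw_message):
        if hop.by not in OUR_HOSTS or hop.ip is None:
            return None  # not verifiably written by us: stop here
        if hop.ip in INTERNAL_RELAY_IPS:
            continue     # our own relay handed it on: look one hop down
        return hop.ip    # everything below this line is the sender's word
    return None


# Constructed sample: our MX got it from our internal relay, which got it
# from a host in the Netherlands. The bottom Received: line names a large
# webmail provider but was supplied by the sender and proves nothing.
SAMPLE = """\
Received: from relay.ourdomain.example (relay.ourdomain.example [192.0.2.10])
\tby mx.ourdomain.example (Postfix) with ESMTP id 4F2x9Z
\tfor <mike@ourdomain.example>; Thu, 18 Aug 2005 20:51:02 -0400
Received: from smtp.bigmail.example (pc77.isp.example.nl [198.51.100.77])
\tby relay.ourdomain.example (Postfix) with ESMTP id 9Bq1Lc;
\tThu, 18 Aug 2005 20:51:01 -0400
Received: from mail.bigmail.example ([203.0.113.9])
\tby smtp.bigmail.example with SMTP; Thu, 18 Aug 2005 20:40:00 -0400
From: "Breaking News" <news@bigmail.example>
Subject: Osama Bin Laden Captured
Content-Type: text/plain

see attachment
"""

if __name__ == "__main__":
    for hop in parse_hops(SAMPLE):
        print(f"{hop.by} <- {hop.ip} (announced as {hop.helo})")
    print("responsible IP:", originating_ip(SAMPLE))
```

Note that the walk keys on the bracketed IP, not on the announced HELO name: an outside host can claim to be relay.ourdomain.example in its HELO, but the address in brackets was recorded by our own server, so matching it against INTERNAL_RELAY_IPS is what keeps a spoofed hostname from dragging the walk down into forged lines.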
