[Dshield] Message headers

Jeff Kell jeff-kell at utc.edu
Fri Dec 2 05:42:34 GMT 2005


steven parks wrote:
> the last line is added by your own server and can't be forged (unless your
> server has been compromised of course), all the rest can be forged.

It's actually the *first* line added by your own server, but I think that's what you meant, just making sure that doesn't confuse anyone.  Hopefully your server provides all of the identifying pieces of the header, such as:

> Received: from iceman12-int.giac.net (mail2.dshield.org [65.173.218.116])
> 	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
> 	(No client certificate requested)
> 	by cuda.utc.edu (Spam Firewall) with ESMTP id EF569D00308B
> 	for <jeff-kell at utc.edu>; Thu,  1 Dec 2005 16:39:27 -0500 (EST)

In pieces, this shows:

> Received: from iceman12-int.giac.net    ### sending envelope RFC821 HELO/EHLO hostname
>       (mail2.dshield.org    ### reverse DNS of sending IP
>       [65.173.218.116])     ### IP of the sending MTA
>       (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
>       (No client certificate requested)   ### authentication/encryption information
>       by cuda.utc.edu   ### local name on your end
>       with ESMTP id EF569D00308B   ### local message ID
>       for <jeff-kell at utc.edu>;   ### sending envelope RFC821 RCPT TO:<>
>       Thu,  1 Dec 2005 16:39:27 -0500 (EST)   ### local server timestamp

Received headers *after* this line are whatever the sender provides.  If the next sender matches up to where your server says it came from, or you otherwise trust the next sender, that header may be accurate; otherwise it could very well be forged.  This continues down the line.  Think of it as chasing down the "chain of custody" of the message :-)

Jeff

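As an added example (not from Jeff's post or from the list software), a small Python parser that splits a Received header into the pieces walked through above and then follows the chain newest-first, trusting each older hop only while the host it names after "by" is the one the newer, already-trusted hop actually received from. The first hop is the one from the post; the two older hops, their ids and addresses are constructed, with the last one deliberately not lining up.

```python
import re

# Constructed sample, newest first, in the order email.message_from_string(raw)
# .get_all("Received") returns them. Hop 0 is the header from the post; 1 and 2 are made up.
SAMPLE_RECEIVED = [
    "from iceman12-int.giac.net (mail2.dshield.org [65.173.218.116])\n"
    "\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))\n"
    "\t(No client certificate requested)\n"
    "\tby cuda.utc.edu (Spam Firewall) with ESMTP id EF569D00308B\n"
    "\tfor <jeff-kell@utc.edu>; Thu,  1 Dec 2005 16:39:27 -0500 (EST)",
    "from localhost (localhost [127.0.0.1]) by mail2.dshield.org (Postfix)\n"
    "\twith ESMTP id 1A2B3C4D for <list@dshield.org>; Thu,  1 Dec 2005 16:39:20 -0500 (EST)",
    "from mailer.example (unknown [198.51.100.7]) by relay.example.org (Postfix)\n"
    "\twith ESMTP id ABC123; Thu,  1 Dec 2005 16:30:00 -0500 (EST)",
]

# One Received clause, split into the pieces the post walks through.
HOP_RE = re.compile(
    r"from (?P<helo>\S+)"                                      # sender's HELO/EHLO name
    r"(?: \((?:(?P<rdns>[^\s\[\]]+) )?\[(?P<ip>[^\]]+)\]\))?"  # receiver's rDNS + observed IP
    r".*? by (?P<by>\S+)"                                      # receiving MTA's own name
    r"(?:.*? id (?P<id>\S+))?"                                 # receiver's message id
    r"(?:.*? for <(?P<rcpt>[^>]+)>)?"                          # envelope RCPT TO
    r".*?; (?P<date>.+)$"                                      # receiver's timestamp
)

def parse_received(raw):
    """Unfold one Received header and split it into its pieces; None if unparseable."""
    m = HOP_RE.match(" ".join(raw.split()))
    return m.groupdict() if m else None

def trusted_hops(received):
    """Newest-first walk of the chain of custody; returns (trusted_hops, remaining_raw).
    Hop 0 is our own server's and is taken at face value. An older hop counts only if the
    MTA it names after 'by' is the host the newer, trusted hop actually received from (rDNS
    or IP). The first hop that fails, and everything older, is just sender-supplied text."""
    trusted, prev = [], None
    for raw in received:
        hop = parse_received(raw)
        if hop is None:
            break
        if prev is not None:
            seen_from = {v.lower() for v in (prev["rdns"], prev["ip"]) if v}
            if hop["by"].lower() not in seen_from:
                break
        trusted.append(hop)
        prev = hop
    return trusted, received[len(trusted):]
```

Only the rDNS name and IP are used for the match, since those were recorded by the receiving side; the HELO name is whatever the sender chose to say.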