[Dshield] Message headers
Valdis.Kletnieks at vt.edu
Thu Dec 1 22:34:59 GMT 2005
On Thu, 01 Dec 2005 16:46:54 EST, steven parks said:
> the last line is added by your own server and can't be forged (unless your
> server has been compromised of course), all the rest can be forged.
Actually, it's the *topmost* Received: line, and subsequent lines that form an
*unbroken* chain of "Received: from XYZ by <machine of yours>", where XYZ is
*also* a machine of yours. In my particular case, there are usually 4 to 5 of
these added by machines I trust (as they're admin'ed by either myself or the
guy in the next cubicle). The next Received: line is possibly open to forgery,
as it's not one written by your systems - it was created by some other system.
So analyzing the headers of the message I'm replying to:
Received: from localhost (localhost [127.0.0.1]) by turing-police.cc.vt.edu
(my laptop, I trust this line)
Received: from fan.cc.vt.edu [184.108.40.206] by localhost
(my laptop got it from 'fan' - I trust that machine)
Received: from dagger.cc.vt.edu (evil-dagger.cc.vt.edu [10.1.1.11]) by lyta.cc.vt.edu
(fan is also lyta, and a machine I trust)
Received: from iceman12-int.giac.net (mail2.dshield.org [220.127.116.11]) by dagger.cc.vt.edu
And here we stop. Dagger is a machine I trust, but it got it from a
giac.net machine, which isn't one that I have administrative control over.
Received: <possibly forged if mail2.dshield.org is rogue/compromised>
*Any* subsequent lines, including From/To/cc and the entire body, are open for
forgery, *including* lower-down Received: lines.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 226 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/list/attachments/20051201/839b101e/attachment.bin
More information about the list