[Dshield] Message headers

Valdis.Kletnieks@vt.edu
Thu Dec 1 22:34:59 GMT 2005

On Thu, 01 Dec 2005 16:46:54 EST, steven parks said:
> the last line is added by your own server and can't be forged (unless your
> server has been compromised of course), all the rest can be forged.

Actually, it's the *topmost* Received: line, and subsequent lines that form an
*unbroken* chain of "Received: from XYZ by <machine of yours>", where XYZ is
*also* a machine of yours.  In my particular case, there are usually 4 to 5 of
these added by machines I trust (as they're admin'ed by either myself or the
guy in the next cubicle).  The next Received: line is possibly open to forgery,
as it's not one written by your systems - it was created by some other system.

So analyzing the headers of the message I'm replying to:

Received: from localhost (localhost []) by turing-police.cc.vt.edu
    (my laptop, I trust this line)
Received: from fan.cc.vt.edu [] by localhost
    (my laptop got it from 'fan' - I trust that machine)
Received: from dagger.cc.vt.edu (evil-dagger.cc.vt.edu []) by lyta.cc.vt.edu
    (fan is also lyta, and a machine I trust)
Received: from iceman12-int.giac.net (mail2.dshield.org []) by dagger.cc.vt.edu
    And here we stop. Dagger is a machine I trust, but it got it from a
    giac.net machine, which isn't one that I have administrative control over.
Received: <possibly forged if mail2.dshield.org is rogue/compromised>

*Any* subsequent lines, including From/To/cc and the entire body, are open for
forgery, *including* lower-down Received: lines.
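As an added illustration (not part of Valdis's mail), here is the trust-chain walk he describes, in Python: parse the Received: lines top-down and stop at the first hop whose writing server or sending host is not one of your own. The trusted-host set, the sample headers and their placeholder IP addresses are constructed from the hops quoted above.

```python
import re
from email import message_from_string

# Hosts under our administrative control (assumed, modelled on the mail above).
TRUSTED = {"turing-police.cc.vt.edu", "localhost", "fan.cc.vt.edu",
           "lyta.cc.vt.edu", "dagger.cc.vt.edu"}

# Constructed sample, topmost line first; IPs are documentation-range placeholders.
SAMPLE = """Received: from localhost (localhost [127.0.0.1])
\tby turing-police.cc.vt.edu with ESMTP; Thu, 01 Dec 2005 16:47:01 -0500
Received: from fan.cc.vt.edu [192.0.2.10]
\tby localhost with POP; Thu, 01 Dec 2005 16:47:00 -0500
Received: from dagger.cc.vt.edu (evil-dagger.cc.vt.edu [192.0.2.20])
\tby lyta.cc.vt.edu with ESMTP; Thu, 01 Dec 2005 16:46:59 -0500
Received: from iceman12-int.giac.net (mail2.dshield.org [198.51.100.5])
\tby dagger.cc.vt.edu with ESMTP; Thu, 01 Dec 2005 16:46:58 -0500
Received: from unverified.example (claimed [203.0.113.7])
\tby iceman12-int.giac.net; Thu, 01 Dec 2005 16:46:50 -0500
From: steven parks <sp@example.invalid>
Subject: Re: [Dshield] Message headers

body
"""

# "from <helo> (<rdns> [ip]) ... by <server>": helo is client-supplied,
# rdns is what the receiving server itself looked up, server wrote the line.
HOP_RE = re.compile(r"from\s+([^\s;(]+)(?:\s+\(([^\s)]+)[^)]*\))?.*?\bby\s+([^\s;]+)", re.I)

def parse_hops(raw):
    """Return [(helo, rdns_or_None, by), ...] in header order (topmost first)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))   # unfold continuation lines
        hops.append((m.group(1), m.group(2), m.group(3)) if m else (None, None, None))
    return hops

def first_untrusted_hop(raw, trusted):
    """Index of the first Received: line that breaks the chain of our own hosts.

    Everything from that line down (and From/To/body) is unverifiable."""
    for i, (helo, rdns, by) in enumerate(parse_hops(raw)):
        if by is None or by.lower() not in trusted:      # not written by our server
            return i
        if helo.lower() not in trusted and (rdns or "").lower() not in trusted:
            return i                                     # handed in by a foreign host
    return len(parse_hops(raw))                          # whole chain is ours

if __name__ == "__main__":
    print(first_untrusted_hop(SAMPLE, TRUSTED))   # 3: the giac.net hop
```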
