[Dshield] Message headers

Cefiar cef at optus.net
Fri Dec 2 17:26:34 GMT 2005

On Friday 02 December 2005 09:34, Valdis.Kletnieks at vt.edu wrote:
> On Thu, 01 Dec 2005 16:46:54 EST, steven parks said:
> > the last line is added by your own server and can't be forged (unless
> > your server has been compromised of course), all the rest can be forged.
> Actually, it's the *topmost* Received: line, and subsequent lines that form
> an *unbroken* chain of "Received: from XYZ by <machine of yours>", where
> XYZ is *also* a machine of yours.  In my particular case, there are usually
> 4 to 5 of these added by machines I trust (as they're admin'ed by either
> myself or the guy in the next cubicle).  The next Received: line is
> possibly open to forgery, as it's not one written by your systems - it was
> created by some other system.

To be meticulous, you should confirm that by checking the logs on the machine
in question to make sure they match up.

The reason I state this is that I have seen a compromised secondary MX; in
this case they set up a simple TCP tunnel redirector, where mail was forged
with the appropriate Received headers. The redirection fed it to the next
host down the chain, and because the connection originated from the secondary
MX, the mail was accepted and logged in that mail host's Received headers as
such. The forged headers were pretty much what the secondary MX would
normally add, but identified the mail as coming in from different systems than
the ones the mail was actually coming in from. The admin in question was trying to
track down these invalid hosts, and not getting anywhere, as he was acting on
incorrect data.

It's good to double check sometimes.

 Stuart Young - aka Cefiar - cef at optus.net
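An added example (mine, not code from the poster or the list) of the two checks discussed in this thread: walking the Received: chain topmost-first to find where the lines written by our own hosts end, and then cross-checking the line the secondary MX wrote against that host's own log, which is what catches the forged-relay case described above. All host names, IPs, queue ids and the log entry are constructed.

```python
import re

# Constructed sample, topmost line first as it appears in the delivered message.
# Hosts in TRUSTED are "ours"; the rest are somebody else's.
RECEIVED = [
    "from mx2.example.org (mx2.example.org [192.0.2.20]) by mail.example.org with ESMTP id q1",
    "from mx-backup.example.net (mx-backup.example.net [198.51.100.5]) by mx2.example.org with ESMTP id q2",
    "from relay.partner.example (relay.partner.example [203.0.113.7]) by mx-backup.example.net with SMTP id q3",
    "from [10.0.0.5] by relay.partner.example with SMTP id q4",
]
TRUSTED = {"mail.example.org", "mx2.example.org", "mx-backup.example.net"}

# Constructed log of the secondary MX: queue id -> peer IP the SMTP connection really came from.
# q3 disagrees with its Received: line, the symptom the post describes.
MX_BACKUP_LOG = {"q3": "192.0.2.99"}

# "from <name> (<comment> [<ip>]) ... by <host>"; the bracketed IP is optional.
HOP = re.compile(r"^from\s+(\S+)(?:\s+\(.*?\[([\d.]+)\]\))?.*?\bby\s+(\S+)", re.I | re.S)

def parse_hop(line):
    """Return (from_name, from_ip_or_None, by_host) or None if the line is not a hop."""
    m = HOP.match(line.strip())
    return (m.group(1), m.group(2), m.group(3)) if m else None

def trusted_chain(headers, trusted):
    """Return (number of trustworthy lines, peer named by the last one).
    A line is trustworthy while it was written 'by' one of our hosts. The first
    such line whose 'from' is not ours names the real handoff; every line below
    it was written by another system and is open to forgery."""
    count, peer = 0, None
    for line in headers:
        hop = parse_hop(line)
        if hop is None or hop[2] not in trusted:
            break
        count += 1
        if hop[0] not in trusted:
            peer = hop[1] or hop[0]
            break
    return count, peer

def verify_against_log(line, log):
    """Cross-check a Received: line with the log of the host that wrote it:
    the peer IP in the header must match what the log saw for that queue id.
    Returns True/False, or None when the queue id is not in the log."""
    hop = parse_hop(line)
    qid = re.search(r"\bid\s+(\S+)", line)
    if not hop or not qid or qid.group(1) not in log:
        return None
    return hop[1] == log[qid.group(1)]
```

On the sample, the chain check trusts the top three lines and names 203.0.113.7 as the handoff, but the log check on the secondary MX's line fails, which is exactly the discrepancy the post says the admin was missing.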
