[Dshield] Message headers
cef at optus.net
Fri Dec 2 17:26:34 GMT 2005
On Friday 02 December 2005 09:34, Valdis.Kletnieks at vt.edu wrote:
> On Thu, 01 Dec 2005 16:46:54 EST, steven parks said:
> > the last line is added by your own server and can't be forged (unless
> > your server has been compromised of course), all the rest can be forged.
> Actually, it's the *topmost* Received: line, and subsequent lines that form
> an *unbroken* chain of "Received: from XYZ by <machine of yours>", where
> XYZ is *also* a machine of yours. In my particular case, there are usually
> 4 to 5 of these added by machines I trust (as they're admin'ed by either
> myself or the guy in the next cubicle). The next Received: line is
> possibly open to forgery, as it's not one written by your systems - it was
> created by some other system.
To be meticulous, you should confirm that by checking the logs on the machine
in question to make sure they match up.

The reason I state this is that I have seen a compromised secondary MX, in
this case they set up a simple tcp tunnel redirector, where mail was forged
with the appropriate received headers. The redirection fed it to the next
host down the chain, and because the connection originated from the secondary
MX, the mail was accepted and logged in that mail host's Received headers as
such. The forged headers were pretty much what the secondary MX would
normally add, but identified the mail as coming in from different systems to
where the actual mail was coming in from. The admin in question was trying to
track down these invalid hosts, and not getting anywhere, as he was acting on

It's good to double check sometimes.
Stuart Young - aka Cefiar - cef at optus.net
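As an added illustration of the "unbroken chain of Received: lines written by machines you trust" rule discussed in this thread (example code, not from the list posters), the script below walks a message's Received: headers top-down and reports the first hop that cannot be vouched for. The host names, the trusted-host set and the sample message are constructed placeholders, and the trust rule is an assumption: a header counts as ours only if the "by" host is one we administer, and the chain ends at the first header whose "from" host is not. It does not do the log cross-check the post above recommends.

```python
import email
import re

# Constructed placeholder set of MTAs we administer (assumption).
TRUSTED_HOSTS = {"mail.example.org", "mx1.example.org", "mx2.example.org"}

# "Received: from <host> ... by <host> ..." is the shape we care about.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>[^\s(]+).*?\bby\s+(?P<by>[^\s(;]+)", re.IGNORECASE)


def parse_received(value):
    """Return (from_host, by_host) for one Received: header, or None.

    Folded continuation lines are joined first. A header with no "from"
    clause (e.g. a locally submitted message) yields None, which the
    caller treats as a hop it cannot vouch for."""
    m = RECEIVED_RE.search(" ".join(str(value).split()))
    if not m:
        return None
    return m.group("from").lower(), m.group("by").lower()


def trusted_chain(raw_message, trusted=TRUSTED_HOSTS):
    """Walk Received: headers from the topmost (last hop) downward.

    Returns (hops, first_untrusted): hops is the list of (from, by) pairs
    forming the unbroken chain of headers written by our own machines, and
    first_untrusted is the first header that could have been forged, or
    None if every hop was written by and received from our own hosts."""
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("Received", [])
    hops = []
    for i, value in enumerate(headers):
        parsed = parse_received(value)
        if parsed is None or parsed[1] not in trusted:
            # Not written by one of our MTAs: nothing below can be trusted.
            return hops, value
        hops.append(parsed)
        if parsed[0] not in trusted:
            # Our MTA wrote this header, but the peer was outside our control,
            # so every header below this one was supplied by someone else.
            return hops, (headers[i + 1] if i + 1 < len(headers) else None)
    return hops, None


# Constructed sample: three hops between our own machines, then a foreign relay.
SAMPLE = """\
Received: from mx2.example.org (mx2.example.org [192.0.2.2])
\tby mail.example.org with ESMTP id 1; Fri, 2 Dec 2005 17:20:00 +0000
Received: from mx1.example.org (mx1.example.org [192.0.2.1])
\tby mx2.example.org with ESMTP id 2; Fri, 2 Dec 2005 17:19:58 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx1.example.org with ESMTP id 3; Fri, 2 Dec 2005 17:19:55 +0000
Received: from somewhere.invalid (unknown [203.0.113.9])
\tby relay.example.net with SMTP id 4; Fri, 2 Dec 2005 17:19:50 +0000
From: sender@example.net
To: user@example.org
Subject: test

body
"""

if __name__ == "__main__":
    hops, suspect = trusted_chain(SAMPLE)
    for frm, by in hops:
        print(f"trusted hop: {frm} -> {by}")
    print("first header open to forgery:", " ".join(str(suspect).split()))
```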