[Dshield] little experiment

Brance Amussen :)_S brance at jhu.edu
Wed Mar 2 21:39:38 GMT 2005

It doesn't work on Windows either, as my previous post points out.. 
>From what I have read so far, the only reason I can see for a client and
server to give/get the IP address is for identification, and why isn't
domain name good enough? according to RFC 2821;

In the EHLO command the host sending the command identifies itself;
   the command may be interpreted as saying "Hello, I am <domain>" (and,
   in the case of EHLO, "and I support service extension requests").

However, it is the server which actually comes back with the local IP. Also
the MTA which constructs the header attached to the actual mail is the one
responsible for adding the local IP to the mail headers.. 
In addition I can find no good reason for the IP address to be a part of the
header, excepting of course for logging purposes, and perhaps forensics.. In
fact RFC822-Standard for the format of ARPA Internet text messages. Doesn't
even have the words "IP Address" in it at all... (couldn't find an
obsoleting RFC.. Didn't have much time to look however..)

Please feel free to correct me if I am wrong.. 

So why have it in there??? Some developer out there must know.. Could it be
Carnivore, or Echelon again?? ;) (not to start any more conspiracy

Brance :)_S


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Henry Hertz Hobbit
Sent: Wednesday, March 02, 2005 1:29 PM
To: General DShield Discussion List
Cc: hhhobbit at comcast.net
Subject: Re: [Dshield] little experiment

> I don't know how Thunderbird works but here is what I did for my email
> Polarbar gets the IP of the machine it is running on and does a DNS 
> lookup, if it does not resolve it uses the IP for the HELO.  If it 
> does resolve it uses the resolved domain name for the HELO.  I added 
> my machines IP to the HOSTS file and put the domain name I wanted to 
> use externally there.  Since this is a laptop using DHCP at home I 
> always get the same IP and when I travel, who knows what IP comes up, 
> I really don't care if the IP is used but if I did I could change the
HOSTS file.

I am the one that first said that your IP shows up in the email header in
the thread.

Your method does NOT work on Linux, OpenBSD or most other versions of Unix
(not tested on all of them).  Further, it doesn't matter whether or not you
are using Thunderbird, Evolution, or some other MUA.  In answer to the next
question I see forthcoming, YES, my nsswitch.conf file has ALWAYS had files
first (on Unix it goes to each in order as specified). 
I currently use:

hosts:      files dns

I am not using nis, nisplus, or db on this machine.  So if you were counting
on this tip to work, it is some sort of anomaly that only works with
Windows.  I am trying to think if there is some reason it needs to be there
from the transport layer network perspective, and don't have an answer right
now.  By that I mean, if you have multiple machines on an internal NAT'd
subnet all talking to the same external SMTP server, is it needed to avoid
collisions?  I would say no, since each connection IS a dedicated TCP
connection.  For some reason there is this nagging thought in the back of my
mind that the sending IP is required by some RFC for email.

Key Name:  "Henry Hertz Hobbit"
Key fingerprint = 924E BE61 1ACF B87A DCA9 009E E74C 183D 0164 F7D5

-------------- Sponsor Message ------------------------------------
SANS Intrusion Immersion Training: Orlando, FL, February 3-9th

send all posts to list at lists.dshield.org To change your subscription options
(or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

More information about the list mailing list