[Dshield] Can an SMTP Client be Spoofed?
David Cary Hart
DShield at TQMcube.com
Mon Apr 24 17:29:22 GMT 2006
On Mon, 24 Apr 2006 12:15:40 -0400
Tom <dshield at oitc.com> opined:
> At 11:29 AM -0400 4/24/06, David Cary Hart wrote:
> >While I realize that headers are subject to manipulation, I have
> >always assumed that the IP address of the connecting machine (as
> >represented in the mail log) has an extraordinary probability of
> >being correct. Is my assumption valid?
> Yes SMTP requires TCP which is a bidirectional protocol which
> required a valid IP
> >Getting back to the headers, has anyone seen a situation where the
> >client depicted in the email headers does not match the client
> >depicted in the logs?
> client? do you mean host?
No. In Postfix-speak, the "client" is either the IP address or host
of the machine connecting to the mail server. Example:
Log: connect from mail2.dshield.org[188.8.131.52]
Config: smtpd_recipient_restrictions =
. . .
I could reject the example with a Regular Expression in client_checks
for either the IP address or the host. In other words, the host is a
Our DNSRBL - Eliminate Spam: http://www.TQMcube.com
Multi-RBL Check: http://www.TQMcube.com/rblcheck.php
The Dirty Dozen Spammiest Ranges: http://tqmcube.com/dirty12.php
More information about the list