[Dshield] Can an SMTP Client be Spoofed?

David Cary Hart DShield at TQMcube.com
Mon Apr 24 17:29:22 GMT 2006


On Mon, 24 Apr 2006 12:15:40 -0400
Tom <dshield at oitc.com> opined:
> At 11:29 AM -0400 4/24/06, David Cary Hart wrote:
> >While I realize that headers are subject to manipulation, I have
> >always assumed that the IP address of the connecting machine (as
> >represented in the mail log) has an extraordinary probability of
> >being correct. Is my assumption valid?
> 
> Yes, SMTP requires TCP, which is a bidirectional protocol that
> requires a valid IP.
> 
> >Getting back to the headers, has anyone seen a situation where the
> >client depicted in the email headers does not match the client
> >depicted in the logs?
> 
> client? do you mean host?
> 
No. In Postfix-speak, the "client" is either the IP address or host
of the machine connecting to the mail server. Example:

Log: connect from mail2.dshield.org[65.173.218.116]
Config: smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/access,
. . . 
    check_client_access regexp:/etc/postfix/client_checks,

I could reject the example with a Regular Expression in client_checks
for either the IP address or the host. In other words, the host is a
client -;)
-- 
Our DNSRBL - Eliminate Spam: http://www.TQMcube.com
Multi-RBL Check: http://www.TQMcube.com/rblcheck.php
The Dirty Dozen Spammiest Ranges: http://tqmcube.com/dirty12.php