[Dshield] Can an SMTP Client be Spoofed?
dshield at oitc.com
Mon Apr 24 19:25:21 GMT 2006
At 1:29 PM -0400 4/24/06, David Cary Hart wrote:
>On Mon, 24 Apr 2006 12:15:40 -0400
>Tom <dshield at oitc.com> opined:
>> At 11:29 AM -0400 4/24/06, David Cary Hart wrote:
>> >While I realize that headers are subject to manipulation, I have
>> >always assumed that the IP address of the connecting machine (as
>> >represented in the mail log) has an extraordinary probability of
>> >being correct. Is my assumption valid?
>> Yes, SMTP requires TCP, which is a bidirectional protocol that
>> requires a valid IP.
>> >Getting back to the headers, has anyone seen a situation where the
>> >client depicted in the email headers does not match the client
>> >depicted in the logs?
>> Client? Do you mean host?
>No. In Postfix-speak, the "client" is either the IP address or host
>of the machine connecting to the mail server. Example:
>Log: connect from mail2.dshield.org[126.96.36.199]
>Config: smtpd_recipient_restrictions =
> check_sender_access hash:/etc/postfix/access,
>. . .
> check_client_access regexp:/etc/postfix/client_checks,
>I could reject the example with a Regular Expression in client_checks
>for either the IP address or the host. In other words, the host is a
OK, here is an example; below is a Postfix header:
Received: from oitc.com (musky.oitc.com [188.8.131.52])....
My mailserver announces EHLO oitc.com and Postfix did a reverse
lookup of 184.108.40.206 and found musky.oitc.com. I would expect that
the logs would show musky.oitc.com [220.127.116.11].
Given that mailservers can be multi-homed and (under BIND 9) so can
PTR records, I would expect that there would be lots of times that the
header and log FQDNs would be different.
Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax),
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trshaw at mac.com
Google Talk: trshaw at gmail.com
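As an added example (not from the thread or from Postfix), the script below parses a Postfix-style Received header and the matching smtpd "connect from" log line and reports which fields differ: the peer IP is the one TCP guarantees, the reverse-DNS name depends on PTR data, and the EHLO name is whatever the client announced. The sample lines and IP addresses are constructed.

```python
import re

# Constructed sample input modelled on the thread; 192.0.2.0/24 is documentation space.
RECEIVED = "Received: from oitc.com (musky.oitc.com [192.0.2.10]) by mx.example.net"
LOG_LINE = "Apr 24 13:29:01 mx postfix/smtpd[1234]: connect from musky.oitc.com[192.0.2.10]"

# Postfix writes "from <EHLO name> (<reverse-DNS name> [<peer IP>])" into Received.
RECEIVED_RE = re.compile(r"Received: from (\S+) \(([^\s\[]+) \[([0-9.]+)\]\)")
# smtpd logs the same peer as "connect from <reverse-DNS name>[<peer IP>]" (or "unknown").
LOG_RE = re.compile(r"connect from ([^\s\[]+)\[([0-9.]+)\]")


def parse_received(header):
    """Split a Received header into EHLO name, reverse-DNS name and peer IP."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return {"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3)}


def parse_log(line):
    """Extract reverse-DNS name and peer IP from a smtpd 'connect from' line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"rdns": m.group(1), "ip": m.group(2)}


def compare_client(header, line):
    """Return findings explaining any difference between header and log client."""
    h, l = parse_received(header), parse_log(line)
    if h is None or l is None:
        return ["unparseable input"]
    findings = []
    if h["ip"] != l["ip"]:
        # The bracketed IP is taken from the TCP peer; a mismatch means the header
        # and log do not describe the same connection and needs investigating.
        findings.append("peer IP differs: header %s vs log %s" % (h["ip"], l["ip"]))
    if h["rdns"] != l["rdns"]:
        # Same peer IP but a different PTR answer (multi-homed host, changed PTR).
        findings.append("reverse-DNS name differs: header %s vs log %s" % (h["rdns"], l["rdns"]))
    if h["helo"] != h["rdns"]:
        # Expected and harmless on its own: EHLO is client-supplied, not looked up.
        findings.append("EHLO name %s differs from reverse-DNS name %s (client-supplied)"
                        % (h["helo"], h["rdns"]))
    return findings


if __name__ == "__main__":
    for f in compare_client(RECEIVED, LOG_LINE):
        print(f)
```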