[Dshield] Can an SMTP Client be Spoofed?

Tom dshield at oitc.com
Mon Apr 24 19:25:21 GMT 2006

At 1:29 PM -0400 4/24/06, David Cary Hart wrote:
>On Mon, 24 Apr 2006 12:15:40 -0400
>Tom <dshield at oitc.com> opined:
>>  At 11:29 AM -0400 4/24/06, David Cary Hart wrote:
>>  >While I realize that headers are subject to manipulation, I have
>>  >always assumed that the IP address of the connecting machine (as
>>  >represented in the mail log) has an extraordinary probability of
>>  >being correct. Is my assumption valid?
>>  Yes, SMTP requires TCP, which is a bidirectional protocol, which
>>  requires a valid IP
>>  >Getting back to the headers, has anyone seen a situation where the
>>  >client depicted in the email headers does not match the client
>>  >depicted in the logs?
>>  client? do you mean host?
>No. In Postfix-speak, the "client" is either the IP address or host
>of the machine connecting to the mail server. Example:
>Log: connect from mail2.dshield.org[]
>Config: smtpd_recipient_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     check_sender_access hash:/etc/postfix/access,
>. . .
>     check_client_access regexp:/etc/postfix/client_checks,
>I could reject the example with a Regular Expression in client_checks
>for either the IP address or the host. In other words, the host is a
>client -;)

OK, here is an example; below is a Postfix header:

Received: from oitc.com (musky.oitc.com [])....

My mailserver announces EHLO oitc.com and Postfix did a reverse 
lookup of and found musky.oitc.com. I would expect that 
the logs would show musky.oitc.com []

Given that mailservers can be multi-homed and (under BIND 9) so can 
PTR records, I would expect that there would be lots of times that the 
header and log FQDNs would be different.
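The header/log pair discussed above, as an added example that is not part of the original post or of Postfix itself: a small Python script that parses the first Postfix "Received:" line (EHLO name, reverse-DNS name, peer IP) and the matching "connect from" log line, correlates them by peer IP, and reports which names agree. The header and log samples are constructed (documentation addresses, made-up host names), since the real addresses are elided in the archived message; the function and field names are mine.

```python
"""Correlate a Postfix 'Received:' header with the smtpd 'connect from' log line.

Added example for the thread above, not code from the original post. The
samples at the bottom are constructed; host names and addresses are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Postfix writes the first Received: line as
#   Received: from <EHLO name> (<reverse-DNS name> [<peer IP>]) by ...
# The EHLO name is whatever the client sent; the name in parentheses is the
# server's own PTR lookup of the TCP peer address ("unknown" if there is none).
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>\S+)\s+\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)

# Postfix smtpd logs the same connection as:  connect from <reverse-DNS name>[<peer IP>]
CONNECT_RE = re.compile(r"connect from (?P<rdns>\S+)\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]")


@dataclass
class ClientIdentity:
    rdns: str            # name the server resolved from the peer IP (server-derived)
    ip: str              # TCP peer address as seen by the server for the completed session
    helo: Optional[str]  # name the client announced in EHLO/HELO (client-chosen, untrusted)


def parse_received(header: str) -> ClientIdentity:
    """Extract HELO name, reverse-DNS name and peer IP from a Postfix Received: header."""
    m = RECEIVED_RE.search(header)
    if m is None:
        raise ValueError("not a Postfix-style Received: header")
    return ClientIdentity(rdns=m.group("rdns"), ip=m.group("ip"), helo=m.group("helo"))


def parse_connect(logline: str) -> ClientIdentity:
    """Extract reverse-DNS name and peer IP from a Postfix 'connect from' log line."""
    m = CONNECT_RE.search(logline)
    if m is None:
        raise ValueError("not a Postfix 'connect from' log line")
    return ClientIdentity(rdns=m.group("rdns"), ip=m.group("ip"), helo=None)


def compare(header: str, logline: str) -> Dict[str, bool]:
    """Correlate header and log by peer IP and report which names agree.

    same_ip           -> the header's bracketed IP is the logged TCP peer
    same_rdns         -> the header's parenthesised name equals the logged client name
    helo_matches_rdns -> the client-chosen EHLO name equals the server's PTR result
    rdns_unknown      -> the server could not resolve the peer IP at all
    """
    h = parse_received(header)
    c = parse_connect(logline)
    return {
        "same_ip": h.ip == c.ip,
        "same_rdns": h.rdns == c.rdns,
        "helo_matches_rdns": h.helo == h.rdns,
        "rdns_unknown": h.rdns == "unknown",
    }


# Constructed samples modelled on the pair in the thread: EHLO says "example.com",
# the server's PTR lookup says "musky.example.com", and the log shows the PTR name.
SAMPLE_HEADER = (
    "Received: from example.com (musky.example.com [192.0.2.10])\n"
    "\tby mx.example.org (Postfix) with ESMTP id 0123456789\n"
    "\tfor <user@example.org>; Mon, 24 Apr 2006 12:15:40 -0400 (EDT)"
)
SAMPLE_LOG = "Apr 24 12:15:39 mx postfix/smtpd[4242]: connect from musky.example.com[192.0.2.10]"

# Same peer, but the PTR lookup failed: Postfix substitutes "unknown" in both places.
UNKNOWN_HEADER = "Received: from example.com (unknown [192.0.2.10])\n\tby mx.example.org (Postfix)"
UNKNOWN_LOG = "Apr 24 12:16:02 mx postfix/smtpd[4243]: connect from unknown[192.0.2.10]"

if __name__ == "__main__":
    for label, hdr, log in (("resolved", SAMPLE_HEADER, SAMPLE_LOG),
                            ("unresolved", UNKNOWN_HEADER, UNKNOWN_LOG)):
        print(label, compare(hdr, log))
```

The point the script makes concrete: the bracketed IP and the parenthesised name are both produced by the receiving server, so they line up with the log, while the EHLO name is whatever the client chose, so a mismatch between it and the PTR name is expected and is not by itself evidence of anything. Only the IP is a reliable key for joining header and log; any "client" policy such as check_client_access should key on that and on the server's own lookup result, never on the EHLO string.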