[Dshield] Can an SMTP Client be Spoofed?

Maxime Ducharme mducharme at cybergeneration.com
Mon Apr 24 19:26:36 GMT 2006

Yes, it can be hard to spoof a TCP connection
with new OSes; see some info on sf:

Email headers can simply be added to the mail before
sending it out; it can be hard to determine
if the header was correctly generated or spoofed.

Usually I only trust the last one, i.e. the one that my
SMTP server added when it received the email from the foreign

Some info on the "Received: " header:

Have a nice day


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On behalf of David Cary Hart
Sent: April 24, 2006 11:30
To: DShield General Discussion List
Subject: [Dshield] Can an SMTP Client be Spoofed?

While I realize that headers are subject to manipulation, I have
always assumed that the IP address of the connecting machine (as
represented in the mail log) has an extraordinary probability of
being correct. Is my assumption valid?

Getting back to the headers, has anyone seen a situation where the
client depicted in the email headers does not match the client
depicted in the logs?

Our DNSRBL - Eliminate Spam: http://www.TQMcube.com
Multi-RBL Check: http://www.TQMcube.com/rblcheck.php
The Dirty Dozen Spammiest Ranges: http://tqmcube.com/dirty12.php
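The check the reply above recommends, as an added example that is not from either poster: trust only the Received header your own MX stamped, read the connecting IP out of it, and compare it with the IP your mail log recorded for the same session. The message, the log line and the MX hostname mx.example.net are all constructed for the example.

```python
import email
import re
from email import policy

OUR_MX = "mx.example.net"  # hypothetical hostname of our own SMTP server
# Constructed sample: the top Received header was added by our MX when it took
# the connection from 203.0.113.7; the one below came inside the message.
RAW_MESSAGE = b"""\
Received: from mail.sender.example (mail.sender.example [203.0.113.7])
\tby mx.example.net (Postfix) with ESMTP id ABC123; Mon, 24 Apr 2006 11:30:00 -0400
Received: from trusted.bank.example (trusted.bank.example [198.51.100.9])
\tby mail.sender.example with ESMTP; Mon, 24 Apr 2006 11:29:00 -0400
From: alice@example.org
Subject: test

hello
"""
# The same message as it looked before our MX stamped it (foreign hop only).
FOREIGN_ONLY = RAW_MESSAGE.split(b"\n", 2)[2]
# Constructed Postfix-style smtpd log entry for the same delivery.
LOG_LINE = ("Apr 24 11:30:00 mx postfix/smtpd[1234]: ABC123: "
            "client=mail.sender.example[203.0.113.7]")

IP_BY = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\][^;]*?\bby\s+(\S+)")

def received_hops(raw):
    """(client_ip, receiving_host) for every Received header, newest first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = IP_BY.search(" ".join(value.split()))  # unfold, normalise spacing
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def connecting_ip_from_headers(raw, our_mx=OUR_MX):
    """Client IP from the newest Received header, but only if our MX wrote it.
    Headers below the top one came with the message and may be forged."""
    hops = received_hops(raw)
    return hops[0][0] if hops and hops[0][1] == our_mx else None

def connecting_ip_from_log(line):
    """Client IP from a Postfix-style 'client=host[ip]' log entry."""
    m = re.search(r"client=\S*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
    return m.group(1) if m else None

def header_matches_log(raw, line):
    """True when the trusted header hop and the mail log agree on the client."""
    ip = connecting_ip_from_headers(raw)
    return ip is not None and ip == connecting_ip_from_log(line)
```

The forged lower hop (198.51.100.9) is still visible through `received_hops`, but it never becomes the trusted answer because its `by` clause does not name our server.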
