[Dshield] Can an SMTP Client be Spoofed?

Maxime Ducharme mducharme at cybergeneration.com
Mon Apr 24 19:26:36 GMT 2006



Yes, it can be hard to spoof a TCP connection
with new OSes, see some info on sf:
http://www.securityfocus.com/infocus/1674

email headers can simply be added to the mail before
sending it out, it can be hard to determine
if the header was correctly generated or spoofed

usually I only trust the last one, i.e. the one that my
SMTP server added when it received the email from the foreign
host

some info on "Received: " header :
http://www.stopspam.org/email/headers.html

have a nice day

Maxime


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On behalf of David Cary Hart
Sent: April 24, 2006 11:30
To: DShield General Discussion List
Subject: [Dshield] Can an SMTP Client be Spoofed?

While I realize that headers are subject to manipulation, I have
always assumed that the IP address of the connecting machine (as
represented in the mail log) has an extraordinary probability of
being correct. Is my assumption valid?

Getting back to the headers, has anyone seen a situation where the
client depicted in the email headers does not match the client
depicted in the logs?

-- 
Our DNSRBL - Eliminate Spam: http://www.TQMcube.com
Multi-RBL Check: http://www.TQMcube.com/rblcheck.php
The Dirty Dozen Spammiest Ranges: http://tqmcube.com/dirty12.php
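
An added example, not part of the original messages: it trusts only the topmost "Received:" header (the one the receiving server wrote) and checks the client IP in it against the server's own mail log, which is the header-versus-log comparison asked about above. The hostname mx.example.org, the single inbound hop, the Postfix-style log line and all sample values are assumptions constructed for illustration.

```python
import email
import re

# Constructed sample: only the top Received line was written by the receiving
# server. The second one claims "by mx.example.org" but arrived with the message.
RAW = (
    "Received: from mail.sender.example (unknown [203.0.113.45])\n"
    "\tby mx.example.org (Postfix) with ESMTP id 4F1A2B3C\n"
    "\tfor <user@example.org>; Mon, 24 Apr 2006 15:30:02 +0000 (UTC)\n"
    "Received: from trusted-bank.example ([192.0.2.10])\n"
    "\tby mx.example.org with SMTP id FFFFFFFF; Mon, 24 Apr 2006 15:29:50 +0000\n"
    "Received: from [10.0.0.5] by trusted-bank.example; Mon, 24 Apr 2006 15:29:40 +0000\n"
    "From: alerts@trusted-bank.example\n"
    "Subject: constructed sample\n\nbody\n"
)
# Constructed Postfix-style smtpd log line for the same delivery.
LOG = "Apr 24 15:30:02 mx postfix/smtpd[2101]: 4F1A2B3C: client=unknown[203.0.113.45]\n"

OUR_MTA = "mx.example.org"  # assumption: the name our server writes after "by"

def parse_hop(value):
    """Return (by_host, client_ip, queue_id) for one Received header value."""
    flat = " ".join(value.split())  # unfold continuation lines
    by = re.search(r"\bby\s+([^\s;()]+)", flat)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", flat.split(" by ", 1)[0])
    qid = re.search(r"\bid\s+([0-9A-Za-z]+)", flat)
    return (by.group(1).lower() if by else None,
            ip.group(1) if ip else None,
            qid.group(1) if qid else None)

def trusted_hop(raw, our_mta=OUR_MTA):
    """Topmost hop if our MTA wrote it, else None; lower hops are never trusted."""
    hops = email.message_from_string(raw).get_all("Received", [])
    hop = parse_hop(hops[0]) if hops else None
    return hop if hop and hop[0] == our_mta else None

def log_client_ip(log, queue_id):
    """Client IP that smtpd logged for this queue id, or None."""
    if not queue_id:
        return None
    m = re.search(r"smtpd\[\d+\]: %s: client=\S*?\[([\d.]+)\]" % re.escape(queue_id), log)
    return m.group(1) if m else None

def header_matches_log(raw, log):
    """True only when the trusted header's client IP equals the logged one."""
    hop = trusted_hop(raw)
    return bool(hop and hop[1] and hop[1] == log_client_ip(log, hop[2]))
```

A header that merely names the local server after "by" is not enough on its own, which is why the queue id is looked up in the log before the IP is accepted.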
