[Dshield] Can an SMTP Client be Spoofed?

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Tue Apr 25 04:12:14 GMT 2006

On Mon, 24 Apr 2006 15:26:36 EDT, Maxime Ducharme said:
> Yes, it can be hard to spoof a TCP connection
> with new oses, see some info on sf :
> http://www.securityfocus.com/infocus/1674

Note that spoofing an IP address for a TCP connection *should* be
quite difficult if the server properly implements RFC1948:

1948 Defending Against Sequence Number Attacks. S. Bellovin. May 1996.
     (Format: TXT=13074 bytes) (Status: INFORMATIONAL)

However, many vendors don't seem to get this as right as you'd expect,
as Michael Zalewski discovered:


And a year later, things hadn't universally improved:


(Note that these papers date to 2001 and 2002 - anybody who wants to update
the results for 2006 are welcome to do so.  I suspect that things haven't
actually improved all that much since...)

> email headers can simply be added to the mail before
> sending it out, it can be hard to determine
> if the header was correctly generated or spoofed
> usually I only trust the last one, i.e. the one that my
> SMTP server added when it received the email from the foreign
> host

I usually trust the last 3-5 Received:s, because it can get that many
just flowing through our internal mailservers.  If I got the mail from a
"trusted" source, I'll likely trust a few more (for instance, for mail
from this list, I'll trust the giac.net-added headers *once* I verify that
my mailserver actually got it from there).  Usually I define "trusted" as
"Do I know where to find the sysadmin so I can open a can of whoop-ass on
him if I find out his box added a duff header?" :)
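The RFC 1948 scheme the post points at, placed beside the older counter-style generator it was written to replace, as an added Python example (this is not code from the post, from RFC 1948 or from any real TCP stack; the addresses, ports, secrets and BSD-style increments are constructed for illustration). It shows why one observed ISN is enough to spoof against a global counter, and why the same observation tells the spoofer nothing once a secret-keyed hash of the connection 4-tuple is mixed in:

```python
"""TCP initial sequence numbers: a predictable global counter next to an
RFC 1948 generator.  Added example; hosts, ports and secrets are constructed."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


class CounterISN:
    """Pre-RFC 1948 style: one counter shared by every connection, bumped per
    tick and per new connection.  Anyone who opens a legitimate connection
    observes the same counter the victim's connection will draw from."""
    PER_CONN = 64000    # constructed per-connection increment (BSD used values like this)
    PER_SEC = 128000    # constructed per-second increment

    def __init__(self, start=0):
        self.counter = start

    def next_isn(self, elapsed_s=0.0):
        self.counter = (self.counter + int(self.PER_SEC * elapsed_s)
                        + self.PER_CONN) & MASK32
        return self.counter


def predict_counter_isn(observed_isn, connections_between, elapsed_s):
    """What a spoofer computes after seeing the ISN on his own connection:
    replay the counter arithmetic forward to the victim's connection."""
    return (observed_isn + int(CounterISN.PER_SEC * elapsed_s)
            + CounterISN.PER_CONN * (connections_between + 1)) & MASK32


def rfc1948_isn(local_ip, local_port, remote_ip, remote_port, secret, clock_us):
    """ISN = M + F(localhost, localport, remotehost, remoteport, secret).
    M is the RFC 793 4-microsecond clock; F is MD5 (the hash RFC 1948 suggests)
    keyed with a secret that never appears on the wire."""
    h = hashlib.md5()
    h.update(f"{local_ip}:{local_port}|{remote_ip}:{remote_port}|".encode())
    h.update(secret)
    f = struct.unpack(">I", h.digest()[:4])[0]
    m = (clock_us // 4) & MASK32
    return (m + f) & MASK32


def rfc1948_offset(attacker_tuple, victim_tuple, secret, clock_us):
    """Distance between the ISN the attacker saw on his own connection and the
    ISN the server will hand the spoofed victim tuple at the same instant.
    The clock term M cancels, leaving F(victim) - F(attacker), which the
    attacker cannot compute without the secret."""
    a = rfc1948_isn(*attacker_tuple, secret, clock_us)
    v = rfc1948_isn(*victim_tuple, secret, clock_us)
    return (v - a) & MASK32


if __name__ == "__main__":
    # Constructed scenario: attacker connects, three other clients connect,
    # then the server answers a SYN spoofed from the victim's address.
    server = CounterISN(start=12345)
    seen = server.next_isn()
    for _ in range(3):
        server.next_isn()
    victim_isn = server.next_isn(elapsed_s=0.5)
    print("counter ISN, predicted:", predict_counter_isn(seen, 3, 0.5),
          "actual:", victim_isn)

    secret = b"\x00" * 16   # constructed; a real stack draws this at boot
    attacker = ("192.0.2.25", 25, "203.0.113.9", 40000)
    victim = ("192.0.2.25", 25, "198.51.100.7", 40000)
    for s in (secret, b"\x01" * 16):
        print("RFC 1948 offset under secret", s.hex()[:4], "...:",
              rfc1948_offset(attacker, victim, s, clock_us=1000))
```

RFC 1948 itself also notes the limit of the scheme: the same 4-tuple reused shortly after a connection closes still yields a nearby ISN, which is why the clock term is kept. The papers the post alludes to were about how well the F and M terms in shipping stacks actually behaved, which this toy does not model.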
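The Received: policy the post describes (trust the hops your own servers stacked on top, and extend trust to a list server's hops only once you have confirmed your MX really got the mail from it), as an added Python example that is not code from the post. The message, hostnames, addresses and queue IDs are constructed; the walk also adds two checks a practitioner would want, a continuity test between adjacent hops and a refusal to believe any hop claiming to be our MX after the mail had already left our network:

```python
"""Which Received: headers to believe.  Walk from the newest hop downward and
keep only hops written by servers we, or a verified peer, control.
Added example; the message and all hostnames are constructed."""
import email
import re

RECEIVED_RE = re.compile(r"^from\s+(?P<frm>[^\s(]+).*?\bby\s+(?P<by>[^\s(;]+)", re.I)

# Constructed message: two of our own hops, the hop where our edge MX took the
# mail from the list server, one hop the list server added, and a forged
# trailer pretending our MX received it from somewhere impressive.
MESSAGE = """\
Received: from mx2.example.edu (mx2.example.edu [192.0.2.20])
    by mail.example.edu with ESMTP id abc123
    for <user@example.edu>; Tue, 25 Apr 2006 00:12:20 -0400
Received: from mx1.example.edu (mx1.example.edu [192.0.2.10])
    by mx2.example.edu with ESMTP id def456; Tue, 25 Apr 2006 00:12:19 -0400
Received: from lists.giac.net (lists.giac.net [198.51.100.5])
    by mx1.example.edu with ESMTP id ghi789; Tue, 25 Apr 2006 00:12:18 -0400
Received: from sender-mx.example.net (sender-mx.example.net [203.0.113.7])
    by lists.giac.net (Postfix) with ESMTP id jkl012; Tue, 25 Apr 2006 00:12:15 -0400
Received: from whitehouse.gov (unknown [203.0.113.99])
    by mx1.example.edu with ESMTP id forged; Tue, 25 Apr 2006 00:12:10 -0400
From: someone@example.net
To: list@giac.net
Subject: test

body
"""


def hops(raw_message):
    """(from_host, by_host) per Received: header, newest first, as MTAs stack them."""
    msg = email.message_from_string(raw_message)
    out = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))   # unfold continuation lines
        out.append((m.group("frm").lower(), m.group("by").lower()) if m else (None, None))
    return out


def in_domains(host, domains):
    return host is not None and any(host == d or host.endswith("." + d) for d in domains)


def believable_hops(raw_message, our_domains, trusted_peers=()):
    """Return (kept_hops, origin): the hops we vouch for and the first host we cannot.

    Trust every hop our own servers added.  Once our edge MX took the mail from
    a host in a trusted peer domain, trust that peer's hops as well.  Stop at
    the first hop nobody trusted wrote, at any break in the chain (hop N's
    'from' must be hop N+1's 'by'), and at any hop claiming to be ours after
    the mail had already left our network, since that hop is forged."""
    kept = []
    trusted = list(our_domains)
    left_our_network = False
    prev_from = None
    for frm, by in hops(raw_message):
        if not in_domains(by, trusted):
            break
        if prev_from is not None and by != prev_from:
            break                       # chain discontinuity
        if left_our_network and in_domains(by, our_domains):
            break                       # someone downstream pretended to be our MX
        kept.append((frm, by))
        if not left_our_network and not in_domains(frm, our_domains):
            left_our_network = True     # this is the hop our edge MX received
            peer = [d for d in trusted_peers if in_domains(frm, [d])]
            trusted = list(our_domains) + peer
        prev_from = frm
    origin = kept[-1][0] if kept else None
    return kept, origin


if __name__ == "__main__":
    kept, origin = believable_hops(MESSAGE, ["example.edu"], trusted_peers=["giac.net"])
    for frm, by in kept:
        print(f"  {by:<22} <- {frm}")
    print("first host we cannot vouch for:", origin)
```

Without giac.net in trusted_peers the walk stops after our three hops and names lists.giac.net as the origin; with it, the list server's hop is accepted too, and the forged "by mx1.example.edu" trailer is rejected either way.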