[Dshield] Can an SMTP Client be Spoofed?

Witt, David A. DAVID.A.WITT at saic.com
Thu Apr 27 13:31:22 GMT 2006


As a general rule, only trust the portions of mail headers that your own
systems generate. All other parts of the header can be falsified, including
those that your ISP generates. Should you determine that your systems have
been compromised, not even those portions of the headers that the
compromised system generates can be trusted.

Allen Witt - MCSE+Messaging, CISSP
Network Security Administrator


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of David Cary Hart
Sent: Monday, April 24, 2006 11:30 AM
To: DShield General Discussion List
Subject: [Dshield] Can an SMTP Client be Spoofed?


While I realize that headers are subject to manipulation, I have always
assumed that the IP address of the connecting machine (as represented in the
mail log) has an extraordinary probability of being correct. Is my
assumption valid?

Getting back to the headers, has anyone seen a situation where the client
depicted in the email headers does not match the client depicted in the
logs?

-- 
Our DNSRBL - Eliminate Spam: http://www.TQMcube.com
Multi-RBL Check: http://www.TQMcube.com/rblcheck.php
The Dirty Dozen Spammiest Ranges: http://tqmcube.com/dirty12.php
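
An added example, not part of the original thread: one way to apply the rule from the reply above by walking the Received headers from the top and keeping only the hops your own MTAs stamped, stopping at the first hop whose connecting peer was external. It assumes Postfix-style Received lines; the hostnames, addresses and sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Assumptions for this example: the MTAs you operate, by name and by address.
OWN_HOSTS = {"mx1.example.org", "mail.example.org"}
OWN_IPS = {"10.0.0.5"}

# Constructed message, newest Received line first. The third line is forged by
# the sender to look like a hop through mx1; the fourth is the sender's claim.
SAMPLE = (
    "Received: from mx1.example.org (mx1.example.org [10.0.0.5])\n"
    "\tby mail.example.org with ESMTP id A1; Mon, 24 Apr 2006 11:30:05 -0400\n"
    "Received: from [192.0.2.10] (unknown [203.0.113.77])\n"
    "\tby mx1.example.org with SMTP id B2; Mon, 24 Apr 2006 11:30:03 -0400\n"
    "Received: from partner.example (partner.example [198.51.100.1])\n"
    "\tby mx1.example.org with ESMTP id C3; Mon, 24 Apr 2006 11:29:50 -0400\n"
    "Received: from internal.bank.example (internal.bank.example [192.0.2.10])\n"
    "\tby smtp.bank.example with ESMTP id D4; Mon, 24 Apr 2006 11:29:40 -0400\n"
    "From: someone@bank.example\n"
    "Subject: constructed test\n"
    "\n"
    "body\n"
)

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
# Postfix-style "(rdns [ip])" comment: the address the receiving MTA saw on the
# TCP connection. The token before it is the HELO string, which the client picks.
PEER_RE = re.compile(r"\(\S+\s+\[([0-9A-Fa-f.:]+)\]\)")


def trusted_hops(raw, own_hosts=OWN_HOSTS, own_ips=OWN_IPS):
    """Return (hops stamped by own MTAs, connecting IP at the boundary, ignored count)."""
    received = message_from_string(raw).get_all("Received") or []
    hops = []
    for value in received:
        by = BY_RE.search(value)
        if not by or by.group(1).lower() not in own_hosts:
            break  # not stamped by one of our systems
        peer = PEER_RE.search(value)
        ip = peer.group(1) if peer else None
        hops.append((by.group(1).lower(), ip))
        if ip not in own_ips:
            break  # peer was external: every header below came with the message
    boundary_ip = hops[-1][1] if hops else None
    return hops, boundary_ip, len(received) - len(hops)


if __name__ == "__main__":
    print(trusted_hops(SAMPLE))
```

The boundary address is the value to compare against the client IP in the mail log for the same queue ID; the ignored headers, including the one that names mx1, are sender-supplied text.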
