Discussion:
about spoofed email header(Received From field)
Monty Ree
2005-04-20 06:20:40 UTC
Hello, all.

I have received so many spam mails.
So I have been looking at the e-mail header (Received From: field) to see from which
IP the e-mail was sent.

For example, I have received this spam mail today.

###### mail header #######
Return-Path: <***@hfejkkd.net>
Received: from mail.xxx.com ([211.xx.xx.xx])
by tt.co.kr (8.11.6/8.11.6) with ESMTP id j3J1QsK15121
for <***@xxx.com>; Tue, 19 Apr 2005 10:26:54 +0900
Received: from 211.198.142.138 ([211.198.142.138])
by mail.xxx.com (8.11.6/8.11.6) with SMTP id j3J1R7p12967
for <***@xxx.com>; Tue, 19 Apr 2005 10:27:07 +0900
Received: from 244.31.48.232 by ; Sat, 16 Apr 2005 06:23:30 -0700
Message-ID: <***@yahoo.com>


and the first Received field looks like this...

Received: from 244.31.48.232 by ; Sat, 16 Apr 2005 06:23:30 -0700

Yes, 244.31.48.232 is not assigned, so I think that this mail header is
spoofed!!
If so, a spammer can use an assigned IP too, to spoof the e-mail header
instead of an unassigned IP.

So it is meaningless to track a spammer by using the "Received From: " mail
header field, because he can make lots of spoofed "Received From" fields
using real IPs.
So, tracking a spammer is impossible or hard, right?

Is there any good method or howto to distinguish a spoofed e-mail header from
a real e-mail header?


Thanks in advance.

John Andersen
2005-04-20 08:10:41 UTC
Post by Monty Ree
Hello, all.
I have received so many spam mails.
So I have been looking at the e-mail header (Received From: field) to see from which
IP the e-mail was sent.
For example, I have received this spam mail today.
###### mail header #######
Received: from mail.xxx.com ([211.xx.xx.xx])
by tt.co.kr (8.11.6/8.11.6) with ESMTP id j3J1QsK15121
Received: from 211.198.142.138 ([211.198.142.138])
by mail.xxx.com (8.11.6/8.11.6) with SMTP id j3J1R7p12967
Received: from 244.31.48.232 by ; Sat, 16 Apr 2005 06:23:30 -0700
and the first Received field looks like this...
Received: from 244.31.48.232 by ; Sat, 16 Apr 2005 06:23:30 -0700
Yes, 244.31.48.232 is not assigned, so I think that this mail header is
spoofed!!
If so, a spammer can use an assigned IP too, to spoof the e-mail header
instead of an unassigned IP.
So it is meaningless to track a spammer by using the "Received From: " mail
header field, because he can make lots of spoofed "Received From" fields
using real IPs.
So, tracking a spammer is impossible or hard, right?
Is there any good method or howto to distinguish a spoofed e-mail header from
a real e-mail header?
The first (bottom-most) Received header should never be believed.
The top-most Received header usually IS reliable (assuming you are running your
own Mail Transfer Agent, sendmail or postfix or some such).

The ones in between have to be evaluated manually. In your case
the bottom-most one (first one) looks bogus to me even if it had
a proper IP.
--
_____________________________________
John Andersen
M***@hbinc.com
2005-04-20 18:51:32 UTC
Post by John Andersen
Post by Monty Ree
Hello, all.
I have received so many spam mails.
So I have been looking at the e-mail header (Received From: field) to see
from which IP the e-mail was sent.
For example, I have received this spam mail today.
###### mail header #######
Received: from mail.xxx.com ([211.xx.xx.xx])
by tt.co.kr (8.11.6/8.11.6) with ESMTP id j3J1QsK15121
This one is probably the one added by YOUR mail server.
As such you can believe the IP address (211.xx.xx.xx) - THAT is most likely the spammer's IP.
Post by John Andersen
Post by Monty Ree
Received: from 211.198.142.138 ([211.198.142.138])
by mail.xxx.com (8.11.6/8.11.6) with SMTP id j3J1R7p12967
This one was already on the email when your mail server got it. Don't believe it for a second.
Post by John Andersen
Post by Monty Ree
Received: from 244.31.48.232 by ; Sat, 16 Apr 2005 06:23:30 -0700
This is just way off base.
Post by John Andersen
Post by Monty Ree
and the first Received field looks like this...
Received: from 244.31.48.232 by ; Sat, 16 Apr 2005 06:23:30 -0700
Yes, 244.31.48.232 is not assigned, so I think that this mail header
is spoofed!! If so, a spammer can use an assigned IP too, to spoof the
e-mail header instead of an unassigned IP.
So it is meaningless to track a spammer by using the "Received From: " mail
header field, because he can make lots of spoofed "Received From"
fields using real IPs. So, tracking a spammer is impossible or hard,
right?
Is there any good method or howto to distinguish a spoofed e-mail
header from a real e-mail header?
The first (bottom-most) Received header should never be believed.
The top-most Received header usually IS reliable (assuming you are
running your own Mail Transfer Agent, sendmail or postfix or some
such).
If you're running your own MTA, this will have the IP of the machine that sent it the mail.
Post by John Andersen
The ones in between have to be evaluated manually.
I usually don't bother. The IP of the machine that talked to my machine is all that I usually need.

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
John Andersen
2005-04-21 07:30:07 UTC
Post by M***@hbinc.com
Post by John Andersen
The top-most Received header usually IS reliable (assuming you are
running your own Mail Transfer Agent, sendmail or postfix or some
such).
If you're running your own MTA, this will have the IP of the machine that sent it the mail.
I said usually. I meant usually.
Because SMTP is a simple protocol all done over a single socket,
it is possible for someone on the same subnet to spoof their IP
when they make the connection.
--
_____________________________________
John Andersen
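The rule the thread converges on (believe only the Received line your own MTA stamped, treat every line below it as sender-supplied) can be applied mechanically. The following is an added example, not code from any poster; it parses the header block quoted above (masked values kept as Monty posted them), takes the local MTA name `tt.co.kr` from that block, and flags the bottom line both for its empty `by` clause and for its address lying in the reserved 240.0.0.0/4 range.

```python
import ipaddress
import re

# Constructed from the header block quoted in the thread; masked values
# (211.xx.xx.xx, ***) are kept exactly as the original poster wrote them.
SAMPLE_HEADERS = """\
Received: from mail.xxx.com ([211.xx.xx.xx])
 by tt.co.kr (8.11.6/8.11.6) with ESMTP id j3J1QsK15121
 for <***@xxx.com>; Tue, 19 Apr 2005 10:26:54 +0900
Received: from 211.198.142.138 ([211.198.142.138])
 by mail.xxx.com (8.11.6/8.11.6) with SMTP id j3J1R7p12967
 for <***@xxx.com>; Tue, 19 Apr 2005 10:27:07 +0900
Received: from 244.31.48.232 by ; Sat, 16 Apr 2005 06:23:30 -0700
"""

# "from <host> ([<addr>]) by <host>"; the by-host may be empty (as in the
# bogus bottom line), so it is matched as anything up to a space or ';'.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(\S+)(?:\s+\(\[?([^\]\)]+)\]?\))?\s+by\s+([^\s;]*)")

def parse_received(headers):
    """Received hops top-down (most recent first); folded lines are joined first."""
    unfolded = re.sub(r"\n[ \t]+", " ", headers)
    hops = []
    for line in unfolded.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            hops.append({"from": m.group(1), "addr": m.group(2), "by": m.group(3)})
    return hops

def is_reserved(addr):
    """True for a literal address in the reserved 240/4 block; masked values -> False."""
    try:
        return ipaddress.ip_address(addr).is_reserved
    except ValueError:
        return False

def classify(headers, my_mta):
    """Trust only the hop stamped 'by' my own MTA; its 'from' address is the peer
    that really connected (usually, as the thread notes). Hops below it were
    already inside the message on arrival and may be forged."""
    verdicts, below = [], False
    for hop in parse_received(headers):
        mine = not below and hop["by"] == my_mta
        verdict = "trusted-peer" if mine else ("untrusted" if below else "above-my-mta")
        below = below or mine
        flags = [f for f, bad in (("missing-by", not hop["by"]),
                                  ("reserved-ip", is_reserved(hop["addr"] or hop["from"]))) if bad]
        verdicts.append((hop["from"], verdict, flags))
    return verdicts
```

Running `classify(SAMPLE_HEADERS, "tt.co.kr")` marks only the `mail.xxx.com` hop as the trusted peer; the two lines beneath it come back untrusted, and the last one additionally carries the `missing-by` and `reserved-ip` flags.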