[CLUE-Tech] SMTP Envelope Question

Kirk Rafferty kirk at fpcc.net
Sun Nov 10 15:06:43 MST 2002


First, (and you probably know this already) Received: headers can
be easily inserted into a spam.  That's why you have to work your way
backwards from the Received: header that shows delivery to your machine.
Once you hit a Received: header that doesn't follow the trail, it's
a fake.

So, assuming that the Received: header you've provided is a real header,
the next rule is never trust the domain in a Received: header.  It can be
easily faked, because it's the domain that the mailserver is reporting
itself as.  What's much harder (impossible?) to fake is the IP address.
Again, assuming that the header you provided is real, it looks like the
spam originated (or at least relayed through) 156.148.56.6.  Don't be
thrown by the CERN ownership.  They're just as susceptible to bad
administrators as anyone else.  Or it could be a leased address.

The "(8.9.3/8.9.3)" part is the Sendmail version that the receiving machine
is reporting.

Regards,
Kirk

On Sun, Nov 10, 2002 at 02:34:01PM -0700, Jed S. Baer wrote:
> Hi Folks.
> 
> I thought I understood enough about SMTP headers to track spam back to the
> originating machine, and thus identify the owner of the IP address. This
> one has me scratching my head a bit.
> 
> Received: from redshift.com ([156.148.56.6])
>     by betades.freeserve.co.uk (8.9.3/8.9.3) with SMTP id 30243
> 
> The IP address 156.148.56.6 is owned by CERN. redshift.com has address
> 216.228.2.86. I have no idea what the (8.9.3/8.9.3) notation means.
> 
> Are spammers now using some hacked-up SMTP programs that forge data in the
> initial envelope, or going through servers which intentionally mis-resolve
> hosts/addresses?
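The backwards walk through the Received: chain that Kirk describes, as an added Python example that is not part of the original thread. The middle header is the one quoted in Jed's post; the other two hops, their host names and addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Hop:
    claimed_from: str        # name the sender announced (HELO): easily forged
    from_ip: Optional[str]   # address the receiving MTA actually saw: hard to forge
    by_host: str             # the receiving MTA's own name
    software: Optional[str]  # e.g. "8.9.3/8.9.3", the receiver's Sendmail version

HOP_RE = re.compile(r"from\s+(?P<claimed>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s*"
                    r"by\s+(?P<by>\S+)\s*(?:\((?P<sw>[^)]*)\))?")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(values: List[str]) -> List[Hop]:
    """Parse Received: values in message order (newest hop, i.e. delivery to you, first)."""
    hops = []
    for v in values:
        m = HOP_RE.search(" ".join(v.split()))  # unfold continuation lines
        if not m:
            continue
        ip = IP_RE.search(m.group("paren") or "")
        hops.append(Hop(m.group("claimed").lower(), ip.group(1) if ip else None,
                        m.group("by").lower(), m.group("sw")))
    return hops

def trusted_chain(hops: List[Hop]) -> List[Hop]:
    """Work backwards from delivery; stop at the first hop whose 'by' host is not
    the host the newer hop says it received from. Hops below the break are fakes."""
    chain = hops[:1]
    for prev, cur in zip(hops, hops[1:]):
        if cur.by_host != prev.claimed_from:
            break
        chain.append(cur)
    return chain

def origin_ip(hops: List[Hop]) -> Optional[str]:
    """IP of the oldest hop still on the trail; the claimed domain is never used."""
    chain = trusted_chain(hops)
    return chain[-1].from_ip if chain else None

# Constructed sample: the middle header is the one quoted in the post; the last
# is a planted header whose 'by' host does not continue the trail.
SAMPLE = [
    "from betades.freeserve.co.uk ([192.0.2.10]) by mail.example.net (8.12.6/8.12.6) with ESMTP id g1",
    "from redshift.com ([156.148.56.6])\n    by betades.freeserve.co.uk (8.9.3/8.9.3) with SMTP id 30243",
    "from mailhost.example.org ([203.0.113.7]) by relay.example.org (8.11.6/8.11.6) with ESMTP id x9",
]
```

Running `trusted_chain(parse_received(SAMPLE))` keeps the first two hops and drops the planted third one, so `origin_ip` reports 156.148.56.6 rather than anything derived from the redshift.com name.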
