On Mon, Jan 19, 2004 at 05:57:53PM -0500, Keith Moore wrote:
I don't think it is an easy task to find information to add to the
hash.
offhand:
- subject field (perhaps truncated to XX bytes)
- message body
- source IP address and port
- precise date/time (not the Date header field)
- *maybe* some form of the envelope recipient list
But all of this can be used for replay attacks. Get an account at
big-email-provider-1 and send the spam mail to your address at
big-email-provider-2. Take the message and reinject it via a proxy
server by adding a fake Received: line and using a faked envelope sender
to make it look like a forward and a consitent chain of mailservers.
You can use the same message some thousand times with any of some
thousand open proxy servers and for any envelope recipient you like
(replay attack).
With Bcc mimic and multiple RCPT TOs in one stream it might be dangerous
or impossible to use some form of the envelope recipient list.
Maybe I am missing something, but I can't see how this helps making
the trace of the message more trustworthy than the Received lines only.
\Maex
--
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
proportional to the amount of vacuity between the ears of the admin"