
2a. Analysis - Source - Open Relays and Proxies (was Re: FW: [Asrg] 0. General)

2003-10-24 13:33:26
Mark E. Mallett wrote:

On Fri, Oct 24, 2003 at 10:55:39AM +0200, Markus Stumpf wrote:

On Fri, Oct 24, 2003 at 01:20:33AM -0400, David Maxwell wrote:

No, you haven't thought that statement through.

Sure I have.

Every decent SMTP MTA adds a 'Received-by:' header, which includes the
IP of the host that made the SMTP connection. Even open relay MTAs add
this, so you'll still have the IP of the sender of the email.

No, you have the IP of the host that injected it to the first MTA that
recorded Received: headers.
This may be the host that injected the message, or this may be the
IP of an open proxy that made the connection to the SMTP port.

You may have such a Received line, but you can only believe the one
that is inserted by a mail server you operate or trust.  There's no
guarantee that any of the Received lines that appear in the header
received by such a trusted server (i.e., the Received lines after that
one) are legitimate.

You can tell what IP address gave it to your trusted server (and if you
know you can trust that one, you can follow one more level, and so forth).
But you can't tell anything beyond that.

Add to that mix various trojans and viruses, and that makes this statement even more true.

Asrg mailing list
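The rule Mark Mallett describes above (believe only the Received line stamped by a server you operate, follow one more hop only while the handing-off host is also yours, and treat everything below that as unverifiable) is what a forensic header walk implements. The following is an added example written for this archive page, not code posted by any participant. The message, hostnames (mailstore.example.org, mx1.example.org, relay.example.net, and so on) and addresses are constructed; the set of trusted hosts is an assumed operator configuration.

```python
import email
import re

# Constructed sample message (not from the thread). The first two Received
# lines were stamped by our own MTAs; the last two arrived inside the message
# and could have been written by anyone, including an open relay or proxy.
SAMPLE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
    by mailstore.example.org with ESMTP id abc123
    for <user@example.org>; Fri, 24 Oct 2003 10:00:02 +0200
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx1.example.org with SMTP id def456; Fri, 24 Oct 2003 10:00:01 +0200
Received: from innocent.example.com (innocent.example.com [203.0.113.5])
    by relay.example.net with SMTP; Fri, 24 Oct 2003 09:59:00 +0200
Received: from victim.example.com ([203.0.113.99])
    by innocent.example.com; Fri, 24 Oct 2003 09:58:00 +0200
From: someone@example.com
To: user@example.org
Subject: test

body
"""

# Same message with an extra forged hop that *claims* to be stamped by our
# mx1.example.org, placed where a sender-supplied header would end up.
FORGED = SAMPLE.replace(
    "Received: from innocent.example.com",
    "Received: from mailer.example.com ([203.0.113.42])\n"
    "    by mx1.example.org with SMTP; Fri, 24 Oct 2003 09:59:30 +0200\n"
    "Received: from innocent.example.com",
    1,
)

# Assumed operator configuration: the hosts whose Received stamps we believe.
TRUSTED = {"mailstore.example.org", "mx1.example.org"}

RE_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
RE_FROM = re.compile(r"^from\s+([A-Za-z0-9.-]+)")      # HELO name
RE_RDNS = re.compile(r"\(([A-Za-z0-9.-]+)\s*\[")       # "(rdns-name [ip])"
RE_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literal


def parse_received(value):
    """Pull the 'by' host, the peer host name and the peer IP out of one
    (already unfolded) Received header value."""
    by = RE_BY.search(value)
    helo = RE_FROM.match(value)
    rdns = RE_RDNS.search(value)
    ip = RE_IP.search(value)
    peer = rdns or helo
    return {
        "by": by.group(1) if by else None,
        "from_host": peer.group(1) if peer else None,
        "from_ip": ip.group(1) if ip else None,
        "raw": value,
    }


def trace_origin(raw_message, trusted_hosts):
    """Walk Received headers from the top (most recent stamp) downwards.

    A hop is believed only if it was stamped 'by' a host we operate AND it is
    the host that the previous believed hop says it received from; that second
    condition is what stops a sender-supplied line that merely names one of
    our servers from being trusted. Returns (origin_ip, believed_hops,
    unverified_hops) where origin_ip is the last peer address a believed hop
    recorded, i.e. the furthest point back the chain can be followed."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(" ".join(v.split()))
            for v in msg.get_all("Received", [])]
    origin_ip = None
    believed = []
    expected_by = None  # None for the first hop: our own delivery host
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted_hosts:
            return origin_ip, believed, hops[i:]
        if expected_by is not None and hop["by"] != expected_by:
            return origin_ip, believed, hops[i:]   # chain broken: forged stamp
        believed.append(hop)
        origin_ip = hop["from_ip"] or origin_ip
        expected_by = hop["from_host"]
    return origin_ip, believed, []


if __name__ == "__main__":
    for label, raw in (("clean", SAMPLE), ("forged", FORGED)):
        ip, ok, rest = trace_origin(raw, TRUSTED)
        print(f"{label}: last verifiable peer IP = {ip}; "
              f"{len(ok)} believed hop(s), {len(rest)} unverified hop(s)")
```

In both runs the walk stops at the hand-off from relay.example.net: that IP is the only one the trusted stamps vouch for, and the lines beneath it (the "innocent" relay, the "victim" host, or the forged "by mx1" line) are data the sender controlled. A lookup of the relay's address against a relay or proxy list is therefore the only check with a verifiable subject.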
