ietf-mxcomp

Re: How would SPF or Sender Id caught this one?

2004-07-31 08:51:45

On Sat, Jul 31, 2004 at 11:33:46AM -0400, Larry Seltzer wrote:
| This page (http://www.messagelevel.com/spoofing.cfm#spoofex) appears to
| have details on this particular phishing example, although nothing so
| straightforward as an actual message with headers. 

A message with headers would be most informative, plus a
description of what OS and TCP software the receiving server
was running.

http://lcamtuf.coredump.cx/newtcp/

If TCP sequence number spoofing remains a viable attack, we
can construct an ESMTP ECHO field of the following form:

  20040731-11:49:09 mengwong@dumbo:~% telnet dumbo 25
  Trying 208.210.125.24...
  Connected to dumbo.
  Escape character is '^]'.
  220 dumbo.pobox.com ESMTP Postfix
  EHLO dumbo.pobox.com
  250-dumbo.pobox.com
  250-PIPELINING
  250-SIZE 10240000
  250-VRFY
  250-ETRN
  250-ECHO 3yw4thwwhw345h2w35w9-huwtruhnsjbfdpsiodbnwaorghj
  250 8BITMIME
  MAIL FROM:<foo> SUBMITTER=<bar> ECHO=3yw4thwwhw345h2w35w9-huwtruhnsjbfdpsiodbnwaorghj
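The exchange sketched above, as an added simulation that is not part of the original message: a server that hands out a fresh ECHO token in its EHLO reply and refuses MAIL FROM unless the client reflects it, which a blind sender that never sees the server's replies cannot do. The token format, the 550 reply and the hostnames are assumptions of this example.

```python
import hmac
import secrets


class EchoSmtpServer:
    """Minimal ESMTP state machine for the proposed ECHO extension (assumed design)."""

    def __init__(self, hostname="dumbo.pobox.com"):
        self.hostname = hostname
        self.token = None          # token issued in the most recent EHLO reply
        self.mail_accepted = False

    def handle(self, line):
        verb, _, rest = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            # Fresh unpredictable token per EHLO; it travels only in our reply.
            self.token = secrets.token_urlsafe(32)
            return "\n".join([f"250-{self.hostname}", "250-PIPELINING",
                              f"250-ECHO {self.token}", "250 8BITMIME"])
        if verb == "MAIL":
            # Parse ESMTP parameters after the reverse-path (KEY=VALUE pairs).
            params = dict(p.split("=", 1) for p in rest.split()[1:] if "=" in p)
            supplied = params.get("ECHO", "")
            if self.token is None or not hmac.compare_digest(
                    supplied.encode(), self.token.encode()):
                return "550 5.7.1 ECHO token missing or does not match EHLO reply"
            self.mail_accepted = True
            return "250 2.1.0 Ok"
        return "502 5.5.2 Command not implemented"


def legitimate_session(server):
    """Client that reads the EHLO reply, extracts the token and reflects it."""
    ehlo = server.handle("EHLO client.example")
    token = next(l.split(" ", 1)[1] for l in ehlo.splitlines()
                 if l.startswith("250-ECHO "))
    return server.handle(f"MAIL FROM:<foo> SUBMITTER=<bar> ECHO={token}")


def blind_session(server):
    """Client modelling a sender that never sees replies (blind sequence-number
    spoofing): the token is unknown, so the best it can do is guess."""
    server.handle("EHLO client.example")   # reply goes to the spoofed address
    guess = secrets.token_urlsafe(32)
    return server.handle(f"MAIL FROM:<foo> ECHO={guess}")
```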