on 7/31/04 8:33 AM, Larry Seltzer at larry(_at_)larryseltzer(_dot_)com wrote:
This page (http://www.messagelevel.com/spoofing.cfm#spoofex) appears to
have details on this particular phishing example, although nothing so
straightforward as an actual message with headers.
They have a stupid Flash movie here
(http://www.messagelevel.com/register/movies/ipspoofing.cfm) that
details some of the techniques.
Larry, I've looked at the log file excerpt in the Flash movie. While it is
presented as evidence that true IP spoofing occurred in the case of this
phishing example, the log file excerpt does not support that hypothesis.
The commentary in the flash movie claims that the excerpt shows an attempt
to deliver spam to the richmond.com mail server, however, I believe they
have misinterpreted the log. In my opinion the contents of the log show an
entirely valid SMTP transaction taking place in the opposite direction -
namely the richmond.com mail server connecting to a usbank.com mail server
in an attempt to deliver a bounce message, presumably because the spammer
forged the MAIL FROM to include reference a usbank.com address in a mail
handled by the richmond.com mail server.
-Richard