At 11:14 2003-01-08 -0500, Jefferis Peterson did say:
I presume the following has a forged header, but I'm trying to determine the
logic of it so that I can visually detect them.
> Received: (qmail 16498 invoked from network); 7 Jan 2003 10:50:02 -0000
> Received: from unknown (HELO 218.252.28.15) (64.59.34.99)
> by foma.pair.com with SMTP; 7 Jan 2003 10:50:02 -0000
> Received: from unknown (170.127.231.172) by smtp013.mail.yahoo.com with local;
> Jan, 07 2003 2:51:34 AM +0400
> Received: from unknown (77.222.200.106) by rly-xw01.mx.aol.com with SMTP;
> Jan, 07 2003 1:52:32 AM +0300
> Received: from [203.186.145.225] by hotmail.com (3.2) with ESMTP id
> MHotMailBE7297E1009B400437E7CBBA91E10D0B0; Jan, 07 2003 12:55:41 AM +0700
Ask yourself: since when does an RFC-style timestamp indicate AM or
PM? Also, the bogus timestamps aren't in sync with one another - I could
accept a few minutes apart, but this claims it was sent to hotmail at 12:55
pacific, and arrived at aol at 1:52 eastern. Or that's what they'd like
you to think - AOL servers have always shown eastern timestamps
(headquartered in VA), but that's -0300, not +0300, so the polarity of the
timestamps is whacked as well.
Assuming they were valid timestamps, the mail originated at 5:55pm GMT on
06 JAN, then passed to "aol" at 10:52pm, then along to "yahoo" almost
immediately, but then arrived at pair.com *12* hours later?
The timeshifts would be difficult to whip up a simple procmail recipe for
(though in the long haul, it'd be an interesting recipe to see), but the AM
designation should be a dead giveaway.
The following should probably catch it:
* ^Received: .*(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec),\>+[0-9]+\>+[0-9][0-9][0-9][0-9]\>+[0-9]+:[0-9][0-9]:[0-9][0-9]\>+(AM|PM)\>+(-|\+)[01][0-9][03]0
The 218.252.28.15 is the origin of this spew, the rest of it was included
to be misleading.
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
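The two tells the post walks through (AM/PM in a Received timestamp, and hop times that do not line up once normalised to UTC) are easy to check outside procmail. The script below is an added example, not part of the post or of procmail: it re-joins the five Received lines quoted above (wrapping undone, "Received:" prefix dropped) as a constructed sample, parses both the RFC 2822 date form and the forger's "Jan, 07 2003 2:51:34 AM +0400" form, converts each stamp to UTC, and reports AM/PM stamps, hops that claim to be earlier than the hop below them, and gaps longer than a few hours. The function names, the 6-hour gap threshold and the 5-minute skew tolerance are this example's own choices; the "a few minutes apart" allowance follows the post. It does not attempt the AOL eastern-time polarity check, which needs knowledge of what zone a given server really stamps in.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the Received chain quoted in the post, top (latest hop)
# to bottom (earliest hop), with the mail client's line wrapping undone.
SAMPLE_RECEIVED = [
    "(qmail 16498 invoked from network); 7 Jan 2003 10:50:02 -0000",
    "from unknown (HELO 218.252.28.15) (64.59.34.99) by foma.pair.com "
    "with SMTP; 7 Jan 2003 10:50:02 -0000",
    "from unknown (170.127.231.172) by smtp013.mail.yahoo.com with local; "
    "Jan, 07 2003 2:51:34 AM +0400",
    "from unknown (77.222.200.106) by rly-xw01.mx.aol.com with SMTP; "
    "Jan, 07 2003 1:52:32 AM +0300",
    "from [203.186.145.225] by hotmail.com (3.2) with ESMTP id "
    "MHotMailBE7297E1009B400437E7CBBA91E10D0B0; Jan, 07 2003 12:55:41 AM +0700",
]

MONTHS = {name: num for num, name in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

# RFC 2822 date-time as real MTAs write it: "[Tue, ]7 Jan 2003 10:50:02 -0000"
RFC_DATE = re.compile(
    r"(?:[A-Za-z]{3},\s*)?(\d{1,2})\s+([A-Za-z]{3})\s+(\d{4})\s+"
    r"(\d{1,2}):(\d{2}):(\d{2})\s+([+-])(\d{2})(\d{2})\s*$")

# The forger's style seen in the post: "Jan, 07 2003 2:51:34 AM +0400"
AMPM_DATE = re.compile(
    r"([A-Za-z]{3}),\s*(\d{1,2})\s+(\d{4})\s+(\d{1,2}):(\d{2}):(\d{2})\s+"
    r"(AM|PM)\s+([+-])(\d{2})(\d{2})\s*$", re.IGNORECASE)


def parse_stamp(received):
    """Return (stamp_in_utc, used_am_pm) for one Received line's date part."""
    date_part = received.rsplit(";", 1)[1].strip()
    m = RFC_DATE.search(date_part)
    if m:
        day, mon, year, hh, mm, ss, sign, oh, om = m.groups()
        hour, used_am_pm = int(hh), False
    else:
        m = AMPM_DATE.search(date_part)
        if not m:
            raise ValueError("unparseable date: " + date_part)
        mon, day, year, hh, mm, ss, tag, sign, oh, om = m.groups()
        # 12-hour clock: 12:xx AM is hour 0, 12:xx PM is hour 12
        hour = int(hh) % 12 + (12 if tag.upper() == "PM" else 0)
        used_am_pm = True
    offset = timedelta(hours=int(oh), minutes=int(om))
    if sign == "-":
        offset = -offset
    local = datetime(int(year), MONTHS[mon.lower()], int(day), hour,
                     int(mm), int(ss), tzinfo=timezone(offset))
    return local.astimezone(timezone.utc), used_am_pm


def audit_received_chain(received_lines, max_gap_hours=6,
                         skew_tolerance_minutes=5):
    """Flag the tells from the post: AM/PM stamps, hops that claim to be
    earlier than the hop below them (beyond a small clock-skew allowance),
    and implausibly long delays between hops.  Returns (index, finding)
    pairs, where index 0 is the topmost (most recent) Received line."""
    findings, stamps = [], []
    for idx, line in enumerate(received_lines):
        utc, used_am_pm = parse_stamp(line)
        stamps.append(utc)
        if used_am_pm:
            findings.append((idx, "am_pm_timestamp"))
    # Walk from the earliest hop (bottom) upward: each stamp should be no
    # earlier than the one below it, and not hours later either.
    tolerance = timedelta(minutes=skew_tolerance_minutes)
    for idx in range(len(stamps) - 1, 0, -1):
        delta = stamps[idx - 1] - stamps[idx]
        if delta < -tolerance:
            findings.append((idx - 1, "earlier_than_previous_hop"))
        elif delta > timedelta(hours=max_gap_hours):
            hours = round(delta.total_seconds() / 3600)
            findings.append((idx - 1, "gap_%dh" % hours))
    return findings


if __name__ == "__main__":
    for idx, finding in audit_received_chain(SAMPLE_RECEIVED):
        print("hop %d: %s" % (idx, finding))
```

On the quoted chain this reports the three AM/PM stamps (hops 2, 3 and 4) and a roughly 12-hour gap before the pair.com hop; the yahoo stamp is 58 seconds behind the aol stamp below it, which the default tolerance lets through and a tolerance of 0 flags.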