[Coco] yahoo groups

Gene Heskett gene.heskett at verizon.net
Fri Apr 20 20:21:38 EDT 2007


On Friday 20 April 2007, John E. Malmberg wrote:
>Roger Merchberger wrote:
>> Rumor has it that Gene Heskett may have mentioned these words:
>>> ... if the X-Originating-IP: header can be believed.
>>
>> Yes, but can it? Anything X* in the headers is optional, and it depends
>> on if *your* server is inserting that header, or if it's coming from the
>> other end of the SMTP conversation - if it's from the other end, it can
>> (and probably is) spoofed to try to look legit.
>>
>> What do your Received: headers say? Also, what are you running for an MTA?
>
fetchmail sucks from 3 accounts, and hands it off to procmail who applies a 
few rules and feeds most of it through spamd, then looks at what spamd 
thought of it and disposes of it accordingly.  The X-Originating-IP: is, if 
its there at all, the lowest in the header which I'd assume would be valid 
because all the intervening relays all add their fingerprints above the 
previous on in the chain.  Or at least that's the theory.

>X- headers that you did not add your self can not be trusted.  Spammers
>have been spoofing the commonly used ones for over a decade.
>
>Also the valid X headers that indicate originating I.P. is usually that
>of the user that connected to the mail server, not the mail server it
>self.  You can check if that I.P. is in a anti-spam database as part of
>the decision on how to process the e-mail.

That IP will, 95% of the time, resolve back to a yahoo.com server.

>What spammers can not spoof is the rDNS for the I.P. address that your
>mail server accepted the e-mail from.
>
> From what I have been told, it has been an RFC requirement that every
>server connected to the Internet have a valid rDNS.  In that if you do a
>lookup of the I.P. address, you get a name, and if you look up that
>name, you can find the original I.P. address.
>
>Unfortunately there are apparently a few major legitimate e-mail sources
>that are publishing broken rDNS values so you can not just reject all
>rDNS failures.  From the estimates I have seen, rejecting on bad rDNS
>will get you a noticeable false positive rate of between 1 and 10
>percent.  Sad, because fixing an rDNS problem is trivial for a network
>owner, and it is a trivial check which just about every commercial mail
>server product can enable.

Trivial, until some PHB assigns an intern to take care of it, and by the time 
he's done, half the net is spoofed.

>However, many major mail servers like AOL are now refusing e-mail from
>sources with no rDNS at all, and have been for quite some time.
>
>Do not expect the rDNS domain name to have any relationship to the
>domain name that the e-mail claims to come from.  While it is usually
>the same, in quite a few legitimate cases it is not.

The linux kernel mailing list being a case in point.

>Your mail server should be writing a line in the headers that shows the
>  host name that the sending mail server claimed to be (can be forged),
>and in parentheses, the rDNS name and the I.P. address of the sender
>which can not be forged.
>
Interesting.

>Every other line in the message header is suspect and can be forged.
>
>-John
>wb8tyw(at)qsl.net
>
Thanks John.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If fifty million people say a foolish thing, it's still a foolish thing.
		-- Bertrand Russell



More information about the Coco mailing list