On Friday 05 September 2003 05:38 pm, rikona wrote:
> Hello Bryan (alias rikona supposedly at 66.32.127.184), :-)
>
> Friday, September 5, 2003, 2:14:53 PM, you wrote:
>
>> If you get one from 'you', I'd like to see all the headers to shed
>> some light on how it spoofs 'you'.
>
> r> Like this.
>
> Sorry - I guess I wasn't clear on this. I understand how to spoof just
> the From: header. By "from", I meant the originating IP address in the
> headers - the person it is REALLY from. :-) [still trying to check out
> the cached-routing idea]
Based on the headers I have seen on two of the virus messages, both forwarded by someone on the list, I haven't seen it spoof any IP addresses, only the From line.

> If it doesn't violate your terms of service, it might be interesting
> to try spoofing an IP and see what you get back. My ISP takes an
> exceedingly dim view of such things.

Well, I could probably send you a message that would render me completely anonymous, relayed through three or four foreign proxy servers chained together, with only the last one showing up in the SMTP headers. There is software available for both Windows and Linux that allows that, and I do have it. That would mean that the only way to track me would be to follow the IP to the open relay (many available in China, etc.), follow that to the last proxy, get the logs, follow to the next and so on, but that would still not really constitute spoofing IPs.

I could try to spoof a totally different IP from my ISP's network by installing a second ethernet card, creating a second interface for that one, setting the IP locally and maybe even routing through an open proxy on that one to deliver a spoofed IP, but I am thinking that the net range would still be detectable since the traffic has to go both ways, and I have no way to hijack the DNS, although I have seen this done. For me to do it, I would have to try to locate a real domain with an insecure DNS, and that would be violating several US as well as international laws, so I wouldn't really do that unless I had the sysadmin's permission.

And, I could send a message with fake header lines inserted to try to mask my actual origin, but I don't see what that would really prove, since I have seen all of those things done before and there are still ways to trace the origin provided you want to follow it enough and get local administrators to help.

I still don't think that a virus is intelligent enough to do any of these things, though.

--
Bryan Phinney
Software Test Engineer
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
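The thread turns on reading the Received: chain rather than the From: line to find where a message really came from, and on the fact that a sender can prepend fake Received: lines to muddy that chain. Below is an added example (not code from the original thread or from either poster) that walks the Received: headers of a constructed message top-down, starting from the line written by the server you trust, stops at the first hop whose "by" host does not match the "from" host of the hop above it, and treats everything below that break as unverified. The message, hostnames, IDs and IP addresses are all made up for the example (documentation ranges); in practice a mismatch is often just HELO or reverse-DNS noise rather than forgery, so the break marks where verification ends, not proof of tampering.

```python
import re
from collections import namedtuple
from email import message_from_string

# One SMTP hop as recorded in a Received: header.
Hop = namedtuple("Hop", "from_host from_ip by_host")

# "from <host> (<comment with [ip]>) by <host> ..." - the only parts we need.
RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample (not a real capture). Each MTA prepends its own Received:
# line, so the top line is the newest hop and the bottom one the oldest.
# The From: line claims to be a list member; the oldest real hop shows the
# actual originating address, 203.0.113.42.
REAL_HOPS = """\
Received: from mx1.example-isp.net (mx1.example-isp.net [198.51.100.7])
\tby lists.example.org (Postfix) with ESMTP id 1A2B3C
\tfor <list@example.org>; Fri, 5 Sep 2003 17:40:02 -0700 (PDT)
Received: from relay.example-isp.net (relay.example-isp.net [198.51.100.23])
\tby mx1.example-isp.net with ESMTP id 7Z8Y9X; Fri, 5 Sep 2003 17:39:55 -0700
Received: from dialup-42.example-cable.net ([203.0.113.42])
\tby relay.example-isp.net with SMTP id Q1W2E3; Fri, 5 Sep 2003 17:39:41 -0700
"""

# A Received: line the sender typed in before handing the mail off, to suggest
# the message started somewhere else. Its "by" host matches nothing above it.
FORGED_HOP = """\
Received: from mail.victim.example (mail.victim.example [192.0.2.5])
\tby smtp.victim.example with ESMTP id FAKE01; Fri, 5 Sep 2003 17:30:00 -0700
"""

TAIL = """\
From: rikona <rikona@example.net>
To: list@example.org
Subject: Re: virus
Message-ID: <20030905173941.1234@dialup-42.example-cable.net>

body
"""

SAMPLE_MESSAGE = REAL_HOPS + TAIL
SAMPLE_FORGED = REAL_HOPS + FORGED_HOP + TAIL


def parse_received(value):
    """Turn one Received: header value into a Hop, or None if it has no from/by."""
    text = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.match(text)
    if not m:
        return None
    ip = IP_RE.search(m.group("rest"))  # bracketed literal the receiving MTA saw
    return Hop(m.group("from"), ip.group(1) if ip else None, m.group("by").rstrip(";,"))


def received_hops(raw_message):
    """All Received: hops, newest first, in the order they appear in the message."""
    msg = message_from_string(raw_message)
    hops = (parse_received(v) for v in msg.get_all("Received", []))
    return [h for h in hops if h is not None]


def trace_origin(raw_message):
    """Walk the chain from the trusted top line downward.

    A hop is trusted only if its "by" host is the "from" host of the hop
    above it (i.e. the server above really received from it). The "from"
    IP of the last trusted hop is the best evidence of origin; hops below
    the break could have been written by the sender.
    Returns (origin_ip, trusted_hops, unverified_hops).
    """
    hops = received_hops(raw_message)
    trusted = []
    for i, hop in enumerate(hops):
        if i > 0 and hop.by_host.lower() != hops[i - 1].from_host.lower():
            break
        trusted.append(hop)
    origin = trusted[-1].from_ip if trusted else None
    return origin, trusted, hops[len(trusted):]


def claimed_sender(raw_message):
    """The From: line, which is whatever the sender chose to put there."""
    return message_from_string(raw_message).get("From")


if __name__ == "__main__":
    for label, raw in (("plain", SAMPLE_MESSAGE), ("with forged hop", SAMPLE_FORGED)):
        origin, trusted, unverified = trace_origin(raw)
        print(f"{label}: From: {claimed_sender(raw)}")
        print(f"  origin {origin} via {len(trusted)} verified hops, "
              f"{len(unverified)} unverified below the break")
```

Running the script shows the same origin address for both messages: the forged line at the bottom is cut off by the chain check because no server above it claims to have received from "smtp.victim.example". Once you have the origin IP, the rest is what the thread describes: whois the netblock and ask that network's admin for their logs, or, if it is an open relay or proxy, repeat the exercise one hop back.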