On Fri, 28 Aug 2003, Bret Comstock Waldow wrote:

> If there's a definitive way to be sure of the origin of an email, I'd
> like to know that's so, and how to determine it.

Try a little test.

Mail yourself an absolutely minimal message by doing an smtp session
manually and see what arrives.  eg:

<bash>
[EMAIL PROTECTED] telnet a2.scoop.co.nz 25
Trying 203.96.152.68...
Connected to a2.scoop.co.nz.
Escape character is '^]'.
220 a2.scoop.co.nz ESMTP Sendmail; Fri, 29 Aug 2003 12:11:54 +1200 (NZST)
helo foobar
250 a2.scoop.co.nz Hello eth1383.nsw.adsl.internode.on.net [150.101.203.102], pleased to meet you
mail from: <andrew>
553 5.5.4 <andrew>... Domain name required for sender address andrew
mail from: <[EMAIL PROTECTED]>
250 2.1.0 <[EMAIL PROTECTED]>... Sender ok
rcpt to: <[EMAIL PROTECTED]>
250 2.1.5 <[EMAIL PROTECTED]>... Recipient ok
data
354 Enter mail, end with "." on a line by itself
.
250 2.0.0 h7T0BsgV076791 Message accepted for delivery
quit
221 2.0.0 a2.scoop.co.nz closing connection
Connection closed by foreign host.
</bash>


I then receive the following.  Exactly what you receive will depend
somewhat on which mail software you run.


<message>
Return-Path: <[EMAIL PROTECTED]>
Received: from foobar (eth1383.nsw.adsl.internode.on.net [150.101.203.102])
        by a2.scoop.co.nz (8.12.9/8.12.9) with SMTP id h7T0BsgV076791
        for <[EMAIL PROTECTED]>; Fri, 29 Aug 2003 12:12:30 +1200 (NZST)
        (envelope-from [EMAIL PROTECTED])
Date: Fri, 29 Aug 2003 12:11:54 +1200 (NZST)
From: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
To: undisclosed-recipients:;
X-Loop: [EMAIL PROTECTED]
X-Spam: unknown; 0.00; foobar:01 example:12 com:30
X-Bogosity: No, tests=bogofilter, spamicity=0.025957, version=0.13.7.2
X-DCC-SdV-Metrics: a2.scoop.co.nz 1179; Body=0
</message>


Looking at the Received header (the top one if there's more than one), you
can tell which machine delivered it to your server (150.101.203.102).
The name it reports for itself (foobar) might as well not be displayed,
and the name found by DNS lookup (eth1383.nsw.adsl.internode.on.net) may
not be reliable if the spammer has control over the appropriate DNS PTR
record.

The Date, From, To and Message-ID headers here have been added by my
system, but if they were present in the original, then they would have
been passed through un-modified.  They should not be relied upon.
Message-ID used to be a surprisingly good way to catch spammers out, but
that's a long time ago now.

All those X-* headers are added by my procmail rules or things added from
there.  Everything else is generated by my mail daemon based on the
limited info it received from the SMTP session.

This is the most important bit: *any* other header that might appear in
another received message was part of the body of the delivered message and
cannot be trusted.  It might be that the message has been relayed through
a basically trustworthy server whose headers you can trust, but then again
those headers might be spoofed.

You really don't have much you can rely on besides the IP of the machine
(from the Received header) which sent the email to your server.  In the
case of Sobig.F however, this is the IP of the infected machine.  That's
good information, but you still don't have a contact address for the user.
Supposing you want to chase this up, the only thing you can really do is
to chase down the owner of that block of IP addresses and ask them to pass
on the message.  They'll need the IP and the time when it happened (for
dynamic IPs).  They probably won't bother with it unless you send full
headers, and even then they get so many of these they may not bother
anyway.  Don't expect them to tell you what they do or don't do.

Andrew McNaughton




--

No added Sugar.  Not tested on animals.  May contain traces of Nuts.  If
irritation occurs, discontinue use.

-------------------------------------------------------------------
Andrew McNaughton           In Sydney
                            Working on a Product Recommender System
[EMAIL PROTECTED]
Mobile: +61 422 753 792     http://staff.scoop.co.nz/andrew/cv.doc



-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug

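As an added example (not part of Andrew's post or of any mail software he mentions), the script below applies the reasoning above to a constructed message: it walks the Received headers from the top, keeps only the hops stamped by servers you operate (a hypothetical `mx.example.org`), and reports the IP that handed the message to your infrastructure. Hops below that point, whatever they claim, came in as part of the message body and are returned separately as untrusted. It also includes a forward-confirmed reverse DNS check, since a PTR name alone can be set by whoever controls the address block; the resolver is injectable so the check can be exercised offline. All addresses, host names and the second, "trusted-looking" Received line are constructed for the example.

```python
import re
import socket
from email import message_from_string

# Constructed sample message (placeholder names and addresses). The top
# Received line has the same shape as the Sendmail 8.12 header quoted in
# the post; the second one is a forged hop a sender could include in the
# DATA phase to make the mail look relayed.
SAMPLE = """\
Return-Path: <sender@example.com>
Received: from foobar (host-1.isp.example.net [192.0.2.45])
        by mx.example.org (8.12.9/8.12.9) with SMTP id h7T0BsgV076791
        for <me@example.org>; Fri, 29 Aug 2003 12:12:30 +1200 (NZST)
        (envelope-from sender@example.com)
Received: from trusted-looking.example.com (trusted-looking.example.com [198.51.100.7])
        by relay.example.com (Postfix) with ESMTP id ABC123
        for <me@example.org>; Fri, 29 Aug 2003 12:10:00 +1200 (NZST)
Date: Fri, 29 Aug 2003 12:11:54 +1200 (NZST)
From: sender@example.com
To: undisclosed-recipients:;

"""

# Matches "from HELO (RDNS [IP]) by SERVER" and "from HELO ([IP]) by SERVER"
# (the latter is what Sendmail writes when there is no PTR record).
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_received(value):
    """Return {helo, rdns, ip, by} for one Received header, or None."""
    # Fold continuation lines into single spaces before matching.
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return None
    hop = m.groupdict()
    hop["by"] = hop["by"].lower()
    return hop


def delivering_hop(raw_message, our_hosts):
    """Split the Received chain into the last hop stamped by one of our
    own servers and the remaining hops, which cannot be trusted.

    our_hosts: set of lowercase host names that appear after "by" in
    headers written by servers you control.
    """
    msg = message_from_string(raw_message)
    # get_all preserves message order: index 0 is the most recent hop.
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    last_trusted = None
    untrusted = []
    for hop in hops:
        if last_trusted is None or not untrusted:
            if hop is not None and hop["by"] in our_hosts:
                last_trusted = hop
                continue
        untrusted.append(hop)
    return last_trusted, untrusted


def forward_confirmed(rdns, ip, resolve=socket.gethostbyname_ex):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to
    the connecting IP. A spammer who controls the PTR record cannot also
    make a third party's forward zone agree. `resolve` is injectable so
    the check can run without network access."""
    if not rdns:
        return False
    try:
        _, _, addrs = resolve(rdns)
    except OSError:
        return False
    return ip in addrs


if __name__ == "__main__":
    hop, rest = delivering_hop(SAMPLE, {"mx.example.org"})
    print("connecting IP :", hop["ip"])
    print("HELO name     :", hop["helo"], "(self-reported, ignore)")
    print("PTR name      :", hop["rdns"], "(verify with forward lookup)")
    print("untrusted hops:", [h["by"] for h in rest if h])
```

Only the `ip` field of the returned hop is evidence of where the message came from; `helo` is whatever the client typed, and `rdns` should be passed through `forward_confirmed` before being quoted in an abuse report.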