danny, real IP spoofing is extremely difficult and is ... involved. you don't go around spoofing IP addresses all day long. in fact, i have yet to see it myself.
however, faking your IP address during an SMTP session is as simple as pie. the downside is that you're not going to fool anybody. well, you're not going to fool people who know how to read headers. basically, there's one useful header you can trust: the received header. the received header can be forged, but forgeries always go "on top" of the real headers, which can't be removed or forged. you can easily detect where the email comes from by looking at the chain of receives. for example: this is what a normal received chain looks like. you are on host A. the person who sent you the email is on host E. Received from E by D Received from D by C Received from C by B Received from B by A here is what a forged received chain looks like. again, you're on host A, but the sender is on host Y. note the loss of continuity. Received from Y by Z Received from Z by C (3) Received from C by B (2) Received from B by A (1) the person at Y cannot delete headers (3), (2), and (1). this is a completely separate issue from what's contained in the From: header. that is completely forgable. forged headers will usually have the From: address pointing to a host different from Y. that's how you catch where forged email comes from. pete On Wed 03 Mar 04, 11:10 AM, Danny Webster > Pete, > > Good to know. What about the IP address, you can't even trust that can you > with IP spoofing can you? > > ----- Original Message ----- > From: "Peter Jay Salzman" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Wednesday, March 03, 2004 10:59 AM > Subject: Re: [vox-tech] Viruses > > > > danny, > > > > there is no such user. > > > > you can't trust the message-id field to give you a correct email > > address. that's one header that is under full control of the person > > sending the email. > > > > pete > > > > > > > > On Wed 03 Mar 04, 10:57 AM, Danny Webster: > > > I tried emailing the listed email address and it was returned, so I > think it > > > would be safe to eliminate this user: > > > [EMAIL PROTECTED] > > > > > > Here is my sendmail record: > > > Mar 3 04:44:52 basiclab sendmail[30372]: i23Ci2ES030372: > > > from=<[EMAIL PROTECTED]>, size=31379, class=-60, nrcpts=1, > > > msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, > > > relay=ns1.livepenguin.com [66.218.54.136] > > > > > > Danny > > > > -- > > Make everything as simple as possible, but no simpler. -- Albert Einstein > > GPG Instructions: http://www.dirac.org/linux/gpg > > GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D > > _______________________________________________ > > vox-tech mailing list > > [EMAIL PROTECTED] > > http://lists.lugod.org/mailman/listinfo/vox-tech > > _______________________________________________ > vox-tech mailing list > [EMAIL PROTECTED] > http://lists.lugod.org/mailman/listinfo/vox-tech -- Make everything as simple as possible, but no simpler. -- Albert Einstein GPG Instructions: http://www.dirac.org/linux/gpg GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D _______________________________________________ vox-tech mailing list [EMAIL PROTECTED] http://lists.lugod.org/mailman/listinfo/vox-tech