Old August 2nd 07, 04:35 PM posted to microsoft.public.outlook
F. H. Muffman
what can be trusted in email header?

"hba2pd" wrote in message ups.com...
Hello,

In my previous posts, I got the following response

///////////////////
Peter Durkee wrote:
How can they fake this email header information?
They open up a telnet session and insert stuff there. I imagine people
created some software to do this too.
So it means that even if I run SPAMCOP to get information about the
originator of an email, this information is still not reliable and a
reasonably knowledgeable person can fake it.

There is information in the headers that you can trust, like the ip
address of the machine that handed off the message to your server, and
anything that happened after that transaction.


I'm not even sure I'd go so far as to say you can always trust the IP
address. While it is true the client can't tell the server that header and
the server is the one that has to put it in there, there are ways to fake a
source IP address.

And, even further, the originator isn't always the originator. Consider a
hacked machine running a bot. It could be an end user box, it could be a
server, but, that machine might be the one talking to the SMTP server. So,
they are the 'originator' of the message, but, they aren't the reason the
message exists. If that makes any sense.

That said, I'd trust being able to find the SMTP box that *accepted* the
message on the Internet...
////

I think there are two opinions, one says that the IP address can be
trusted, and the other which says that it cannot. Would you advise me
which opinions are reasonable?



Being one of the people who posted to that thread, both are actually
reasonable.

Truly faking an IP address is hard. But it can be done. I wouldn't expect
a fake IP address on a generic spam. If someone was attacking you, stalking
you, whatever, then I might be more concerned.

So, while you can assume (generally) that the IP address is correct in a
spam message, I would *not* assume that that message was *purposefully* sent
from that address. That machine may have been infected with a virus or a
worm that is now sending out spam messages without the user knowing.

--
f.h.
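The rule both replies agree on (trust the Received stamps your own servers added, and the peer address the first of them recorded, but nothing the sender handed you below that) as an added example that is not part of the thread. The message, hostnames and RFC 5737 addresses are constructed, and the set of "our" servers is an assumption.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample. The top two Received lines were stamped by servers we run;
# the third was supplied by the sending side and could have been written by anyone,
# so the "bank" hop proves nothing about where the message really came from.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by inbox.example.net with ESMTP; Thu, 2 Aug 2007 16:30:01 +0000
Received: from relay.bad-isp.example (unknown [198.51.100.7])
    by mx1.example.net with SMTP; Thu, 2 Aug 2007 16:29:58 +0000
Received: from mail.bank.example (mail.bank.example [203.0.113.5])
    by relay.bad-isp.example; Thu, 2 Aug 2007 16:29:50 +0000
Subject: constructed test message

body
"""

# Assumed: the mail hosts we operate, whose Received stamps we can vouch for.
TRUSTED = {"inbox.example.net", "mx1.example.net"}

RECEIVED_RE = re.compile(
    r"(?:from\s+(?P<from>\S+)\s*(?:\((?P<comment>[^)]*)\))?)?.*?\bby\s+(?P<by>[^\s;]+)",
    re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(value):
    """Split one Received header into the claimed from-host, the peer IP the
    stamping server saw, and the host that added the stamp ("by")."""
    m = RECEIVED_RE.search(re.sub(r"\s+", " ", value))
    if not m:
        return None
    ip = IP_RE.search(m.group("comment") or "")
    return {"from": m.group("from"), "ip": ip.group(1) if ip else None,
            "by": m.group("by")}

def handoff_ip(raw, trusted):
    """Walk Received stamps newest-first; stop trusting at the first stamp not
    added by one of our hosts. The IP our server recorded for the first
    non-trusted peer is the hand-off address: reliable as "who connected to
    us", not as proof of who authored the message (it may be a bot)."""
    msg = message_from_string(raw, policy=default)
    hops = [parse_received(str(v)) for v in msg.get_all("Received", [])]
    for i, hop in enumerate(hops):
        if hop is None or hop["by"] not in trusted:
            break  # stamped by a host we do not run: unverifiable from here down
        if hop["from"] not in trusted:
            return {"handoff_ip": hop["ip"], "trusted_hops": i + 1,
                    "unverified_hops": len(hops) - i - 1}
    return {"handoff_ip": None, "trusted_hops": 0, "unverified_hops": len(hops)}
```

Everything reported under `unverified_hops` is the part of the trail a telnet session or a bot can write freely; only `handoff_ip` was observed by a server you control.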
