[PLUG] What's Wrong With This IP Address?

Tim tim-pdxlug at sentinelchicken.org
Sun Apr 13 22:11:59 UTC 2008


> But to 
> the question "If a direct connection can be made with a spoofed IP 
> address ..." - this is email we are talking about, yes?  (a) It isn't 
> new, and (b) it is possible the IP has no relationship to the actual 
> point of origin.


Well... Here's my take on it.  The big question is: who added that
Received header?  Any number of forged Received headers are trivial to
add before the spammer sends it on to its destination or relay, but
once it is out of her control, the Received headers are usually
relatively trustworthy.  The big question is, what is the first
trustworthy Received header?  Remember these are stamped in a stack of
sorts, with the oldest toward the bottom.

Assuming you can trust the Received header (i.e. the server that stamped
it is trustworthy), then the likelihood of a spammer spoofing a TCP/SMTP
conversation is likely very low.  Provided you're using an even remotely
recent operating system, then you should have mostly unpredictable TCP
sequence numbers and an attacker would generally need to guess these in
the right order to keep the conversation alive long enough to complete
the transaction*.

Hope that answers your question on spoofing,
tim


* There are exceptions to this.  If the target mail server honors loose
  source routing, an attacker could spoof the source address while
  embedding her real address in the list of routers.  It is my
  impression that few, if any, hosts will allow this and certainly
  firewalls generally block these headers.  Within a local network
  these attacks are often still possible though.
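An added example (not part of the original post or the thread) of the header walk Tim describes: start at the newest Received header at the top, accept each hop as long as the server that stamped it ("by ...") is one you control, and stop at the first header stamped by a host you do not trust. The last accepted hop's bracketed address is the TCP peer your own server saw, which is the origin IP you can rely on; everything below it could have been typed in by the sender. The message, host names, addresses and the trusted-host list are all constructed for illustration.

```python
import re
from email import message_from_string
from typing import Dict, List, Optional, Set

# Constructed sample message (not from the original post).  Received headers
# are prepended as the mail travels, so the top one is the newest.  The two
# bottom headers were written by the sender before the message ever left
# her machine; mx.example.org is the first host we actually control.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.org (Postfix) with ESMTP id 1234
\tfor <user@example.org>; Sun, 13 Apr 2008 22:00:00 +0000
Received: from smtp.isp.example (unknown [203.0.113.44])
\tby mx.example.org (Postfix) with ESMTP id 5678
\tfor <user@example.org>; Sun, 13 Apr 2008 21:59:58 +0000
Received: from mail.bigbank.example (mail.bigbank.example [198.51.100.5])
\tby smtp.isp.example with ESMTP id abcd; Sun, 13 Apr 2008 21:58:00 +0000
Received: from localhost (localhost [127.0.0.1])
\tby mail.bigbank.example; Sun, 13 Apr 2008 21:57:00 +0000
From: alerts@bigbank.example
To: user@example.org
Subject: test

body
"""

# Hosts whose Received stamps we believe (assumed: the hosts we operate).
TRUSTED_HOSTS: Set[str] = {"mail.example.org", "mx.example.org"}

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> Dict[str, Optional[str]]:
    """Pull the 'from' host, the peer IP the stamping server recorded, and
    the 'by' host out of one (possibly folded) Received header value."""
    flat = re.sub(r"\s+", " ", value).strip()
    # Everything before ' by ' describes the connecting client; the
    # bracketed address there is what the stamping server saw on the socket.
    from_part, _, rest = flat.partition(" by ")
    m_from = re.match(r"from (\S+)", from_part)
    m_ip = IPV4_IN_BRACKETS.search(from_part)
    m_by = re.match(r"(\S+)", rest)
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1).rstrip(";,") if m_by else None,
    }


def received_hops(msg_text: str) -> List[Dict[str, Optional[str]]]:
    """All Received headers, newest first (top of the header block first)."""
    msg = message_from_string(msg_text)
    return [parse_received(h) for h in msg.get_all("Received", [])]


def last_trustworthy_hop(
    msg_text: str, trusted_hosts: Set[str]
) -> Optional[Dict[str, Optional[str]]]:
    """Walk the stack from the top.  Each header stamped by a trusted host
    gives a reliable 'from' address.  The first header stamped by a host we
    do not trust ends the chain of custody; that header and everything
    below it may be forged, so we stop there and return the hop above it."""
    last_trusted = None
    for hop in received_hops(msg_text):
        if hop["by"] not in trusted_hosts:
            break
        last_trusted = hop
    return last_trusted


if __name__ == "__main__":
    hop = last_trustworthy_hop(SAMPLE_MESSAGE, TRUSTED_HOSTS)
    if hop is None:
        print("no Received header was stamped by a host we trust")
    else:
        print(f"origin we can rely on: {hop['ip']} (claimed {hop['from']}),"
              f" as seen by {hop['by']}")
```

On the sample this stops at the hop stamped by mx.example.org and reports 203.0.113.44 as the connecting address, ignoring the bigbank.example hops below it. Note that the "from" host name is whatever the client said in HELO, and the parenthesised name (here "unknown") is the stamping server's reverse lookup; only the bracketed IP is the socket peer, which is why the walk keys on that.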


