funsec mailing list archives

Strange address in mail header


From: "Larry Seltzer" <larry () larryseltzer com>
Date: Fri, 13 Jan 2006 08:25:20 -0500

A friend of mine who sends out a mailing list through another friend's
service was getting some non-deliveries and asked me to look at these.
Here's the interesting part of the header with some of the addresses and
names blanked out to protect the innocent:

Received: from daa20725rs002.friend2domain.com
(daa20725rs002.friend2domain.com [aaa.bbb.ccc.ddd])
        by inbound-mx20.atl.registeredsite.com (8.12.11/8.12.11) with ESMTP
id k07DjJg8029294
        for <friend1 () friend1domain com>; Sat, 7 Jan 2006 08:45:21 -0500
Received: from daa10354www002 ([1.4.167.11]) by
daa20725rs002.friend2domain.com with Microsoft SMTPSVC(5.0.2195.6713);

Friend1domain, friend2domain and aaa.bbb.ccc.ddd are phony, but the header
really does indicate that 1.4.167.11 is the origin of the message, and this
address shows up as IANA reserved, the way I see it. (You can also see that
friend1 is an Interland customer, but I think that's irrelevant, because
friend2 is the one at issue.) 1.4.167.11 is spoofed, right?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com 


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
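
An added example, not part of the original post: a Python sketch that walks a Received chain like the one quoted above and classifies the client address each hop recorded. The names SAMPLE, ASSUMED_RESERVED, unfold, classify and received_hops are hypothetical, and the range list is an assumption: 1.0.0.0/8 is included only because the post reports that address as IANA reserved.

```python
import ipaddress
import re

# Constructed sample: the two Received lines from the post, with normal header folding.
SAMPLE = """\
Received: from daa20725rs002.friend2domain.com
 (daa20725rs002.friend2domain.com [aaa.bbb.ccc.ddd])
        by inbound-mx20.atl.registeredsite.com (8.12.11/8.12.11) with ESMTP
 id k07DjJg8029294
Received: from daa10354www002 ([1.4.167.11]) by
 daa20725rs002.friend2domain.com with Microsoft SMTPSVC(5.0.2195.6713);
"""

# Assumption: 1.0.0.0/8 is listed because the post reports it as IANA reserved.
ASSUMED_RESERVED = [ipaddress.ip_network(n) for n in (
    "1.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "from <helo> (<optional rDNS> [<client address>]) by <receiving host>"
HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([^\]]+)\]\)\s+by\s+(\S+)", re.I)

def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto their header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line.strip():
            headers.append(line.strip())
    return headers

def classify(addr):
    """Return 'unparseable', 'reserved' or 'routable' for a bracketed address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # e.g. the redacted aaa.bbb.ccc.ddd
        return "unparseable"
    return "reserved" if any(ip in net for net in ASSUMED_RESERVED) else "routable"

def received_hops(raw):
    """List hops top-down (newest first) with the client address each server recorded."""
    hops = []
    for header in unfold(raw):
        m = HOP.search(header) if header.lower().startswith("received:") else None
        if m:
            helo, addr, by = m.groups()
            hops.append({"helo": helo, "addr": addr, "by": by, "class": classify(addr)})
    return hops

if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop)
```

Each Received line is prepended by the server named after "by", so only lines written by servers the reader controls or trusts can be taken at face value.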

