[Esd-l] Spoofed email addresses
John D. Hardin
jhardin at impsec.org
Fri Jun 14 07:12:01 PDT 2002
On Fri, 14 Jun 2002, Paul Ferwerda wrote:

> From looking at the headers it looks like the Return-Path was
> forged. Is there any way to deal with this short of not
> notifying?

There's a limit to how smart the sanitizer can be made, and you can
only really catch forgery of invalid addresses. If a worm running at
ferwerda.net forges the sender address as <paul at ferwerda.net>, how can
you (even manually) tell that's not valid?

> >> > From Culsart at azstarnet.com Thu Jun 13 17:38:58 2002
> >> > Return-Path: <Culsart at azstarnet.com>
> >> > Received: from Txkzxn (dhcp825.mc01.dsl.fastucson.net [169.197.11.57])
> >> > by cepheus.azstarnet.com (8.9.3/8.9.3) with SMTP id PAA14156
> >> > for <webmaster at mxtabs.net>; Thu, 13 Jun 2002 15:38:45 -0700 (MST)

This one is the original delivery. If there was some automated way to
query the ISP for which of their clients had 169.197.11.57 at that
time, then we might be able to notify something close to the correct
user.

Klez is a serious pain in the butt.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"To disable the Internet to save EMI and Disney is the moral
equivalent of burning down the library of Alexandria to ensure the
livelihood of monastic scribes."
-- John Ippolito of the Guggenheim
-----------------------------------------------------------------------
343 days until The Matrix Reloaded
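
Added example, not part of the original post and not sanitizer code: a Python sketch that pulls the client IP and a UTC timestamp out of the original-delivery Received header quoted above, which is the pair an ISP would need to match a DHCP/DSL lease. The function names and the second hop (`LATER_HOP`, with placeholder host and address) are constructed for illustration.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Received header quoted in the post, continuation lines as on the page.
ORIGINAL_HOP = """from Txkzxn (dhcp825.mc01.dsl.fastucson.net [169.197.11.57])
 by cepheus.azstarnet.com (8.9.3/8.9.3) with SMTP id PAA14156
 for <webmaster at mxtabs.net>; Thu, 13 Jun 2002 15:38:45 -0700 (MST)"""

# Constructed later hop (not from the post) so the chain has two entries.
LATER_HOP = """from cepheus.azstarnet.com (cepheus.azstarnet.com [192.0.2.10])
 by mx.example.net with ESMTP id CONSTRUCTED1
 for <webmaster at mxtabs.net>; Thu, 13 Jun 2002 15:38:58 -0700"""

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+).*;\s*(?P<date>.+)$"
)

def parse_hop(value):
    """Return HELO name, reverse DNS, client IP, receiving MTA and UTC time."""
    m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
    if m is None:
        return None  # no bracketed client IP recorded: nothing to look up
    hop = m.groupdict()
    date = re.sub(r"\s*\([^)]*\)\s*$", "", hop.pop("date"))  # drop "(MST)"
    hop["utc"] = parsedate_to_datetime(date).astimezone(timezone.utc)
    return hop

def original_delivery(received_headers):
    """Each relay prepends its header, so the bottom-most one is the first hop."""
    hops = [h for h in map(parse_hop, received_headers) if h]
    return hops[-1] if hops else None

def isp_lookup_key(hop):
    """IP plus UTC timestamp: what an ISP needs to identify the customer."""
    return f'{hop["ip"]} at {hop["utc"]:%Y-%m-%d %H:%M:%S} UTC, seen by {hop["by"]}'

if __name__ == "__main__":
    # Headers listed top to bottom, as they appear in a delivered message.
    print(isp_lookup_key(original_delivery([LATER_HOP, ORIGINAL_HOP])))
```

The HELO name (`Txkzxn`) is supplied by the sending client, so only the bracketed IP and the timestamp written by the receiving server go into the lookup key.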