[Esd-l] ZIP scanning, take two (repost)
John D. Hardin
jhardin at impsec.org
Mon Feb 23 13:11:39 PST 2004
On Mon, 23 Feb 2004, Simon Matthews wrote:
> I'm not sure that I made myself clear.
>
> SA deduces (or is configured) to understand a set of mail relays that are
> considered trusted. It tracks the "received" headers from the first header
> and identifies the received lines beyond the trusted networks to find
> untrusted relays. Hence, even if a spammer puts in a fake received header
> that matches my private LAN ip addresses, SA will realize that these are
> fakes. If Procmail can do this, great. I'm just not sure that Procmail can
> do anything beyond scanning all the received lines for matching patterns.
Hrm. You have a point. I don't know about procmail separating the
headers into "trusted" and "untrusted" on a boundary like that, but if
you have a simple setup (one mail server handling internal mail, say)
then it's fairly simple to pick the single trusted Received: header
out of the mess, and determine where it received the message from
(inside vs. outside).
There's not a lot you can do about a spammer forging Received: headers
if they know your internal network layout. Balance that against the
amount of effort the spammer would have to put in to make a forged
Received header that fools your "local origination" test vs. the
amount of work needed to forge one that simply looks plausible, and I
think you're still going to come out on the winning side of the
equation. How much work is a spammer/worm/whatever going to put into
forging Received headers that are specific to your site?
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
40 days until the Slovakian Presidential Election
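The "single trusted Received: header" test John describes above, as an added example that is not code from the post or from procmail. It is written in Python rather than as a procmail recipe so the logic is explicit: only the topmost Received: line (the one the trusted MTA itself prepended) is examined, its recorded peer address is extracted, and the message is classed as inside or outside. A naive "does any Received: line mention a LAN address" check sits beside it to show the weakness Simon raised. The trusted host mail.example.com, the 192.168.1.0/24 LAN, and the three sample messages are all constructed for the example.

```python
"""Inside/outside origin from the one trusted Received: header.

Added example, not from the list post. Assumptions (hypothetical site):
the only trusted MTA is mail.example.com, the internal LAN is
192.168.1.0/24, and the sample messages below are constructed.
"""
import email
import ipaddress
import re

TRUSTED_HOST = "mail.example.com"                         # assumption
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),  # assumption
                 ipaddress.ip_network("127.0.0.0/8")]

# Peer address as an MTA records it: "from helo (rdns [a.b.c.d]) by host ..."
PEER_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def trusted_received(msg):
    """Return the Received: header written by the trusted MTA, or None.

    MTAs prepend Received: headers, so with a single trusted server doing
    final delivery the topmost header is the only one it wrote itself.
    Everything below it arrived inside the message and may be forged.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    top = received[0]
    m = BY_RE.search(top)
    if m and m.group(1).lower().rstrip(".") == TRUSTED_HOST:
        return top
    return None  # topmost hop is not ours: believe nothing


def origin_ip(received):
    """The peer address recorded on the 'from' side of one Received: line."""
    before_by = re.split(r"\s+by\s+", received, 1, flags=re.IGNORECASE)[0]
    m = PEER_IP_RE.search(before_by)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def classify(raw):
    """'inside', 'outside' or 'unknown' (treat unknown as untrusted)."""
    hdr = trusted_received(email.message_from_string(raw))
    ip = origin_ip(hdr) if hdr else None
    if ip is None:
        return "unknown"
    return "inside" if any(ip in net for net in INTERNAL_NETS) else "outside"


def naive_local_check(raw):
    """The weaker test: does *any* Received: line carry a LAN address?"""
    msg = email.message_from_string(raw)
    for hdr in msg.get_all("Received") or []:
        ip = origin_ip(hdr)
        if ip is not None and any(ip in net for net in INTERNAL_NETS):
            return True
    return False


# Constructed sample messages (not real traffic).
INTERNAL = """\
Received: from pc17.lan.example.com (pc17.lan.example.com [192.168.1.17]) by mail.example.com (8.12.11/8.12.11) with ESMTP for <jane@example.com>; Mon, 23 Feb 2004 13:11:02 -0800
From: bob@example.com
To: jane@example.com
Subject: lunch

see you at noon
"""

# External sender who forged a LAN-looking hop underneath the real one.
FORGED = """\
Received: from dsl-203-0-113-5.example.net (unknown [203.0.113.5]) by mail.example.com (8.12.11/8.12.11) with ESMTP for <jane@example.com>; Mon, 23 Feb 2004 13:11:39 -0800
Received: from pc17.lan.example.com (pc17.lan.example.com [192.168.1.17]) by mail.example.com (8.12.11/8.12.11) with ESMTP; Mon, 23 Feb 2004 13:10:00 -0800
From: bob@example.com
To: jane@example.com
Subject: read this

attachment.zip
"""

# Topmost hop is some other relay: nothing here is ours to trust.
UNEXPECTED = """\
Received: from other.example.org (other.example.org [198.51.100.9]) by relay.example.org with ESMTP; Mon, 23 Feb 2004 13:12:00 -0800
From: carol@example.org
To: jane@example.com
Subject: hi

hello
"""

if __name__ == "__main__":
    for name, raw in (("INTERNAL", INTERNAL), ("FORGED", FORGED), ("UNEXPECTED", UNEXPECTED)):
        print(name, classify(raw), "naive:", naive_local_check(raw))
```

The forged message fools the naive any-header check but is classed as outside by the trusted-header test, because the only line consulted is the one the local MTA stamped. If more than one relay sits in front of delivery, the same idea extends by walking down the headers while each "by" host is one you own and stopping at the first that is not. A worm or spammer that can already connect to the MTA from inside the LAN is, correctly, "inside"; this test tells you where the message entered your mail system, not whether it is wanted.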