
[LUG] Reading mail headers was Re: bad apple: follow up and fall out

On 30/03/13 07:15, tom wrote:
> 
> Does your server write this to the header or just accept what its given?

The Received headers are written by the server that received it oddly
enough, and in order, thus we trust Pi, so we trust its received headers.

The reverse DNS suggests it is Yahoo, you need to check reverse DNS with
a forward lookup since the reverse DNS can point to anything the address
owner says. A quick whois also shows it is a Yahoo address.

Strictly whois can be faked, but it is less likely (does happen with big
spammers), forward DNS for the same name is more reliable since that
would require co-operation (or negligence) from the managers of the
yahoo.com domain name to forge.

Typically you trust the received headers whilst the received headers are
inserted by your machines (unless you've reason to believe your machines
are the insert point, or the mail log disagrees with the headers).

That a Yahoo server says it was injected using a Yahoo webmail client,
and that it emailed only addresses that the corresponding Yahoo webmail
account has emailed before, is good evidence it is a compromise of
security somewhere at Yahoo (end user or systemic). If it were the only
such email I'd received this month I'd be more suspicious, but the
evidence is quite clear on the likely origin. The other received headers
are consistent with injection by the IP address listed by the first
Yahoo server in the chain.

So worked exercise for the curious:

Email received claiming to be from the DCGLUG list sent by a Tom Potts...

Received: from pi.a-squared.co.uk (pi.a-squared.co.uk [37.128.189.136])
        by lintel.vm.bytemark.co.uk (Postfix) with ESMTPS id 15BB31E464
        for <simon@xxxxxxxxxxxxxx>; Sat, 30 Mar 2013 07:16:05 +0000 (GMT)

The top header says it came from pi.a-squared.co.uk (the IP address is
trustworthy, the name might be wrong depending what checks the mail
server performs). In this case I can check the name easily enough.

$ dig +short pi.a-squared.co.uk
37.128.189.136

Received: from localhost ([127.0.0.1] helo=pi.a-squared.co.uk)
        by pi.a-squared.co.uk with esmtp (Exim 4.72)
        (envelope-from <list-bounces@xxxxxxxxxxxxx>)
        id 1ULq16-0004WK-Fv; Sat, 30 Mar 2013 07:15:56 +0000

Hmm that is slightly odd for a normal email, Pi got it from "localhost",
again I trust Pi, so presumably it is sent from a script (the DCGLUG
mailing list software), but also you might see spam filters or virus
checkers sending email from localhost.

Received: from smtp.hosts.co.uk ([85.233.160.19])
        by pi.a-squared.co.uk with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
        (Exim 4.72) (envelope-from <tompotts@xxxxxxxxxxxxxxxxxxxxxx>)
        id 1ULq15-0004WD-SG
        for list@xxxxxxxxxxxxx; Sat, 30 Mar 2013 07:15:55 +0000

Pi reporting how it got the email. Again I trust Pi, so I trust the IP
address, but the name and envelope-from are potentially from the sending
machine and not immediately reliable.

Quick "dig" confirms the name "smtp.hosts.co.uk" maps to the address given.

Received: from [213.246.94.96] (helo=[192.168.2.33])
        by smtp.hosts.co.uk with esmtps (TLSv1:CAMELLIA256-SHA:256)
        (Exim 4.72) (envelope-from <tompotts@xxxxxxxxxxxxxxxxxxxxxx>)
        id 1ULq15-0001xV-7z
        for list@xxxxxxxxxxxxx; Sat, 30 Mar 2013 07:15:55 +0000

Okay so smtp.hosts.co.uk is not known to me (well, let's pretend so
anyway), and a suspiciously generic server name. But a quick check with
dig, and whois, show the domain and address are both registered to
"NAMESCO", who are a reputable UK company. So I'm inclined to trust they
are accurate.

The "helo" here is suspicious. 192.168.2.33 is an RFC1918 reserved
private address. HELO is supposed to be unique. My email server would
probably (it weighs its options) reject an incoming email with such a
"HELO".

In this case it would appear to be okay, since it is the first Received
header, so an example of email being injected at the origin as we expect
with SMTP; such a record in the middle of a list of Received headers
might suggest fakery. The IP address 213.246.94.96 is in NAMESCO-DSL7,
so it seems likely it is an ADSL line.

At this point the chain is complete. A keen spam checking tool could
establish that the email address's associated DNS records (MX, A) all
point to NAMESCO hosted servers, adding consistency to the mail
receiving experience.

Although Received headers can be faked, my experience is that this is
currently very unusual.

They are onerous to fake well (easy to fake badly), and since in most
cases where you care (spam filtering) you initially look to addressing
the first untrusted server that handed you the email, faking them
doesn't really gain spammers much. Particularly if they are using
botnets, when even if it is reported and fixed it is likely one of
thousands.

Some spam filters check Received headers for known spam sources, but
faking them would only allow you to add known spam sources, so would
only increase, and not decrease your chance of spam being filtered as spam.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
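The procedure Simon walks through above (read the Received headers top down, trust the ones written by your own relays, forward-resolve every name against the logged address, flag an RFC1918 or loopback HELO, and stop at the first peer you do not control) can be turned into a small checker. The following is an added example, not code from the post or from the DCGLUG list software. It uses the four headers quoted in the post as its sample input; the name-to-address table is a constructed stand-in for DNS built from the lookups the post reports, so that the script runs offline, and `live_resolver` is provided for real use. Treating lintel.vm.bytemark.co.uk as a trusted relay alongside Pi is an assumption (the post only says it trusts Pi).

```python
import ipaddress
import re
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# The four Received headers quoted in the post, most recent hop first (the
# order they appear in the message, since each relay prepends its own).
# Folded lines are joined; the addresses the post masked are left masked.
RECEIVED = [
    "from pi.a-squared.co.uk (pi.a-squared.co.uk [37.128.189.136]) "
    "by lintel.vm.bytemark.co.uk (Postfix) with ESMTPS id 15BB31E464 "
    "for <simon@xxxxxxxxxxxxxx>; Sat, 30 Mar 2013 07:16:05 +0000 (GMT)",
    "from localhost ([127.0.0.1] helo=pi.a-squared.co.uk) "
    "by pi.a-squared.co.uk with esmtp (Exim 4.72) "
    "(envelope-from <list-bounces@xxxxxxxxxxxxx>) "
    "id 1ULq16-0004WK-Fv; Sat, 30 Mar 2013 07:15:56 +0000",
    "from smtp.hosts.co.uk ([85.233.160.19]) "
    "by pi.a-squared.co.uk with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) "
    "(Exim 4.72) (envelope-from <tompotts@xxxxxxxxxxxxxxxxxxxxxx>) "
    "id 1ULq15-0004WD-SG for list@xxxxxxxxxxxxx; Sat, 30 Mar 2013 07:15:55 +0000",
    "from [213.246.94.96] (helo=[192.168.2.33]) "
    "by smtp.hosts.co.uk with esmtps (TLSv1:CAMELLIA256-SHA:256) "
    "(Exim 4.72) (envelope-from <tompotts@xxxxxxxxxxxxxxxxxxxxxx>) "
    "id 1ULq15-0001xV-7z for list@xxxxxxxxxxxxx; Sat, 30 Mar 2013 07:15:55 +0000",
]

# Relays we operate (Pi per the post; lintel, the receiving host, is assumed ours).
TRUSTED_HOSTS = {"pi.a-squared.co.uk", "lintel.vm.bytemark.co.uk"}
TRUSTED_IPS = {"37.128.189.136", "127.0.0.1"}

# Constructed stand-in for forward (A) lookups, from the dig results the post
# reports plus the standard loopback name. Swap in live_resolver for real mail.
FAKE_A_RECORDS: Dict[str, Set[str]] = {
    "pi.a-squared.co.uk": {"37.128.189.136"},
    "smtp.hosts.co.uk": {"85.233.160.19"},
    "localhost": {"127.0.0.1"},
}
Resolver = Callable[[str], Set[str]]


def fake_resolver(name: str) -> Set[str]:
    return FAKE_A_RECORDS.get(name.lower(), set())


def live_resolver(name: str) -> Set[str]:
    """Forward lookup through the system resolver (IPv4, to match the headers)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


HOP_RE = re.compile(
    r"^from\s+(?P<name>\S+)"           # name the peer announced, or its rDNS
    r"\s*(?:\((?P<paren>[^)]*)\))?"    # Postfix: "rdns [ip]"; Exim: "[ip] helo=x"
    r"\s*by\s+(?P<by>\S+)",            # the relay that wrote this header
    re.IGNORECASE,
)
IP_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    ip: Optional[str]     # peer address as logged by the receiving relay (trustworthy if the relay is)
    helo: Optional[str]   # name the peer claimed; may be an "[ip]" literal
    rdns: Optional[str]   # reverse-DNS name the relay recorded, if any
    by: str               # relay that wrote the header


def parse_received(header: str) -> Optional[Hop]:
    """Parse one Postfix- or Exim-style Received header into a Hop."""
    m = HOP_RE.match(header.strip())
    if not m:
        return None
    name, paren, by = m.group("name"), m.group("paren") or "", m.group("by")
    ip_m = IP_LITERAL.search(name + " " + paren)
    ip = ip_m.group(1) if ip_m else None
    helo_m = re.search(r"helo=(\S+)", paren)
    if helo_m:  # Exim: "from RDNS ([ip] helo=HELO)" when the two differ
        helo, rdns = helo_m.group(1), (None if name.startswith("[") else name)
    else:       # Postfix: "from HELO (RDNS [ip])"; Exim collapses to "from NAME ([ip])"
        helo = None if name.startswith("[") else name
        first = paren.split()[0] if paren else ""
        rdns = first if first and not first.startswith("[") else None
    return Hop(ip=ip, helo=helo, rdns=rdns, by=by)


def check_names(hop: Hop, resolver: Resolver) -> Dict[str, str]:
    """Forward-resolve each hostname on the hop; 'ok' only if it maps back to hop.ip."""
    verdicts = {}
    for name in {hop.helo, hop.rdns} - {None}:
        if name.startswith("["):
            continue  # address literal, nothing to resolve
        addrs = resolver(name)
        verdicts[name] = "unresolvable" if not addrs else ("ok" if hop.ip in addrs else "mismatch")
    return verdicts


def helo_is_private_literal(helo: Optional[str]) -> bool:
    """True for HELO given as an RFC1918 or loopback address literal such as [192.168.2.33]."""
    m = IP_LITERAL.fullmatch(helo or "")
    if not m:
        return False
    addr = ipaddress.ip_address(m.group(1))
    return addr.is_private or addr.is_loopback


@dataclass
class Report:
    hops: List[Hop]
    first_untrusted_ip: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def analyse(headers: List[str], trusted_hosts: Set[str], trusted_ips: Set[str],
            resolver: Resolver) -> Report:
    """Walk the chain top down, as the post does, and record what each hop tells us."""
    hops = [h for h in (parse_received(x) for x in headers) if h]
    report, boundary_seen, last = Report(hops=hops), False, len(hops) - 1
    for i, hop in enumerate(hops):
        claims_ours = hop.by.lower() in trusted_hosts
        if claims_ours and boundary_seen:
            report.findings.append(f"hop {i}: claims to be written by {hop.by} below the trust boundary: likely forged")
        trusted = claims_ours and not boundary_seen
        if trusted and hop.ip not in trusted_ips:  # our relay logged a peer we do not control
            report.first_untrusted_ip, boundary_seen = hop.ip, True
        report.findings.append(f"hop {i}: {hop.ip} -> {hop.by} [{'trusted' if trusted else 'unverified'}]")
        for name, verdict in sorted(check_names(hop, resolver).items()):
            report.findings.append(f"hop {i}: forward lookup of {name}: {verdict}")
        if helo_is_private_literal(hop.helo):
            where = "at origin (expected for a client submission)" if i == last else "mid-chain (suspicious)"
            report.findings.append(f"hop {i}: private/loopback HELO {hop.helo} {where}")
    return report


if __name__ == "__main__":
    for line in analyse(RECEIVED, TRUSTED_HOSTS, TRUSTED_IPS, fake_resolver).findings:
        print(line)
```

On the post's headers the trust boundary falls at the third header: Pi logged 85.233.160.19 (smtp.hosts.co.uk), the first address not ours, which is the peer a spam filter would act on. The hop from localhost shows HELO pi.a-squared.co.uk not forward-resolving to 127.0.0.1, harmless here because Pi wrote that header itself, and the last hop carries the RFC1918 HELO the post remarks on, accepted because it is the origin.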