[Esd-l] ZIP scanning, take two (repost)

John D. Hardin jhardin at impsec.org
Mon Feb 23 13:11:39 PST 2004

On Mon, 23 Feb 2004, Simon Matthews wrote:

> I'm not sure that I made myself clear.
> SA deduces (or is configured) to understand a set of mail relays that are 
> considered trusted. It tracks the "received" headers from the first header 
> and identifies the received lines beyond the trusted networks to find 
> untrusted relays. Hence, even if a spammer puts in a fake received header 
> that matches my private LAN ip addresses, SA will realize that these are 
> fakes. If Procmail can do this, great. I'm just not sure that Procmail can 
> do anything beyond scanning all the received lines for matching patterns.

Hrm. You have a point. I don't know about procmail separating the
headers into "trusted" and "untrusted" on a boundary like that, but if
you have a simple setup (one mail server handling internal mail, say)
then it's fairly simple to pick the single trusted Received: header
out of the mess, and determine where it received the message from
(inside vs. outside).

There's not a lot you can do about a spammer forging Received: headers
if they know your internal network layout. Balance that against the
amount of effort the spammer would have to put in to make a forged
Received header that fools your "local origination" test vs. the
amount of work needed to forge one that simply looks plausible, and I
think you're still going to come out on the winning side of the
equation. How much work is a spammer/worm/whatever going to put into
forging Received headers that are specific to your site?

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
   40 days until the Slovakian Presidential Election

More information about the esd-l mailing list