Security Basics: what's this (email question)

From: Glenn English <ghe_at_slsware.com>
Date: Fri, 29 Apr 2005 17:51:30 -0600

Email with headers similar to this has begun showing up in my spam box.
The last (and only) Received: says it came from localhost.

Am I owned? :-)

I didn't think it was possible to forge the last Received:. I've been
getting bounces for mail never sent from here, but I just assumed it was
a spammer forging my domain name. Maybe not?? I notice SpamAssassin says
the HELO was forged -- I don't understand how this could happen.

(server.slsware.com is my SMTP server. indra.net is a local ISP, with
whom I have an account; I have a .forward to myself at slsware in my
directory at indra.)

--------------------------------------------------------------
From faygaspar_at_flowcadillac.com Fri Feb 11 16:54:29 2005
Received: from localhost by server.slsware.com
        with SpamAssassin (2.64 2004-01-11);
        Fri, 11 Feb 2005 16:54:31 -0700
From: "Alfonso Sprague" <faygaspar_at_flowcadillac.com>
To: barrett_at_indra.net
Subject: ***SPAM*** Mortgage New Update
Date: Sat, 12 Feb 2005 01:50:08 -0300
Message-Id: <2QBVlvR91d_at_knowhow.com>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on
server.slsware.com
X-Spam-Pyzor:
X-Spam-Status: Yes, hits=5.5 required=5.0
tests=FORGED_RCVD_NET_HELO,NO_COST,
        RATWARE_EMWAC autolearn=no version=2.64
X-Spam-Level: *****
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_420D45B7.2C897397"
X-Bogosity: Yes, tests=bogofilter, spamicity=0.999777, version=0.13.7.2,
algorithm=fisher
Status: RO
X-Status:
X-Keywords:
X-UID: 37323
--------------------------------------------------------------

My MTA's Received: usually looks something like this:

--------------------------------------------------------------
Received: from sccrmhc11.comcast.net (sccrmhc11.comcast.net
        [204.127.202.55]) by mail.slsware.com (Postfix) with ESMTP
        id 81D13FB9D for <ghe_at_slsware.com>; Fri, 29 Apr 2005
        16:23:17 -0600 (MDT)
--------------------------------------------------------------

mail and server.slsware.com are the same machine and IP. Postfix calls
it mail, and reverse DNS *on that machine* calls it server. Reverse DNS
from the Internet calls it something having to do with an unused block
(long story).

-- 
Glenn English
ghe_at_slsware.com
GPG ID: D0D7FF20

Received on May 02 2005
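Walking the Received: chain is the check that answers the question above. The script below is an added example, not code from the post or from SpamAssassin or Postfix; it uses a constructed three-hop sample (the SpamAssassin and Postfix lines quoted above plus one hypothetical hop at the documentation address 192.0.2.10, with hypothetical host names) and treats a "from localhost ... with SpamAssassin" line as the stamp the local filter adds when it marks up a message, not as an SMTP delivery, so it is never used as evidence of where the mail originated.

```python
import re
from email import message_from_string

# Constructed sample chain: the SpamAssassin line and the Postfix line quoted
# in the post, plus one hypothetical hop (192.0.2.10 is a documentation address).
SAMPLE = """\
Received: from localhost by server.slsware.com
        with SpamAssassin (2.64 2004-01-11);
        Fri, 11 Feb 2005 16:54:31 -0700
Received: from mx.example.net (host-10.example.org [192.0.2.10])
        by mail.slsware.com (Postfix) with SMTP id 0F00BAA;
        Fri, 11 Feb 2005 16:54:29 -0700 (MST)
Received: from sccrmhc11.comcast.net (sccrmhc11.comcast.net
        [204.127.202.55]) by mail.slsware.com (Postfix) with ESMTP
        id 81D13FB9D; Fri, 29 Apr 2005 16:23:17 -0600 (MDT)

"""
# from HELO (rDNS [ip]) by HOST ... with PROTO; the "(rDNS [ip])" part is optional
HOP = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s*)?\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)(?:.*?\bwith\s+(?P<with>\S+))?", re.I)

def classify(hop):
    """A 'with SpamAssassin' stamp, or a 'from localhost' hop with no client IP,
    is a local filter pass rather than an SMTP delivery, so it says nothing
    about where the mail came from; real hops get a HELO vs reverse-DNS check."""
    flags = []
    if (hop.get("with", "").lower().startswith("spamassassin")
            or (hop["helo"].lower() == "localhost" and "ip" not in hop)):
        return "local-scan", flags
    rdns = hop.get("rdns", "").lower()
    if not rdns or rdns == "unknown":   # Postfix writes 'unknown' when rDNS fails
        flags.append("no-rdns")
    elif rdns != hop["helo"].lower():
        flags.append("helo-rdns-mismatch")
    return "smtp", flags

def analyze(raw):
    """Parse Received: headers (newest first) into hops tagged with kind and flags."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))   # unfold the header, then match
        if m:
            hop = {k: v for k, v in m.groupdict().items() if v}
            hop["kind"], hop["flags"] = classify(hop)
            hops.append(hop)
    return hops
```

The oldest hop tagged "smtp" that carries a client IP is the best origin the headers can give; everything above it on the receiving host (the SpamAssassin stamp here) was added locally after delivery.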