From owner-freebsd-security Wed Dec 6 2:43:17 2000
From owner-freebsd-security@FreeBSD.ORG Wed Dec 6 02:43:13 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from aurora.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by hub.freebsd.org (Postfix) with ESMTP id EBB7037B400 for ; Wed, 6 Dec 2000 02:43:11 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by aurora.scoop.co.nz (8.9.3/8.9.3) with SMTP id XAA11689; Wed, 6 Dec 2000 23:42:58 +1300 (NZDT)
Date: Wed, 6 Dec 2000 23:42:57 +1300 (NZDT)
From: Andrew McNaughton
Reply-To: andrew@scoop.co.nz
To: "Arthur W. Neilson III"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: your mail
In-Reply-To: <200012052125590600.07C1781E@smtp>
Message-ID:
Priority: Normal
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It's tempting when reading mail headers to start working up from the last Received header, but this is unreliable. It is becoming commonplace to see forged Received headers.

In this case, starting from the top, each line looks credible above the 'From:' line. The next 3 lines are worth a bit of thought. I believe the line saying that the server which knows itself as mail.iconz.co.nz, but is known to the world as etrn.iconz.co.nz (iconz.co.nz primary mail exchanger), received the mail. If it had assigned the Message-Id, I would expect that to appear above the 'Received' line. I very much doubt that it assigned the 'From' address either.

The line below these two is also forged. How on earth could a machine on Iconz network in New Zealand receive a message from Germany on a private IP number? I figure this is simply forged.
The IPs could have resulted from someone using an open relay behind a network address translating gateway, and I don't know enough about "QuickMail Pro Server for Mac 2.0.1" to be sure that it doesn't have a bug which means it can pass on messages without adding a Message-ID header when required, but I don't see any innocent explanations for the location of the From header. Therefore, my reading of these headers is that the originator was the user who was on an iconz dialup line with IP 210.48.60.242 at Wed, 6 Dec 2000 18:22:19 +1300.

I've dealt with iconz staff over mail abuse issues in the past and found them pretty responsive. I suggest you get in touch with them. They have been bought out by asiaonline, and I seem to remember finding one or other of the abuse@ addresses was missing last time I needed to contact them. Try abuse@asiaonline.co.nz.

Andrew McNaughton

On Tue, 5 Dec 2000, Arthur W. Neilson III wrote:

> Date: Tue, 05 Dec 2000 21:25:59 -1000
> From: "Arthur W. Neilson III"
> To: freebsd-security@FreeBSD.ORG
>
> Hey guys, take a look at the headers from this posting to freebsd-security.
> It apparently is from tom@pilikia.net however there is no "tom" at pilikia.net,
> no one uses my system except for me. Looks like someone at 62.159.146.73
> (mail.soan.de) knows how to forge the from line, whoopie. So what's the best
> way to deal with this problem?
>
> Thanks!
>
> > Return-Path:
> > Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by pilikia.net (8.11.1/8.11.1) with ESMTP id eB65QvK28925 for ; Tue, 5 Dec 2000 19:26:57 -1000 (HST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
> > Received: from hub.freebsd.org (hub.FreeBSD.org [216.136.204.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 68D1E6E2E34; Tue, 5 Dec 2000 21:25:26 -0800 (PST)
> > Received: by hub.freebsd.org (Postfix, from userid 538) id 4900037B6B7; Tue, 5 Dec 2000 21:25:23 -0800 (PST)
> > Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with SMTP id BE47F2E8183; Tue, 5 Dec 2000 21:25:22 -0800 (PST)
> > Received: by hub.freebsd.org (bulk_mailer v1.12); Tue, 5 Dec 2000 21:25:22 -0800
> > Delivered-To: freebsd-security@freebsd.org
> > Received: from mail.iconz.co.nz (etrn.iconz.co.nz [210.48.22.36]) by hub.freebsd.org (Postfix) with ESMTP id 4A46837B69C; Tue, 5 Dec 2000 21:24:56 -0800 (PST)
> > Received: from creativejuice.co.nz (ip-210-48-60-242.iconz.net.nz [210.48.60.242] (may be forged)) by mail.iconz.co.nz (8.9.3/8.9.3) with ESMTP id SAA043700976080139; Wed, 6 Dec 2000 18:22:19 +1300 (NZDT)
> > From: tom@pilikia.net
> > Message-Id: <200012060522.SAA043700976080139@mail.iconz.co.nz>
> > Received: from [62.159.146.73] by [192.168.1.2] with SMTP (QuickMail Pro Server for Mac 2.0.1); 06-Dec-2000 18:23:08 +1300
> > To:
> > Subject: Search Engine Optimization Kit-2001 24123
> > Date: Wed, 06 Dec 2000 00:16:29 -0500
> > MIME-Version: 1.0
> > Content-Type: text/html; charset="iso-8859-1"
> > Content-Transfer-Encoding: quoted-printable
> > X-Priority: 1
> > X-MSMail-Priority: High
> > X-Mailer: Outlook Express
> > X-Originating-IP:
> > Sender: owner-freebsd-security@FreeBSD.ORG
> > X-Loop: FreeBSD.org
> > Precedence: bulk
>
> --
>  __
> / )  _/_     It is a capital mistake to theorise before one has data.
> /--/ __ /   Insensibly one begins to twist facts to suit theories,
> / (_/ (_<__  Instead of theories to suit facts.
>              -- Sherlock Holmes, "A Scandal in Bohemia"
> Arthur W. Neilson III, WH7N - FISTS #7448
> Bank of Hawaii Tech Support
> http://www.pilikia.net
> art@pilikia.net, aneilson@boh.com, wh7n@arrl.net
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Andrew McNaughton
Scoop Media Ltd
andrew@scoop.co.nz

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
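As an added example (not code from the thread or from either poster), the script below applies the top-down reading the reply describes to the quoted headers: it rejects a Received line that sits below From:/Message-Id: or that shows a private address receiving from a public one, and reports the last credible hop as the origin. It assumes a simplified Received syntax (from ... by ... ; date) with bracketed IPv4 literals, and treats sendmail's "(may be forged)" as a note only, since the reply still trusts that hop.

```python
import ipaddress
import re

# Constructed sample: the headers quoted above, unfolded one per element.
HEADERS = [
    "Received: from mail.iconz.co.nz (etrn.iconz.co.nz [210.48.22.36]) by "
    "hub.freebsd.org (Postfix) with ESMTP id 4A46837B69C; "
    "Tue, 5 Dec 2000 21:24:56 -0800 (PST)",
    "Received: from creativejuice.co.nz (ip-210-48-60-242.iconz.net.nz "
    "[210.48.60.242] (may be forged)) by mail.iconz.co.nz (8.9.3/8.9.3) with "
    "ESMTP id SAA043700976080139; Wed, 6 Dec 2000 18:22:19 +1300 (NZDT)",
    "From: tom@pilikia.net",
    "Message-Id: <200012060522.SAA043700976080139@mail.iconz.co.nz>",
    "Received: from [62.159.146.73] by [192.168.1.2] with SMTP "
    "(QuickMail Pro Server for Mac 2.0.1); 06-Dec-2000 18:23:08 +1300",
]

RCVD_RE = re.compile(r"^from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+).*?;\s*(?P<date>.*)$")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def bracketed_ip(text):
    m = IP_RE.search(text)  # first bracketed IPv4 literal in the clause, if any
    return ipaddress.ip_address(m.group(1)) if m else None

def audit_received(headers):
    """Walk the headers top-down, as the reply recommends, stopping at the first
    Received line that is not credible.  Returns (findings, origin): the reasons
    that hop was rejected, and the (from-IP, date) of the last credible hop."""
    findings, origin, past_trace_block = [], None, False
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() != "received":
            past_trace_block = True   # From:, Message-Id:, ... already seen
            continue
        m = RCVD_RE.match(value.strip())
        if not m:
            continue                  # hop without a 'from' clause; nothing to judge
        frm, by, date = m.group("frm"), m.group("by"), m.group("date")
        src, dst = bracketed_ip(frm), bracketed_ip(by)
        problems = []
        if past_trace_block:
            problems.append("Received header below From:/Message-Id: (by %s)" % by)
        if src and dst and dst.is_private and not src.is_private:
            problems.append("private host %s claims delivery from public %s" % (dst, src))
        if problems:                  # nothing below this hop can be trusted
            findings.extend(problems)
            break
        origin = (str(src), date) if src else origin
    return findings, origin
```

Run on the sample it stops at the QuickMail line and names the iconz dialup address and timestamp the reply arrives at.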