[Coco] yahoo groups

John E. Malmberg wb8tyw at qsl.net
Fri Apr 20 19:30:25 EDT 2007


Roger Merchberger wrote:
> Rumor has it that Gene Heskett may have mentioned these words:
>> ... if the X-Originating-IP: header can be believed.
> 
> Yes, but can it? Anything X* in the headers is optional, and it depends 
> on if *your* server is inserting that header, or if it's coming from the 
> other end of the SMTP conversation - if it's from the other end, it can 
> (and probably is) spoofed to try to look legit.
> 
> What do your Received: headers say? Also, what are you running for an MTA?

X- headers that you did not add yourself cannot be trusted. Spammers 
have been spoofing the commonly used ones for over a decade.

Also, the originating I.P. given by a valid X header is usually that 
of the user that connected to the mail server, not the mail server 
itself. You can check if that I.P. is in an anti-spam database as part of 
the decision on how to process the e-mail.

What spammers cannot spoof is the rDNS for the I.P. address that your 
mail server accepted the e-mail from.

From what I have been told, it has been an RFC requirement that every 
server connected to the Internet have a valid rDNS. That is, if you do a 
lookup of the I.P. address, you get a name, and if you look up that 
name, you can find the original I.P. address.

Unfortunately there are apparently a few major legitimate e-mail sources 
that are publishing broken rDNS values, so you cannot just reject all 
rDNS failures. From the estimates I have seen, rejecting on bad rDNS 
will get you a noticeable false positive rate of between 1 and 10 
percent. Sad, because fixing an rDNS problem is trivial for a network 
owner, and it is a trivial check which just about every commercial mail 
server product can enable.

However, many major mail servers like AOL are now refusing e-mail from 
sources with no rDNS at all, and have been for quite some time.

Do not expect the rDNS domain name to have any relationship to the 
domain name that the e-mail claims to come from.  While it is usually 
the same, in quite a few legitimate cases it is not.

Your mail server should be writing a line in the headers that shows the 
host name that the sending mail server claimed to be (can be forged), 
and, in parentheses, the rDNS name and the I.P. address of the sender, 
which cannot be forged.

Every other line in the message header is suspect and can be forged.

-John
wb8tyw(at)qsl.net
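As an added illustration of the two points above (the Received: line layout with the forgeable HELO name outside the parentheses and the MTA-recorded rDNS/IP inside, and the forward-confirmed rDNS lookup), here is example code that is not part of this thread. The Received: lines, IPs, host names and resolver tables are all constructed stand-ins so it runs offline; a real deployment would replace the table lookups with PTR and A queries.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed Received: lines in the layout the post describes: the HELO name the
# sender claimed, then (rDNS-name [IP]) as recorded by the receiving MTA itself.
GOOD = "Received: from mail.example.com (smtp-out7.mailhost.example.net [192.0.2.10]) by mx.example.org"
BAD_PTR = "Received: from mail.example.com (broken.example.org [192.0.2.20]) by mx.example.org"
NO_PTR = "Received: from mail.example.com (unknown [192.0.2.77]) by mx.example.org"

# Stand-in resolver tables (constructed) so the check runs without network access.
PTR_TABLE: Dict[str, List[str]] = {
    "192.0.2.10": ["smtp-out7.mailhost.example.net"],
    "192.0.2.20": ["broken.example.org"],  # PTR exists but the forward lookup does not confirm it
}
A_TABLE: Dict[str, List[str]] = {
    "smtp-out7.mailhost.example.net": ["192.0.2.10"],
    "broken.example.org": ["198.51.100.5"],
}

# HELO name, then optional rDNS name and the bracketed IP inside the parentheses.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)", re.I)

def parse_received(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a Received: line into the forgeable HELO name and the MTA-recorded rDNS/IP."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    rdns = m.group("rdns")
    return {"helo": m.group("helo"),
            "rdns": None if rdns is None or rdns.lower() == "unknown" else rdns,
            "ip": m.group("ip")}

def fcrdns(ip: str, ptr: Callable[[str], List[str]], fwd: Callable[[str], List[str]]) -> str:
    """Forward-confirmed rDNS: PTR(ip) yields a name, and A(name) must contain ip again."""
    names = ptr(ip)
    if not names:
        return "no-rdns"
    return "pass" if any(ip in fwd(n) for n in names) else "mismatch"

def assess(line: str) -> Dict[str, object]:
    """Combine the parsed header with the FCrDNS result; HELO/rDNS agreement is advisory only."""
    parsed = parse_received(line)
    if parsed is None:
        return {"error": "unparsed"}
    verdict = fcrdns(parsed["ip"], lambda i: PTR_TABLE.get(i, []), lambda n: A_TABLE.get(n, []))
    return {**parsed, "fcrdns": verdict, "helo_matches_rdns": parsed["rdns"] == parsed["helo"]}

if __name__ == "__main__":
    for line in (GOOD, BAD_PTR, NO_PTR):
        print(assess(line))
```

Note that `helo_matches_rdns` is reported but not used in the verdict, since, as the post says, a legitimate sender's rDNS name often differs from the domain the mail claims to come from.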
