[Mimedefang] On pinheaded ISP's (sort of OT)

David F. Skoll dfs at roaringpenguin.com
Mon Jan 29 16:27:06 EST 2007


Philip Prindeville wrote:

> Having to present all of the headers (or, really, just the Received:
> headers) isn't reliable for the very reason that you point out:
> they can be forged.

> Logs can't.

Logs can't be forged? :-)

I guess that explains this log snippet from my server:

Jan 29 16:15:33 www sendmail[16853]: l0TLCSk4016853:
from=<philipp_subx at redfish-solutions.com>, size=9385, class=0,
nrcpts=1, msgid=<99BE633A.9000306 at redfish-solutions.com>, proto=ESMTP,
daemon=MTA, relay=mail.redfish-solutions.com [71.36.29.88]

Jan 29 16:15:33 www mimedefang.pl[15864]: CanIt: l0TLCSk4016853:
what=accepted, stream=nolinks, nrcpts=1, relay=71.36.29.88,
sender=philipp_subx at redfish-solutions.com, subject=IMPR0VE Y0UR S3X LIFE!!!!!!

Jan 29 16:15:34 www sendmail[16858]: l0TLCSk4016853:
to="|/var/mailman/mail/mailman post mimedefang",
ctladdr=<mimedefang at lists.roaringpenguin.com> (8/0), delay=00:00:01,
xdelay=00:00:01, mailer=prog, pri=32104, dsn=2.0.0, stat=Sent

I've altered those logs in 7 different places.  Find the forgeries.

Here's why I would demand headers:  Yes, you can forge headers.  But
you can also forge logs.  So asking for more evidence makes a potential
forger work harder, and makes him more likely to make a (detectable)
mistake.

Regards,

David.
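The corroboration David argues for above, worked through as an added example (it is not part of the original post and not MIMEDefang's or sendmail's own code): take the receiving MTA's sendmail `from=` log line, the `Received:` header that same MTA stamped on the message, and the `Message-ID:`, and check that every field that should agree does agree. Assumptions: the log lines and headers are constructed for this demonstration using RFC 5737 addresses; the sendmail queue ID is assumed to follow the 8.12+ scheme (base-60 UTC year/month/day/hour/minute/second, two sequence characters, then the receiving process's 6-digit PID), which you should confirm against `queue.c` for your version; and the MTA's syslog clock is assumed to run in the same zone as the `Received:` date offset.

```python
"""Cross-check a message's Received: header and Message-ID against the
receiving MTA's own sendmail log.  A forger who fabricates one side has
to keep every field on the other side consistent; these checks look for
the slips that result when they do not.

All log lines and headers below are constructed for this demonstration
(modelled on the sendmail/MIMEDefang log format, with RFC 5737 addresses).
"""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumption: sendmail 8.12+ queue IDs are base-60 digits
# [year%60][mon][mday][hour][min][sec][seq][seq] + 6-digit PID, time in UTC.
# Verify against queue.c (assign_queueid) for your sendmail version.
QID_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx"

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>[0-9A-Za-z]{14}): from=<(?P<sender>[^>]*)>.*?"
    r"msgid=<(?P<msgid>[^>]+)>.*?relay=(?P<relay>\S+) \[(?P<ip>[\d.]+)\]"
)
RCVD_RE = re.compile(
    r"^Received: from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[\d.]+)\]\) "
    r"by (?P<by>\S+) .*? with ESMTP id (?P<qid>[0-9A-Za-z]{14})"
    r"(?: for <[^>]+>)?; (?P<date>.+)$"
)


def parse_log(line):
    """Pull queue ID, PID, Message-ID and relay IP out of a sendmail from= line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not a sendmail from= log line")
    return m.groupdict()


def parse_received(header):
    """Unfold a Received: header and extract relay IP, queue ID and date."""
    folded = re.sub(r"\r?\n[ \t]+", " ", header.strip())
    m = RCVD_RE.match(folded)
    if not m:
        raise ValueError("unrecognised Received: header")
    d = m.groupdict()
    d["date"] = parsedate_to_datetime(d["date"])
    return d


def decode_queue_id(qid, ref_year):
    """Return (envelope creation time in UTC, PID) encoded in a queue ID.
    The year is stored mod 60, so the caller supplies a year to disambiguate."""
    year_mod, mon, day, hour, minute, sec = [QID_ALPHABET.index(c) for c in qid[:6]]
    if (ref_year - 1900) % 60 != year_mod:
        raise ValueError("queue ID year does not match reference year")
    created = datetime(ref_year, mon + 1, day, hour, minute, sec, tzinfo=timezone.utc)
    return created, int(qid[8:])


def log_time(ts, ref):
    """Syslog stamps carry no year or zone: borrow both from the Received: date
    (assumption: the MTA clock runs in that zone)."""
    naive = datetime.strptime(f"{ref.year} {ts}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=ref.tzinfo)


def cross_check(log_line, received, msgid_header, tolerance=timedelta(minutes=5)):
    """Return a list of discrepancies; an empty list means log and headers agree."""
    log, rcvd = parse_log(log_line), parse_received(received)
    problems = []
    if log["qid"] != rcvd["qid"]:
        problems.append(f"queue id: log {log['qid']} vs header {rcvd['qid']}")
    if log["ip"] != rcvd["ip"]:
        problems.append(f"relay ip: log {log['ip']} vs header {rcvd['ip']}")
    if log["msgid"] != msgid_header.strip().strip("<>"):
        problems.append(f"message-id: log {log['msgid']} vs header {msgid_header}")
    try:
        created, pid = decode_queue_id(log["qid"], rcvd["date"].year)
        if pid != int(log["pid"]):
            problems.append(f"pid: log process {log['pid']} vs queue id {pid}")
        if abs(created - rcvd["date"]) > tolerance:
            problems.append(f"queue id time {created} vs header date {rcvd['date']}")
    except ValueError as e:
        problems.append(f"queue id undecodable: {e}")
    stamp = log_time(log["ts"], rcvd["date"])
    if abs(stamp - rcvd["date"]) > tolerance:
        problems.append(f"log stamp {stamp} vs header date {rcvd['date']}")
    return problems


# Constructed sample data (not from the post).
LOG_LINE = ("Jan 29 16:15:33 mx sendmail[16853]: l0TLFUk4016853: "
            "from=<sender@example.com>, size=9385, class=0, nrcpts=1, "
            "msgid=<20070129211530.GA4242@example.com>, proto=ESMTP, daemon=MTA, "
            "relay=mail.example.com [192.0.2.25]")
MSGID = "<20070129211530.GA4242@example.com>"
GOOD_RECEIVED = ("Received: from mail.example.com (mail.example.com [192.0.2.25])\n"
                 "\tby mx.example.net (8.13.8/8.13.8) with ESMTP id l0TLFUk4016853\n"
                 "\tfor <list@example.net>; Mon, 29 Jan 2007 16:15:33 -0500")
# A forged header: different relay IP, different queue ID, date two hours off.
FORGED_RECEIVED = ("Received: from mail.example.com (mail.example.com [198.51.100.7])\n"
                   "\tby mx.example.net (8.13.8/8.13.8) with ESMTP id l0TJAAab000042\n"
                   "\tfor <list@example.net>; Mon, 29 Jan 2007 14:10:10 -0500")

if __name__ == "__main__":
    print("genuine:", cross_check(LOG_LINE, GOOD_RECEIVED, MSGID))
    for p in cross_check(LOG_LINE, FORGED_RECEIVED, MSGID):
        print("forged: ", p)
```

The point of decoding the queue ID is that it is a second, independent record of when and by which process the envelope was created; a forged log line or header that copies a queue ID from elsewhere has to match the UTC timestamp and PID embedded in it as well as the syslog stamp and the `sendmail[pid]` prefix, which is exactly the kind of extra consistency a forger tends to get wrong.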


