[no subject]

[scot <scot -at- HCI -dot- COM -dot- AU>]

>      Colleagues,

>         I have been living under a rock on Mars for the last few years, so
>      forgive me if I don't seem to be getting it -- but isn't it impossible
>      for a message poster to hide his return address, except by going to
>      such lengths as to send it to a message re-poster, who can strip the
>      message of the information that identifies its origin before
>      forwarding it?  Failing such strenuous measures, how does one hide
>      one's return address?


Generally, you can't, unless you are prepared to impersonate a machine, and
it takes some doing to do it properly. I mean, its fairly trivial to, if I
wanted to, configure my Windows PC here to thinks its, oh say
SMTPGATE.TESSERACT.COM, and tell my mailer program (Eudora) that I'm Mark I
Halpern <Mark_Halpern -at- SMTPGATE -dot- TESSERACT -dot- COM>, but then it would send the
message right up to the MTA (Mail Transport Agent) at devi.hci.com.au, my
mail gateway, which would immediately stamp its presence into the headers
(and in this case, generate a message ID with 'devi.hci.com.au' in the ID!).

Even if I chose to configure Eudora (my mailer) to pass the mail over to an
MTA on some other machine (lets say a large nearby host like
metro.ucc.su.oz.au or even something far away like mail.netcomm.com), I'm
still identified because those very same headers would also contain my -IP-
number. IP numbers are not so easy to impersonate ("packet spoofing"), but
its not impossible -- but if you -could- do that there are probably more
worthwhile, fun, and far more destructive things you could do with your
fiendish knowledge than spam a mailing list with flame bait.

Anyway, I couldn't probably then impersonate TO anything outside of what's
under my own personal control here, as the routing will be broken,
everything outside my own domain will only route 203.13.90.0 to this
network, if I impersonate, ohh say 202.12.88.99 to metro.ucc.su.oz.au then
it will route the return packets elsewhere (actually to a machine of mine at
home) and the attempted SMTP hack will not work. (Packet spoofing attacks
usually rely on one-way connections, you just have to get the spoofed packet
TO the machine being attacked, return packets are not needed, and this
cannot work for a protocol like SMTP which requires a fair bit of mutual
greeting to work). But I am no security expert so I'm not giving any
guarantees. ;^).

It's also possible that this forging is happening via someone's Netscape (in
fact that would be my bet, some misanthrope who has discovered that you
needn't put a -REAL- address in the 'identity' field), but the same
conditions apply.

The other possibility is it's being forged in the bit.listserv. newsgroup,
but then its a simple matter of finding the message in the newsgroup and
checking out its headers -- you can use the Path: line to work out which is
the first legitimate host even if the posting host is forged, which at least
gives some clues. Perhaps the mailing software can be configured to ignore
posts coming in from the newsgroup if they have an email address of one of
the mail list subscribers?

Eric: Can the listserv be configured to _preserve_ the path the message
travels through to get to the list software? I know majordomo (another
mailing list package) can do this. If already so, then at least part of the
answer as to who the message forger is lies in the headers (as I get the
digest, this stuff is stripped, but people who get the 'proper' list can at
least work out _where_ it came from).

Most mailers automatically hide this gumpf from the user so there's no need
for anyone to see it without wanting to.

ciao, scot.
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
#include witty.quote.here.                 HCI Consulting, Sydney, AU
#include std.disclaimer.                       http://www.hci.com.au/
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-