[uanog] Re: sendmail's faked headers

Hello, On Wed, Nov 02, 2005 at 09:01:38AM +0200, Maxim Tuliuk wrote: MT> Вот получил жалобы на клиента, но у него версии sendmail какая указана MT> в header нету, nat и squid закрыты для внешнего мира - что может быть? Подделка. Это видно как минимум по двум признакам: - формат queue id не соответствует sendmail'у; - время в Received sendmail'а должно содержать имя TZ. Тут указано просто смещение относительно UTC. MT> [ Offending message ] MT> Received: from unknown (192.168.1.103) MT> by blade6.cesmail.net with QMQP; 1 Nov 2005 09:23:35 -0000 MT> Received: from vmx3.mail.widexs.nl (213.206.122.202) MT> by mx53.cesmail.net with SMTP; 1 Nov 2005 09:23:34 -0000 MT> Received: from [213.206.122.195] (helo=mx1.mail.widexs.nl) MT> by vmx3.mail.widexs.nl with esmtps (TLSv1:AES256-SHA:256) MT> (Exim 4.44) MT> id 1EWsLq-0003l1-FO MT> for x; Tue, 01 Nov 2005 10:22:42 +0100 MT> Received: from [193.109.60.78] (helo=realkiev.com.ua) MT> by mx1.mail.widexs.nl with smtp (Exim 4.44) MT> id 1EWsLq-0000Y3-3S MT> for x; Tue, 01 Nov 2005 10:22:42 +0100 MT> Received: from mgate.chello.at (mgate.chello.at [213.46.255.2]) MT> by realkiev.com.ua (8.12.11/8.12.11) with ESMTP id tnQl1Cri2VCyHF MT> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ MT> for <x>; Tue, 1 Nov 2005 04:23:16 -0500 MT> Received: from linx (6.248.240.119) MT> by mgate.chello.at (qmail-ldap-1.03) with SMTP MT> for <x>; Tue, 1 Nov 2005 04:23:16 -0500 MT> Received: (qmail 28513 invoked from network); 1 Nov 2005 14:31:45 -0000 MT> Received: from unknown (66.218.66.216) MT> by m7.grp.scd.yahoo.com with QMQP; 1 Nov 2005 14:31:45 -0000 MT> Received: from unknown (HELO realkiev.com.ua) (193.109.60.78) MT> by mta1.grp.scd.yahoo.com with SMTP; 1 Nov 2005 14:31:44 -0000 MT> Received: from ironport01.ewr.datapipe.net MT> by realkiev.com.ua (8.9.3/8.9.3) with SMTP id dUPHN7U69ouL MT> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ MT> for <x>; Tue, 1 Nov 2005 09:32:17 -0500 MT> Received: from ensim (123.167.39.36) MT> by ironport01.ewr.datapipe.net (8.12.3 da nor stuldap/8.12.3) with SMTP id bcEVYNT9Cwrj MT> for <x>; Tue, 1 Nov 2005 09:32:17 -0500 MT> Received: (qmail 1611 invoked from network); 31 Oct 2005 20:48:57 -0000 MT> Received: from unknown (HELO outbound28-2.lax.untd.com) (10.130.26.58) MT> by scanmaildb02.lax.untd.com with SMTP; 31 Oct 2005 20:48:57 -0000 MT> Received: (qmail 15502 invoked by uid 514); 31 Oct 2005 20:48:57 -0000 MT> X-Issue-Tag: .catch_spam_mail MT> Delivered-To: support-netzero-net-spamdesk-spam@support.netzero.com MT> Received: from webmail10.lax.untd.com (webmail10.lax.untd.com [10.131.27.150]) MT> by mp03.lax.untd.com with SMTP id AABBYPAZFABAGG3S MT> for (sender <X>); MT> Mon, 31 Oct 2005 12:47:33 -0800 (PDT) MT> X-UNTD-OriginStamp: QoD8nvBD4Y2XoIL2PStDwxwHx0wnu0oGExnzFIw3a8bOJkhFP+J1Vg== MT> Received: (from X) MT> by webmail10.lax.untd.com (jqueuemail) id K8NVX9QZ; Mon, 31 Oct 2005 12:46:36 PST MT> Received: from mx05.lax.untd.com (mx05.lax.untd.com [10.130.24.65]) MT> by maildeliver13.lax.untd.com with SMTP id AABBYNP8GA5T22S2 MT> for <X> (sender ); MT> Mon, 31 Oct 2005 07:27:03 -0800 (PDT) MT> Received: from 193.109.60.78 (realkiev.com.ua [193.109.60.78]) MT> by mx05.lax.untd.com with SMTP id AABBYNP8GADR3SRA MT> for <X> (sender ); MT> Mon, 31 Oct 2005 07:27:02 -0800 (PDT) MT> Received: from mail.amico.com (mail.amico.com [209.217.88.194]) MT> by 193.109.60.78 (8.12.11/8.12.11) with ESMTP id 9Uhs7MCqisYiEC MT> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ MT> for <X>; Mon, 31 Oct 2005 10:28:13 -0500 MT> Received: from unknown (36.127.143.25) MT> by mail.amico.com (qmail-ldap-1.03) with SMTP MT> for <X>; Mon, 31 Oct 2005 10:28:13 -0500 MT> -- MT> Maxim Tuliuk MT> WWW: http://primats.org.ua/~mt/ MT> ICQ: 21134222 -- Vsevolod Volkov (VVV-UANIC) =================================================================== uanog mailing list. To Unsubscribe: send mail to majordomo@uanog.kiev.ua with "unsubscribe uanog" in the body of the message