Where did that spam come from?

Here are headers from a typical spam:

(image: the full headers of the spam message)
This spam was advertising a pornographic web site.

How do we read the headers?

  1. We read the headers from the bottom up. Each mail server that handles the message adds its own Received: line at the top, so the bottom line is the oldest and the top line is the one written by our own server.
    • SMTP, as spammers use it, provides no user authentication. The server does not care if you lie and tell it you are a user that does not exist on this (or any other) system. This is why a spam often looks as if it is from a strange account name, and why your reply bounces: the spammers do not want to be found, at least via e-mail.
    • Note that to send an e-mail through a system, you do not have to authenticate as a user on that system. The only thing the receiving server knows for certain is the IP address of the host that opened the TCP connection to it.
    • What many SMTP servers do perform is an identification lookup on the connecting host; see the treatment of AUTH (ident) below. That lookup is not host authentication either.
  2. We can only believe things that are contained within [ ] square brackets.
    • The bracketed IP address in a Received: line is the address of the peer that opened the TCP port 25 connection, as seen by the receiving server's own TCP stack. Everything else on that line (the name announced in HELO, the sender address) was supplied by the client and can be anything it chooses.
    • Note that in the capture of the TCP session, an auth packet is sent FROM the server to the client. AUTH is the Identification Protocol (RFC 1413), usually called 'ident' or 'identd'. It runs on TCP port 113. When a host accepts a connection (here on port 25), it may connect back to port 113 on the client and ask which user on the client owns the connection between client port X and server port Y. The client host answers with a user name of its own choosing. It is not a kind of traceroute and it does not verify the client's address; sendmail and other mail servers simply make the query and record the reply in the Received: line as "ident-user@host".
    • Note that my host (10.1.2.75) sends a RST packet back, which is the correct thing for it to do: it tells the server at once that no ident service is listening, and the SMTP session proceeds. If a netadmin silently drops incoming port 113 instead of rejecting it, the mail server sits waiting for its ident query to time out before it continues, so connections to SMTP servers (and to other services that make ident queries, such as IRC servers) appear to hang for a while. Ident does nothing to prevent TCP hijacking or man-in-the-middle attacks, and HTTPS servers do not use it.
    • Whether the ident request is answered with a reply or with a RST, the SMTP server records the IP address of the connecting host within [square brackets]. That address is, for all practical purposes, the origination point of this TCP port 25 connection: it can be trusted because the client cannot change what address the server's kernel saw, not because of anything ident did.
    • IMPORTANT!
      The above assumption may no longer be valid. (I thank the student who showed me this article; the web site is no longer valid.) It appears that a group of Polish hackers who are running a business will, for a fee of $1500/mo, provide you with the 'service' of hijacking TCP sessions for you. I have been looking around and have not at this time found any really good explanation of how they are doing this, but it appears that they have taken and hacked BIND, which will rotate your host virtually all over the net, thereby making the AUTH work but quickly moving the host AFTER its TCP session. I believe that in order for this to work they also have to hijack your TCP session and move it around on the Net to where your host really resides.
  3. We can determine where the e-mail originated by finding the first IP address that is within square brackets, reading the headers from the bottom up. One caveat: the sender can type any number of fake Received: lines into the message before sending it, and those sit at the bottom, below the genuine ones. So start from the top line, which our own server wrote, and follow the chain downward: the bracketed address on each line should belong to the host named as the "by" host on the line beneath it. The bracketed address at the point where the chain stops making sense is the origin, and anything below it was written by the spammer.
  4. We continue reading the headers up, which shows us the various SMTP servers that the message came through.
  5. How do we know if it is an open relay?
    • A host MAY relay mail, but a host should only relay mail from a domain that it has a trust relationship with.
    • If you have an open relay that the spammers are using, at the very least your bandwidth is being stolen, and your server's address is likely to end up on relay blacklists.
    • A whois lookup should reveal whether the machine that relayed mail for another has a business relationship with it and should be configured as a relay. If the originating host and the relay belong to unrelated organizations, the relay is probably open.
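An added example, not from the original page, of the ident (AUTH) exchange described in step 2, written in Python. A throw-away identd bound to a loopback port stands in for the spammer's host, and the lookup function plays the mail server's part: it connects back to the ident port and asks who owns the client end of a hypothetical port 25 session. The port numbers and the user name are made up. The point it makes is that the answer is whatever the queried host feels like saying, which is why the reply recorded in a Received: line is not evidence of anything:

```python
import socket
import threading


def ident_request(port_on_queried_host: int, port_on_asking_host: int) -> bytes:
    """RFC 1413 query line: '<port on the host being asked> , <port on the asker>'."""
    return f"{port_on_queried_host} , {port_on_asking_host}\r\n".encode()


def parse_ident_reply(line: str) -> dict:
    """Parse '<p1> , <p2> : USERID : <opsys> : <user>' or '<p1> , <p2> : ERROR : <code>'."""
    fields = [f.strip() for f in line.strip().split(":", 3)]
    if len(fields) < 3:
        raise ValueError("malformed ident reply: %r" % line)
    p1, p2 = (int(p) for p in fields[0].split(","))
    if fields[1] == "USERID" and len(fields) == 4:
        return {"ports": (p1, p2), "status": "USERID", "opsys": fields[2], "user": fields[3]}
    return {"ports": (p1, p2), "status": "ERROR", "code": fields[2]}


def run_fake_identd(answer_user: str):
    """Minimal identd (stand-in for the connecting host) that answers one query
    with whatever user name it is told to. Returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # ephemeral port instead of the real 113
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            query = conn.recv(256).decode().strip()
            # The queried host decides the content of the reply entirely on its own.
            conn.sendall(f"{query} : USERID : UNIX : {answer_user}\r\n".encode())
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


def ident_lookup(host: str, ident_port: int, client_port: int, server_port: int,
                 timeout: float = 3.0) -> dict:
    """What a mail server does after accepting a port 25 connection: connect back
    to the client's ident port and ask who owns the client end of that session."""
    with socket.create_connection((host, ident_port), timeout=timeout) as s:
        s.sendall(ident_request(client_port, server_port))
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = s.recv(512)
            if not chunk:
                break
            buf += chunk
    return parse_ident_reply(buf.decode())


def demo(claimed_user: str = "postmaster") -> dict:
    """Run one exchange against the fake identd and return the parsed reply."""
    port, t = run_fake_identd(claimed_user)
    try:
        # Hypothetical session: client port 40000 talking to our port 25.
        return ident_lookup("127.0.0.1", port, client_port=40000, server_port=25)
    finally:
        t.join(timeout=3)


if __name__ == "__main__":
    print(demo("nobody-you-know"))
```

A real identd on a multi-user Unix box that looks up the socket owner in its own kernel tables is only as honest as that box's administrator; a spammer's own machine, or a server running a compromised identd, returns any string at all. Rejecting the query with a RST, as the host in the capture did, is the correct default for a site that does not want to advertise user names.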
In the headers above, 210.199.58.26 was used as a relay. To find out where the originating address, 62.163.0.97, came from, run the whois command:

whois -h whois.ripe.net 62.163.0.97



Note that here I used the RIPE (European) whois service. How do you know which server to ask? If you know, just by looking at the IP address, that it is in a range allocated in Europe, you would use RIPE. Otherwise, if you query a whois server for an IP address that resides in a different registry's database, the whois server will tell you to try another whois server and will give you its name (or at least the name of the registry, such as krnic); you then query that server as whois.krnic.net.
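As an added example, not part of the original page, here is the bottom-up reading of steps 1 to 5 applied programmatically in Python to a constructed message. The host names and addresses in the sample are hypothetical (RFC 5737 documentation ranges) and are not the ones in the headers shown above. The script unfolds the Received: lines, pulls the bracketed peer address out of each, walks the chain down from our own server, and stops where a line claims to have been written by a host that the line above did not receive from; everything below that point was already inside the message when it arrived and is treated as forged.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample message (not the headers shown on the page). Addresses are
# from the RFC 5737 documentation ranges and every host name is hypothetical.
# The bottom Received: line is one the spammer prepended himself: it claims to
# have been written by a host that never appears in the chain above it.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [203.0.113.26])
    by mail.example.edu (8.9.3/8.9.3) with ESMTP id QAA12345
    for <victim@example.edu>; Tue, 14 Nov 2000 16:02:11 -0500
Received: from dialup97.example.org (dialup97.example.org [198.51.100.97])
    by relay.example.net (8.9.3/8.9.3) with SMTP id VAA54321;
    Tue, 14 Nov 2000 22:01:50 +0100
Received: from mail.bigisp.example (mail.bigisp.example [192.0.2.5])
    by smtp.trusted-isp.example with SMTP id 1; Tue, 14 Nov 2000 21:59:00 +0100
From: freestuff@example.com
Subject: FREE PICS!!!

(body)
"""

RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"           # name the client announced in HELO (unverified)
    r"(?:\s*\((?P<tcpinfo>[^)]*)\))?"   # what the receiving server saw: rDNS [peer IP]
    r".*?\bby\s+(?P<by>\S+)",           # the server that wrote this line
    re.IGNORECASE | re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # IPv4 only, as in the era's headers


@dataclass
class Hop:
    helo: str             # the client's own claim
    rdns: Optional[str]   # reverse DNS the server recorded, if any
    ip: Optional[str]     # the bracketed peer address: the one thing the client cannot choose
    by: str               # server that added the line
    raw: str


def parse_received(message: str) -> list:
    """Return the Received: hops in header order (newest, i.e. closest to us, first)."""
    headers = message.split("\n\n", 1)[0]
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)   # join folded continuation lines
    hops = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        value = line.split(":", 1)[1].strip()
        m = RECEIVED_RE.match(value)
        if not m:
            continue
        tcpinfo = m.group("tcpinfo") or ""
        ipm = IP_RE.search(tcpinfo)
        rdns = None
        name_part = tcpinfo.split("[", 1)[0].strip()
        if name_part:
            rdns = name_part.rsplit("@", 1)[-1]        # drop a sendmail "ident-user@" prefix
        hops.append(Hop(helo=m.group("helo"), rdns=rdns,
                        ip=ipm.group(1) if ipm else None, by=m.group("by"), raw=value))
    return hops


def trace_origin(hops: list, my_server: str) -> dict:
    """Follow the chain from our own server downward. Each trusted line names, in
    its bracketed IP and rDNS, the host that handed it the message; the next line
    down must have been written by that same host. Where that link breaks, every
    line below was already present when the mail reached the trusted hop, so it
    was written (or forged) by the sender and cannot be believed."""
    trusted, writer = [], my_server.lower()
    forged = list(hops)
    for hop in hops:
        if hop.by.lower() != writer or hop.ip is None:
            break
        trusted.append(hop)
        forged = forged[1:]
        writer = (hop.rdns or hop.helo).lower()
    if not trusted:
        return {"origin_ip": None, "relays": [], "forged": forged}
    return {
        "origin_ip": trusted[-1].ip,               # first bracketed IP, bottom-up, within the trusted run
        "relays": [h.ip for h in trusted[:-1]],    # servers that carried it to us
        "forged": forged,
    }


if __name__ == "__main__":
    result = trace_origin(parse_received(SAMPLE_MESSAGE), "mail.example.edu")
    print("origin:", result["origin_ip"], "via relays:", result["relays"])
    for hop in result["forged"]:
        print("untrusted line:", hop.raw[:70])
```

The origin_ip it returns is the address you hand to whois; the relays list is what you check for a business relationship with the origin. A spammer who forges consistent-looking lines (matching "by" and "from" names) defeats the continuity check, which is why the bracketed address on the lowest line your own trusted servers wrote is still the only fact you can stand on.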

There is a very good automated whois lookup page at:
Geektools

The disadvantage of using an automated lookup tool is that if you do too many lookups on one of these pages, your domain will be blocked, because the operators are trying to keep people from 'harvesting' e-mail addresses through them.

whois servers worldwide: