[Gllug] Spoofing?

Robert J. McKay robert at mckay.com
Sun Oct 14 12:31:25 UTC 2001


On Sun, 14 Oct 2001, Chris Bell wrote:

>    If you compare full headers from the genuine and spoofed mails, they are
> very different, despite attempts to copy lines. I thought someone was
> trawling the list some time ago, so I started including root at 127.0.0.1 in my

root at 127.0.0.1 isn't valid and wouldn't be delivered anyway. The correct
addressing would be root@[127.0.0.1] however it's unlikely the mailer
would take delivery of email for 127.0.0.1. Some mailers have taken to not
honoring IP based email addresses at all due to the fact that they're
"mostly used by spammers". They don't really have a use but IP based
emails can be handy for sending a quick email somewhere you don't have
a proper mail setup.

Extending the idea even further you can do the same fun tricks as with
urls by writing the IP in hex or even decimal notation:

robert@[0x4227328c] 

(this still works.. I just tried it. but a lot of people probably won't be
able to mail to it as their local MTA will reject it ;)

and possibly you can even do:

robert@[010211631214]

The hex and decimal notation IPs never worked on all MTAs tho and I don't
think they're permitted in the RFCs they just happen to work with sendmail
and a few other popular MTAs. The actual IP based emails ARE part of the
RFCs tho' but for example Exim comes with IP emails disabled by default
and a strongly worded comment telling you not to enable it.

# If you want to accept mail addressed to your host's literal IP address, for
# example, mail addressed to "user@[111.111.111.111]", then uncomment the
# following line, or supply the literal domain(s) as part of "local_domains"
# above. You also need to comment "forbid_domain_literals" below. This is not
# recommended for today's Internet.

 local_domains_include_host_literals

I expect these addresses will gradually stop working and eventually
disappear as a result.

> sig file hoping to direct some junk mail to anyone in charge of the source
> network. This raised a few objections, so I stopped.

> Chris Bell

Robert McKay.


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
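
Added example (not part of the original post, and not code from any MTA): a mail filter check that tells a standard dotted-quad domain literal such as user@[127.0.0.1] apart from the hex and leading-zero forms shown in the message, and resolves each to the IP it really points at. The function names are hypothetical and the permissive parsing rules are an assumption modelled on inet_aton-style behaviour (0x prefix = hex, leading 0 = octal); the sample addresses are the ones from the post.

```python
import ipaddress
import re

OCTET = r"(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
STRICT_QUAD = re.compile(rf"{OCTET}(\.{OCTET}){{3}}")   # plain a.b.c.d only
PART = re.compile(r"0x[0-9a-f]+|[0-9]+")

def _part(text):
    """Parse one component as a permissive parser would (assumed rules)."""
    low = text.lower()
    if not PART.fullmatch(low):
        raise ValueError(text)
    if low.startswith("0x"):
        return int(low, 16)
    if len(low) > 1 and low[0] == "0":
        return int(low, 8)          # raises ValueError on digits 8 or 9
    return int(low)

def loose_ipv4(text):
    """Return the IPv4Address a permissive parser would resolve, or None."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        *head, last = [_part(p) for p in parts]
    except ValueError:
        return None
    # Leading parts are single octets; the last part fills the remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def classify(address):
    """Return (kind, ip): kind is standard, nonstandard, invalid or not-literal."""
    local, _, domain = address.rpartition("@")
    if not (local and domain.startswith("[") and domain.endswith("]")):
        return ("not-literal", None)
    inner = domain[1:-1]
    if STRICT_QUAD.fullmatch(inner):
        return ("standard", ipaddress.IPv4Address(inner))
    ip = loose_ipv4(inner)
    return ("nonstandard", ip) if ip is not None else ("invalid", None)

if __name__ == "__main__":
    for addr in ("root@[127.0.0.1]", "robert@[0x4227328c]",
                 "robert@[010211631214]", "root@127.0.0.1"):
        print(addr, classify(addr))
```

A filter can reject or log anything classified as nonstandard while still comparing the resolved IP against its own host or block lists.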
