
List:       focus-virus
Subject:    Re: Re: spoofed source addresses
From:       Michel Messerschmidt <lists () michel-messerschmidt ! de>
Date:       2002-08-07 19:54:51

On Tue, Aug 06, 2002 at 12:18:22PM -0700, silence@hush.com wrote:
>
> My idea was never intended to be a cure-all. I still maintain that it
> could be useful as part of a spam/virus detection system, where an    
> IP/domain mismatch would be one of several characteristics flagged as
> "potentially suspicious". Different suspicion scores would result in 
> different actions. For example, matching a known viral sig would be 
> pretty damn suspicious, or if the IP doesn't match the sending domain
> *and* messages with identical checksums were sent in the last x hours to
> y number of local users, etc.  Perhaps I could have been more clear in   
> my original description that this is just an *idea* that is *part* of a 
> larger system. 
> 
> *Helpful, non-abusive* suggestions or ideas welcomed.

IMHO it would be useful to do such mismatch detection for your own local 
domain.
While better firewalls can prevent external connection attempts claiming to 
come from the local net, they are based only on IP addresses and network 
interfaces. 

To detect faked mails claiming to come from your local domain (think of 
'delivery failure' messages sent by Yaha using false FROM hostnames), it 
would be useful to compare the given hostname with your (known) local IP 
range on the mailserver and deny delivery if it doesn't match (of course 
only for hostnames considered local). 

Any other mismatch detection is most likely not reliable enough (it's even a 
matter of how trustworthy nameservers are). 

Just my 0.02$,
Michel 

 --
Michel Messerschmidt
9messers@informatik.uni-hamburg.de
http://www.michel-messerschmidt.de 
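The local-domain mismatch check Michel describes above, as an added illustration that is not code from the thread or from any mail server: the local domain list, the local IP ranges and the sample connections are constructed assumptions, and a real deployment would load them from the MTA's configuration.

```python
import ipaddress

# Constructed example configuration (assumptions for this illustration):
# domains we treat as "local", and the IP ranges from which mail claiming
# to be from those domains is legitimately submitted.
LOCAL_DOMAINS = {"example.org", "mail.example.org"}
LOCAL_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def claimed_domain(hostname_or_address: str) -> str:
    """Reduce a HELO hostname or a 'user@host' address to its host part, lowercased."""
    host = hostname_or_address.rsplit("@", 1)[-1]
    return host.strip().rstrip(".").lower()


def is_local_domain(domain: str) -> bool:
    """True if the claimed domain is one we consider our own (exact or subdomain)."""
    return any(domain == d or domain.endswith("." + d) for d in LOCAL_DOMAINS)


def is_local_ip(ip_text: str) -> bool:
    """True if the connecting peer address falls inside a known local range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable peer address is never treated as local
    return any(addr in net for net in LOCAL_NETWORKS)


def check_local_mismatch(claimed: str, peer_ip: str) -> tuple:
    """Decide whether to accept a connection claiming to be from `claimed`.

    Only hostnames considered local are checked, as the post suggests; anything
    else is accepted here and left to other detection layers.
    Returns (verdict, reason) with verdict 'accept' or 'reject'.
    """
    domain = claimed_domain(claimed)
    if not is_local_domain(domain):
        return ("accept", "not a local domain; mismatch check does not apply")
    if is_local_ip(peer_ip):
        return ("accept", "local domain from a local address")
    return ("reject", "%s claimed from non-local address %s" % (domain, peer_ip))
```

A forged 'delivery failure' from `MAILER-DAEMON@example.org` arriving from an outside address is rejected, while the same claim from inside the local range, or any claim for a non-local domain, passes through to the other checks.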
