[Exim] Hiding Source IP in RFC 822 Mail headers

Author: Jason Ostrom
Date:  
To: exim-users
Subject: [Exim] Hiding Source IP in RFC 822 Mail headers
Exim Experts:

I was wondering if there was some sort of technical countermeasure for
detecting when an abuser has modified the source IP address in the RFC
822 mail header.

For example, just today we received an unsolicited, malicious email
from what appears to be an AOL subscriber. In the expanded headers,
pasted below, it appears that the sender has somehow hidden the source
IP. I don't think this is the W32/Bugbear malicious code; it looks
more deliberate. I don't think that the Bugbear code actually modifies
the source IP in the header, but I could be wrong.

How could I use my Exim MTA to do error detection, correction, or
notification of this, or is there no way of getting around this when
the sender's UA or MTA has modified the headers?

Here are the headers below. I don't think I am missing anything:

Return-path: <BLACKSMURF134@???>
Envelope-to: custserv@???
Delivery-date: Fri, 11 Oct 2002 15:29:05 -0500
Received: from [64.12.136.7] (helo=imo-m04.mx.aol.com)
        by mail.natelnetwork.com with esmtp (Exim 4.05)
        id 1806PB-0005yi-00
        for custserv@???; Fri, 11 Oct 2002 15:29:05 -0500
Received: from BLACKSMURF134@???
        by imo-m04.mx.aol.com (mail_out_v34.13.) id q.1a6.a14f021 (4246)
         for <custserv@???>; Fri, 11 Oct 2002 16:29:07 -0400 (EDT)
From: BLACKSMURF134@???
Message-ID: <1a6.a14f021.2ad88e93@???>
Date: Fri, 11 Oct 2002 16:29:07 EDT
Subject: PISS OFF
To: custserv@???
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="part1_1a6.a14f021.2ad88e93_boundary"
X-Mailer: AOL 7.0 for Windows US sub 10629
X-UIDL: WTd"!(Oi!!pTJ"!00o!!
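As an added example (not part of the original post or of Exim), the following Python script parses the Received chain quoted above and reports, for each hop, the claimed sender, the stamping host and whether a literal connecting IP is recorded. It assumes a `local_host` argument naming the recipient's own MTA; only the line that MTA stamped itself is marked trusted, since every earlier hop was written by another system and can only be reported on, not verified or corrected, from the header alone.

```python
import re

# Constructed sample input: the two Received lines quoted in the post above
# (the list archive masked address domains as "???"; they are kept as-is).
SAMPLE_HEADERS = """\
Received: from [64.12.136.7] (helo=imo-m04.mx.aol.com)
        by mail.natelnetwork.com with esmtp (Exim 4.05)
        id 1806PB-0005yi-00
        for custserv@???; Fri, 11 Oct 2002 15:29:05 -0500
Received: from BLACKSMURF134@???
        by imo-m04.mx.aol.com (mail_out_v34.13.) id q.1a6.a14f021 (4246)
         for <custserv@???>; Fri, 11 Oct 2002 16:29:07 -0400 (EDT)
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")      # bracketed literal IP
FROM_BY = re.compile(r"^from\s+(\S+).*?\bby\s+(\S+)")    # "from X ... by Y"


def unfold(headers: str) -> list[tuple[str, str]]:
    """Join RFC 822 continuation lines (leading whitespace) into (name, value) pairs."""
    fields: list[tuple[str, str]] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def received_hops(headers: str, local_host: str) -> list[dict]:
    """One dict per Received header, most recent hop first.
    'trusted' is True only for the line stamped by the local MTA (named after
    'by'); earlier hops come from other systems and cannot be verified here."""
    hops = []
    for name, value in unfold(headers):
        if name.lower() != "received":
            continue
        m, ip = FROM_BY.match(value), IPV4.search(value)
        hops.append({"from": m.group(1) if m else None,
                     "by": m.group(2) if m else None,
                     "ip": ip.group(1) if ip else None,
                     "trusted": bool(m) and m.group(2).lower() == local_host.lower()})
    return hops


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_HEADERS, "mail.natelnetwork.com"):
        status = "trusted   " if hop["trusted"] else "unverified"
        print(f"{status} from={hop['from']} by={hop['by']} ip={hop['ip'] or '(none)'}")
```

Run against the sample, the AOL-stamped hop is reported as unverified with no recorded IP, which is exactly the condition the post asks about; the script can only surface it, not recover the missing address.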