Read e-mail headers to determine forgery

By debate
How does your organization handle unsolicited e-mail? What solutions do you suggest? How big of an issue is spam for your company? Share your comments about dealing with unsolicited e-mail, as discussed in the June 21 Internet Security Focus e-newsletter.

If you haven't subscribed to our free Internet Security Focus e-newsletter, sign up today!

NO issue

by Oz_Media In reply to Read e-mail headers to de ...

Spam? Gone. Nada, MAYBE one or two a day for an entire organization.

No weapon I would not use against Rome

by Roger99a In reply to Read e-mail headers to de ...

Scenario: 300 users that think Webshots, e-cards and Hotbar are cool. Result: some users get 200 to 300 spams a day.

I have spent countless hours poring over email headers using the reporting capabilities of Symantec's Mail Gateway program. It's a good program with one exception: it cannot block entire subnets by IP address. This can be done at the firewall, but there is no reporting using this method, so I can't prove how much spam has been blocked or check for false positives. I started this after a couple of months using the program in order to get a baseline measurement. Otherwise it's great for showing the CFO the 500 spams he would have gotten this weekend had you not implemented the filter. Reports can be exported to .csv files and viewed/sorted in Excel, which is really handy. Spam can be blocked by domain, subject line or DNSBL lookup. I would suggest setting up an internal DNSBL. It's useful for filtering non-spam advertising and blocking IPs sending virus attacks. My many hours of work have produced a 95%+ reduction in unwanted emails. The low-cost solution would be to set up a Sendmail relay that can be easily configured to check DNSBL lists. I think the results would be about an 80% reduction for very little time, very little cost, no anti-virus and limited if any reporting capabilities.

Time ripe for a major change?

by ChuckR314159 In reply to Read e-mail headers to de ...

I'm neither an email nor a security expert, so maybe this isn't possible, but it seems to me that there is a profitable opportunity for some entity to implement a new approach to email...

I would like to see someone develop a closed email network, or perhaps you'd call it a controlled gateway. The basis for this network would be a very simple rule. Members of the network do not want any emails from a source that is not completely identifiable or traceable. I'm guessing perhaps the identification would occur through the use of certificate authorities. Then somewhere along the line, I can simply block all emails that do not pass through this gateway.

I'd not be blocking spammers, legitimate marketers or anybody from sending me email (at least initially). You can stay in business and try to solicit me. Just so long as you can first prove who and where you are so that I can effectively block you if I don't want any more offers, or I can report you if you do something dastardly.

I'm sure it would take some time to reach critical mass. But what would otherwise be the feasibility or downside of such an approach?

Two other methods

by Roger99a In reply to Time ripe for a major cha ...

I have seen two other methods that are somewhat similar to what you have proposed. One is a system that requires a successful reverse DNS lookup against the mail server. Another requires anyone who wants to send an email to the system to go to a web page first and register their email address.

Training Your SMTP SPAM Filter

by torque9 In reply to Read e-mail headers to de ...

An added method that I'm very fond of in SPAM filtering software is the ability for the administrator to update and train the filter. This is done by collecting false positive and false negative messages from users or directly from collected message areas in the SPAM filter.
The benefit of this added method is that you meet your organization's specific needs for what qualifies as SPAM messages, as opposed to just relying on the vendor's configuration files to identify SPAM.

how to find the real sender?

by ronald_dai In reply to Read e-mail headers to de ...

Thanks for the very interesting message ("Read e-mail headers to determine forgery" by Jonathan Yarden). But I still have some concern about the example given in the article. The article taught us how to find out if an email is forged by finding out whether the address in "Received" (i.e. in the article) is real. However, how can we know the real original sending address (I am interested in this because I am receiving tons of forged mails, many of them coming with viruses)?

IP Address

by Roger99a In reply to how to find the real send ...

Find the IP address in the message header and check it against the whois at or run an nslookup against it. ARIN will often have useful contact information and I have used it to inform other admins of viruses on their networks.
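The header walk Roger99a describes here (find the connecting IP in the Received chain, then look it up) and the DNSBL lookups he mentions earlier in the thread, as an added example that is not part of the original discussion or of any product named in it. It also answers ronald_dai's question directly: only the Received lines stamped "by" your own servers were written by software you control, so the lowest of those records the IP that actually connected to your edge, and everything beneath it arrived inside the message and may be forged. The sample message, the hostnames and addresses (RFC 5737 documentation ranges), the set of trusted servers and the DNSBL zone name are all constructed assumptions for this example; no network lookups are performed.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample message (not from the thread). Hostnames and addresses
# are documentation values (example.org / example.com, RFC 5737 ranges).
# The two top hops were written by our own servers; the bottom hop arrived
# inside the message and could say anything the sender wanted.
SAMPLE_MESSAGE = """\
Received: from gateway.example.org (gateway.example.org [192.0.2.10])
    by mailbox.example.org with ESMTP id abc123; Mon, 21 Jun 2004 10:00:02 -0400
Received: from mail.example.com (unknown [198.51.100.23])
    by gateway.example.org with SMTP id def456; Mon, 21 Jun 2004 10:00:01 -0400
Received: from trusted.example.com ([203.0.113.5])
    by mail.example.com with ESMTP; Mon, 21 Jun 2004 10:00:00 -0400
From: "Accounts" <accounts@example.com>
To: user@example.org
Subject: constructed sample

body text
"""

# Assumption: these are the organisation's own mail servers. Only Received
# lines stamped "by" one of them were written by software we control.
TRUSTED_HOSTS = {"mailbox.example.org", "gateway.example.org"}

FROM_RE = re.compile(r"^from\s+([^\s(\[]+)", re.I)     # name the client announced (HELO)
RDNS_RE = re.compile(r"\(([A-Za-z0-9.-]+)\s+\[")       # name our server resolved, or "unknown"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # address our server saw on the socket
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)   # server that wrote the line


def _first(pattern, text):
    m = pattern.search(text)
    return m.group(1) if m else None


def parse_received(raw_message):
    """Return one dict per Received header, newest (topmost) first."""
    msg = message_from_string(raw_message, policy=default)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(str(value).split())  # unfold continuation lines
        by = _first(BY_RE, line)
        hops.append({
            "claimed": _first(FROM_RE, line),
            "rdns": _first(RDNS_RE, line),
            "ip": _first(IP_RE, line),
            "by": by.lower() if by else None,
        })
    return hops


def trace_origin(hops, trusted_hosts):
    """Walk down the chain while the recording server is one of ours.

    The last hop we wrote ourselves holds the IP that actually connected to
    our edge server; that is the address worth checking in whois or a DNSBL.
    Every hop beneath it travelled inside the message and is returned
    separately as unverifiable."""
    last_ours = -1
    for i, hop in enumerate(hops):
        if hop["by"] in trusted_hosts:
            last_ours = i
        else:
            break
    if last_ours < 0:
        return None, hops
    return hops[last_ours]["ip"], hops[last_ours + 1:]


def helo_mismatch(hop):
    """True when the name the client announced differs from what our own
    server learned by reverse DNS (Postfix writes 'unknown' when the lookup
    failed). Hops without a recorded reverse name cannot be judged."""
    if hop["rdns"] is None or hop["claimed"] is None:
        return False
    return hop["rdns"].lower() != hop["claimed"].lower()


def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL client resolves for an IPv4 address: octets
    reversed, list zone appended (an A record in the answer means listed)."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 dotted quad expected")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    hops = parse_received(SAMPLE_MESSAGE)
    origin, unverifiable = trace_origin(hops, TRUSTED_HOSTS)
    print("connecting IP seen by our edge server:", origin)
    print("name to query at your DNSBL:",
          dnsbl_query_name(origin, "dnsbl.example.net"))  # placeholder zone
    for hop in hops:
        flag = "  <-- announced name does not match reverse DNS" if helo_mismatch(hop) else ""
        print(f"  by {hop['by']}: from {hop['claimed']} [{hop['ip']}]{flag}")
    print("hops that cannot be verified (arrived inside the message):",
          [h["ip"] for h in unverifiable])
```

Run against the sample, the script reports 198.51.100.23 as the address to feed to whois or nslookup, flags that hop because the client announced mail.example.com while our gateway could not reverse-resolve it, and sets the 203.0.113.5 hop aside as unverifiable since no server of ours wrote it.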