Quote:
jonathans_daddy, so what you're saying is that a malicious user can add as many Received: fields as they want to an email and even attach valid IPs to make it seem like the email did indeed go through mail servers that it never did?
Yes, but some servers (like mine) will refuse to accept the message if there are too many (>25 if memory serves) Received headers, because it assumes the message is bouncing back and forth between a couple of misconfigured servers.
Quote:
Is it possible for a malicious user who received an email from my company at some point to expand the full valid path in the email header, then use any old random mail server, forge in the appropriate Received: fields (that they copied from a valid email my company sent) with valid IPs and mail servers, and create an email that for all practical purposes will appear to have come from within my network?
Yes. Would you like a demonstration? What's your email address?
Quote:
It would seem that if that is indeed the case, the only way to determine if an email originated from within my network would be to actually monitor all outgoing emails (which we currently do) and tracing emails through server transactions, would be utterly pointless.
Log files work well for determining whether a message truly came from within your network.
Quote:
Note: I just thought about something else. Don't the mail servers keep records of transactions? Wouldn't it be possible to take an email, even with Received fields that made it appear as though it came from within my network, and compare it to some database on the actual mail server itself? I know most (if not all) mail servers attach an ID number to the transaction, no?
If your mail server keeps such a database, then yes. Mine doesn't, so I use the log files.
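An added example, not the poster's own code, of what the reply describes: every Received: header that claims the message passed through our server is checked for its queue id in our own log, so a forged hop that never touched the server stands out. The message, the log lines, the Postfix-style log format and the hostnames are all constructed for the example.

```python
import re
from email import message_from_string

# Constructed message: the newest hop has a queue id our log knows about,
# the older "internal" hop carries a queue id our server never issued.
SAMPLE_MESSAGE = """Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.com (Postfix) with ESMTP id 4F1C2A9E3B
\tfor <bob@example.com>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from ws42.example.com (ws42.example.com [192.0.2.42])
\tby mx.example.com (Postfix) with ESMTP id DEADBEEF01
\tfor <bob@example.com>; Mon, 01 Jan 2024 09:59:00 +0000
From: alice@example.com
To: bob@example.com
Subject: test

body
"""

# Constructed log lines in Postfix style; only ids our server handled appear here.
SAMPLE_LOG = """Jan  1 10:00:00 mx postfix/smtpd[1234]: 4F1C2A9E3B: client=relay.example.net[198.51.100.7]
Jan  1 10:00:01 mx postfix/qmgr[100]: 4F1C2A9E3B: from=<alice@example.com>, size=512, nrcpt=1 (queue active)
"""


def check_received(msg_text, log_text, our_host, loop_limit=25):
    """Return (loop_suspect, findings). loop_suspect mirrors the 'too many
    Received headers' rejection; findings lists (queue_id, seen_in_log) for
    every hop that claims 'by our_host', newest hop first."""
    msg = message_from_string(msg_text)
    received = msg.get_all("Received") or []
    loop_suspect = len(received) > loop_limit
    # Postfix queue ids are uppercase hex, followed by a colon in the log.
    logged_ids = set(re.findall(r"\b([0-9A-F]{10,12}):", log_text))
    findings = []
    for hdr in received:
        flat = re.sub(r"\s+", " ", hdr)  # unfold the header
        m = re.search(r"\bby\s+(\S+).*?\bid\s+([A-Za-z0-9]+)", flat)
        if not m or m.group(1).lower() != our_host.lower():
            continue  # not a hop that claims to be our server
        qid = m.group(2)
        findings.append((qid, qid in logged_ids))
    return loop_suspect, findings


if __name__ == "__main__":
    for qid, ok in check_received(SAMPLE_MESSAGE, SAMPLE_LOG, "mx.example.com")[1]:
        print(qid, "in log" if ok else "NOT in log (possible forged hop)")
```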