Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Is this email header an contain an IP spoof that has been spoofed?

  1. #1
    Junior Member
    Join Date
    Feb 2006
    Posts
    8

    Does this email header contain a spoofed IP address?

    I have a yahoo email account and I keep on getting scam emails asking me to go to a scam paypal website and enter my information. When I check the headers of this email I see this as the originating server and ip address...

    from mail.com (86-120-2-152.rdsnet.ro [86.120.2.152] (may be forged)). The server name looks like it's from Romania and a WHOIS search of the ip address shows it someone from Romanina.

    My question is, is this a spoofed IP address? Is that what "may be forged" means? Thank you.

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Well "spoofed" is just the IT term for "forged" in other walks of life, so I suppose the answer to your question is "yes".

    The interesting bit is who/what is suggesting the forgery, and how are they determining this?

    Also, how to wind these guys up?.................I don't know where you are but I would be inclined to visit the site and give them some bogus, but erroneous info.

    Here I would create a paypal account with nothing in it and watch the scam scum try to collect. If they get paid I would not give a crap because fringe operations like paypal are not "licenced credit brokers"..........................Heffner (Playboy) had his UK operation closed because he did not keep an eye on our laws in those areas so even big fish can be fried?


  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    First off all.. SMTP is TCP based. It is very, very difficult (if not impossible) to spoof a fully blown TCP connection across the Internet.. TCP spoofing can be done but it's highly unlikely..

    The "may be forged" refers to the reverse lookup done by the mailserver..
    http://www.sendmail.org/faq/section3.html#3.38
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi SirDice you are certainly on form today

    We have had this "reverse DNS" issue raised in several threads in the past, I believe? A lot of them don't work, so if you set your mailserver to drop them you are probably dropping a fair amount of legitimate mail?

    Hey, maybe we have a "live one" here


  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Checking forward/reverse lookups are nice but... I've noticed a lot of email servers where this doesn't work.. I've also run into several anti-spam solutions that checks to see if the sender is the same as the MX record for that domain. That doesn't work either.. And I'm not even going to mention the performance penalty (2-3 dns lookups per email.. Getting 10 emails a day is doable. Getting 10 every second is a whole other story)..

    The reasons are simple.. At my last job we had these same problems..

    The mail was split up into incoming and outgoing.. Both had different IP addresses.. So the MX record points to the incoming mailserver.. Checking our outgoing server's IP address didn't match with the MX record (the outgoing server wasn't accesseble from the outside).. So "they" thought we were spammers

    The other problem was network based load-balancing.. Different hostnames (injected by the mailserver) coming/going to the same IP address (because of the load-balancers).. This meant forward/reverse lookups didn't work either..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Junior Member
    Join Date
    Feb 2006
    Posts
    8
    Thanks for your replies. Upon further review I think that the IP is probably not spoofed. I just received a scam ebay email that directs me to a scam ebay site. Below is a truncated version of the website address. I will post the entire address if it's permissable (I don't want to be accused of promoting traffic to a scam site).


    http://195.22.226.174/.ws/login/security/index.htm

    IP 195.22.226.174 is traced to Chisinau (a country between the Ukraine and Romania), probably the same guys. Also the header information in the ebay email give me this IP address...

    85.204.159.121

    A whois search of this address also says that it is from Romania. I don't think they are spoofing me. Again, probably the same guys and not a spoof. They found my ebay name and the email associated with my ebay account (and thus my paypal email address).

  7. #7
    Senior Member
    Join Date
    Feb 2002
    Posts
    855
    Also, how to wind these guys up?.................I don't know where you are but I would be inclined to visit the site and give them some bogus, but erroneous info.
    Hey Johnno,
    Are you sure this would be a good idea? Could this confirm for them that they have a "live" email address and set you up for getting a lot more spam? Also, there is no telling what else they may have waiting in store for visitors.
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  8. #8
    Junior Member
    Join Date
    Feb 2006
    Posts
    8
    Originally posted here by preacherman481
    Hey Johnno,
    Are you sure this would be a good idea? Could this confirm for them that they have a "live" email address and set you up for getting a lot more spam? Also, there is no telling what else they may have waiting in store for visitors.
    Correct me if I'm wrong, but I think that they could only do this if I clicked on the link in my email or replied to them. If I simply copy the link from the email it shouldn't be an issue.

  9. #9
    Senior Member
    Join Date
    Feb 2002
    Posts
    855
    Good point. But still, it's possible they might try some other tricks on people visiting their "site" besides stealing personal information.
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  10. #10
    Junior Member
    Join Date
    Feb 2006
    Posts
    8
    Originally posted here by preacherman481
    Good point. But still, it's possible they might try some other tricks on people visiting their "site" besides stealing personal information.
    Ah, I see what you mean... viruses or tracking cookies, right? My OS is patched, my browser is firefox (with very stringent security settings), I have a updated virus scanner and a firewall so I should be okay (I hope).

    I just received two more fake paypal emails and another fake ebay email. Man, what gives?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •