IANA reserved addresses in mail headers

**PacSec** · April 9th, 2004, 05:26 PM

In reviewing the headers on some spam I received I'm finding origination IP addresses in IANA reserved blocks. Aren't these addresses supposed to be blocked from use? Are they spoofed? If so, is there anyway to find the real sending address?

------------------------------------------------------------------------------------------
ex:

Received: from dochristsangareepf61 (incongruity[106.204.168.130])
by worldnet.att.net (nhjlbhs05) with SMTP
------------------------------------------------------------------------------------------

***SirDice*** · April 14th, 2004, 02:10 PM

It's probably spoofed. The last Recieved: header that actually resolves to something is usually the sender. Work your way down from the mailservers you know (most notably the ones from your provider) and trace/verify every Recieved: header.

***slarty*** · April 14th, 2004, 05:11 PM

Not all machines which email travels through need to have public IP addresses; as few as none could do if it's an internal mail.

So no, they need not be spoofed, they could be genuine (but as these IP addresses are not globally unique, they are not helpful in tracing)

slarty

Thread: IANA reserved addresses in mail headers

Thread Tools

Display

IANA reserved addresses in mail headers

Posting Permissions