Christmas spam from RESERVED IANA address block?

JF Mezei jfmezei at vaxination.ca
Thu Dec 25 01:09:19 CST 2008


James Hess wrote:

> RFC1918 addresses should also never be found in mail headers of any
> messages being exchanged over the internet..  


One needs to understand the Received: headers and their order.

Private address space is perfectly legitimate. Very common in the early
part of transport and often seen in the last delivery in large
organisations that have multiple distributed SMTP servers.

What is important is for a recipient to know which Received: header he
can trust.

The only IP addresses you can trust are the ones inside your own
organisation, and the IP address that sent the message to your
organisation. All other Received: headers below that are to be considered
fake unless proven otherwise.

In the above case, it appears that the message arrived within the
organisation from a public IP address, and then was sent to another host
within the organisation via private address space.

It is also important to note that the topmost header was able to reverse
translate the 10.*.*.* IP which implies that it was internal to the
organisation, using an internal DNS server which makes it more
legitimate since it is within that organisation.
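The trust walk described above, as an added example that is not part of
the original post: it takes the Received: headers topmost first, keeps
every hop whose source address is inside the recipient's own networks,
stops at the first outside address (the peer that actually handed the
message over), and treats everything below as unverifiable, private
addresses included. The network ranges and the sample headers are
constructed for the example (RFC 5737 documentation space), not taken
from the message under discussion.

```python
import ipaddress
import re

# Assumption for this example: these ranges belong to the recipient
# organisation. RFC 1918 space is legitimate here because it is our own
# transport; the public range stands in for our MX (RFC 5737 documentation
# space, constructed).
OUR_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# The connecting peer's address as the receiving MTA recorded it:
# "from host (name [203.0.113.9])" or "from [203.0.113.9] (helo=...)".
_SRC_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def source_ip(received):
    """Return the first bracketed IP in a Received: header, or None.

    The first bracketed address belongs to the 'from' clause; 'by'
    clauses rarely carry one, so clause structure is not parsed here.
    """
    m = _SRC_IP.search(received)
    if m is None:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def classify_received(headers, our_networks=OUR_NETWORKS):
    """Split Received: headers (topmost first) by how far we can trust them.

    Walking down from the top: every hop whose source address lies in our
    own networks was written by our own MTAs ("internal"). The first hop
    from an outside address is the peer that handed the message to us
    ("handoff"); its IP is real because our MTA observed the connection.
    Everything below was written by someone else and is treated as forged
    unless proven otherwise, including any private addresses it contains.
    A header we cannot parse ends the trusted region conservatively.
    """
    result = {"internal": [], "handoff_ip": None,
              "handoff_header": None, "untrusted": []}
    for hdr in headers:
        if result["handoff_header"] is not None:
            result["untrusted"].append(hdr)
            continue
        ip = source_ip(hdr)
        if ip is not None and any(ip in net for net in our_networks):
            result["internal"].append(hdr)
        else:
            result["handoff_ip"] = ip          # None if unparseable
            result["handoff_header"] = hdr
    return result


# Constructed sample, topmost header first, as the recipient's mailbox
# shows it. Hop 3 carries an RFC 1918 address below the handoff, which is
# exactly the case where it cannot be verified.
SAMPLE_HEADERS = [
    "Received: from relay.internal.example.net"
    " (relay.internal.example.net [10.20.30.40])"
    " by mailstore.example.net with ESMTP id 4C1;"
    " Thu, 25 Dec 2008 01:05:00 -0500",
    "Received: from smtp.isp.example (smtp.isp.example [198.51.100.7])"
    " by mx1.example.net with ESMTP id 3B0;"
    " Thu, 25 Dec 2008 01:04:58 -0500",
    "Received: from [10.0.0.5] (helo=mail.bank.example)"
    " by smtp.isp.example with SMTP id 2A9;"
    " Thu, 25 Dec 2008 01:04:50 -0500",
    "Received: from bank.example (unknown [203.0.113.9])"
    " by mail.bank.example with SMTP;"
    " Thu, 25 Dec 2008 01:04:40 -0500",
]

if __name__ == "__main__":
    r = classify_received(SAMPLE_HEADERS)
    print("internal hops :", len(r["internal"]))
    print("handed off by :", r["handoff_ip"])
    for h in r["untrusted"]:
        print("untrusted     :", h[:60])
```

The one thing the walk deliberately does not do is trust a 10.x address
merely because it is private: a 10.x that appears above the handoff was
recorded by our own relays and is ours, while the same address below the
handoff was written by whoever sent the message and proves nothing.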

More information about the NANOG mailing list