> On Jul 27, 2016, at 11:24 PM, Roger Goh <gpro...@gmail.com> wrote:
>
> Can source (ie smtp.zzzbank.com.au & srvm02.zzzbank.com.au below)
> & the IP addresses be spoofed?

Your question is not sufficiently clearly stated.

> Received: from smtp.zzzbank.com.au (10.98.2.87) by ZZZWVEXC01ZZ.bbb.com.au
> (10.9.95.37) with zzzzz SMTP Server (TLS) id 24.3.271.0; Wed, 20 Jul 2016
> 17:07:22 +0800
> Received: from pps.reinject (srvm02.zzzbank.com.au [127.0.0.1]) by
> srvz02.zzzbank.com.au (8.15.0.59/8.15.0.59) with ESMTPS id u6K97Jk3033821

When "ZZZWVEXC01ZZ.bbb.com.au" is receiving the inbound email, the source IP address can only be "spoofed" by an "on-path" man-in-the-middle attacker, able to intercept network packets directed to "10.98.2.87", and thus maintain a TCP session for the transmission of email. Absent DNSSEC, the same MITM attacker may be able to forge DNS replies (if also "on path" between the receiving SMTP server and the nameservers it uses to resolve "10.in-addr.arpa" and "zzzbank.com.au").

On the other hand, anyone can create a message in which the above "Received:" headers appear. What a forger can't easily do is ensure that such headers are the topmost trace headers. When the forger transmits the message, the nexthop receiving system will record the forger's network address as the sending system in the topmost trace header. If that origin is not trustworthy, then you can't believe the validity of any trace headers it sends.

-- 
Viktor.
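The trust rule described above, applied in code, as an added example that is not part of the original thread: walk the "Received:" headers from the topmost one down, believe a header only while the host that wrote it (the "by" host) is one you control, and treat the first "from" host that is not yours as the real origin; everything below that point is unverifiable. The sample message and the set of trusted hosts are constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample, modelled on the headers quoted in the thread: the top
# Received: line was written by our own MTA, the second one is whatever the
# sending side handed us (it may be genuine or forged; we cannot tell).
SAMPLE = """Received: from smtp.zzzbank.com.au (10.98.2.87) by ZZZWVEXC01ZZ.bbb.com.au
 (10.9.95.37) with zzzzz SMTP Server (TLS) id 24.3.271.0; Wed, 20 Jul 2016
 17:07:22 +0800
Received: from pps.reinject (srvm02.zzzbank.com.au [127.0.0.1]) by
 srvz02.zzzbank.com.au (8.15.0.59/8.15.0.59) with ESMTPS id u6K97Jk3033821
From: someone@zzzbank.com.au
Subject: constructed test message

body
"""

# "from <host> ... by <host>" is the minimal shape of a trace header.
FROM_BY = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def parse_received(value):
    """Return (from_host, by_host) from one Received: header value, or None."""
    m = FROM_BY.search(" ".join(value.split()))  # unfold continuation lines
    return (m.group(1), m.group(2)) if m else None


def trace_origin(raw_message, trusted_hosts):
    """Walk Received: headers top-down (most recent hop first).

    A header is believable only if its 'by' host (the system that added it)
    is in trusted_hosts.  The first 'from' host that is not trusted is the
    origin the trusted side actually talked to; headers below it are just
    text the origin chose to send.  Returns (origin_host, headers_trusted).
    """
    msg = message_from_string(raw_message)
    hops = [parse_received(h) for h in msg.get_all("Received", [])]
    for i, hop in enumerate(hops):
        if hop is None or hop[1].lower() not in trusted_hosts:
            return None, i          # written by an untrusted system: stop
        if hop[0].lower() not in trusted_hosts:
            return hop[0], i + 1    # first untrusted sender = origin
    return None, len(hops)          # every hop was internal
```

With only ZZZWVEXC01ZZ.bbb.com.au trusted the origin is smtp.zzzbank.com.au and only one header is believed; if the zzzbank relays are also trusted, the origin moves one hop further back.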