Thomas,
If you're trying to detect which *local* device is generating specific SMTP messages,
you can attach a packet sniffer to the LAN(s) you suspect these messages originate
from. You can then tell your packet filter to log only SMTP messages.
Note that in a switched environment, you'll need to set up the packet sniffer(s) switch
port(s) to monitor all the switch ports for the given LAN(s).
Once you've collected data, you can search for the SMTP messages (spam, maybe?). Once
you've found what you're looking for, identify the MAC address from the frame header.
Data-Link frame headers (with physical address information) are not forwarded from
non-local sites, hence SMTP messages which originate from beyond a router will not
contain physical address information.
Please see http://www.piclist.com/techref/osilayers.htm for more information on this
phenomenon.
HTHAL,
Richard
Bill Royds wrote:
> That would be impossible. SMTP mail doesn't contain that information.
> It often contains the IP address of sender. Check in the earliest Received: header.
> But this is often obliterated by firewalls.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Thomas Sjogren
> Sent: Tuesday, June 19, 2001 03:32
> To: [EMAIL PROTECTED]
> Subject: Spam and mail readers (part 2).
>
> Is there a mail reader that makes it possible
> to see the physical address of the sender?
> I don't mean the sender's home address and
> phone number, but the network card address.
>
> /Thomas
>
> security analyst | northernsecurity.net
> +46 (0) 739 76 23 06 | 0xAADE91FC
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
--
Richard Warwick
mailto:[EMAIL PROTECTED]
HTTP://www.RichardWarwick.Org
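
The search step Richard describes (keep only SMTP traffic, then read the source MAC from the frame header), as an added example that is not part of the original thread. It assumes the capture is already available as raw Ethernet frames; the function names, addresses and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

SMTP_PORT = 25

def smtp_sender(frame):
    """Return (src_mac, src_ip) for an IPv4/TCP frame sent to port 25, else None.
    For traffic that crossed a router, src_mac is the router's interface."""
    if len(frame) < 18:
        return None
    src_mac = frame[6:12].hex(":")            # bytes 6..11 of the Ethernet header
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100:                   # 802.1Q tag: real EtherType is 4 bytes on
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4             # IPv4 header length varies with options
    if ihl < 20 or frame[off + 9] != 6 or len(frame) < off + ihl + 4:
        return None                           # not TCP, or truncated capture
    dport = struct.unpack("!H", frame[off + ihl + 2:off + ihl + 4])[0]
    if dport != SMTP_PORT:
        return None
    src_ip = ".".join(str(b) for b in frame[off + 12:off + 16])
    return src_mac, src_ip

def count_smtp_senders(frames):
    """Tally SMTP-bound segments per (MAC, IP) pair seen on the monitored LAN."""
    return Counter(s for s in map(smtp_sender, frames) if s)

def build_frame(src_mac, src_ip, dport, vlan=None):
    """Constructed test frame: Ethernet + minimal IPv4 + minimal TCP header."""
    eth = bytes.fromhex("02000000fffe") + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)
    eth += struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes([192, 0, 2, 25]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 1024, 0, 0)
    return eth + ip + tcp

SAMPLE = [  # constructed frames, not taken from a real capture
    build_frame("02:00:00:00:00:0a", "10.0.0.10", 25),
    build_frame("02:00:00:00:00:0a", "10.0.0.10", 25, vlan=20),
    build_frame("02:00:00:00:00:0b", "10.0.0.11", 80),
    build_frame("02:00:00:00:00:0b", "10.0.0.11", 25),
]

if __name__ == "__main__":
    for (mac, ip), n in count_smtp_senders(SAMPLE).most_common():
        print(f"{mac}  {ip}  {n} SMTP segment(s)")
```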