On 27 Jul 2016, at 23:24, Roger Goh wrote:

> Our headquarters' email server auto-forwards emails over to our
> email server & I have a concern:
> Can the source (i.e. smtp.zzzbank.com.au & srvm02.zzzbank.com.au below)
> & the IP addresses be spoofed?
>
> Received: from smtp.zzzbank.com.au (10.98.2.87) by ZZZWVEXC01ZZ.bbb.com.au
>  (10.9.95.37) with zzzzz SMTP Server (TLS) id 24.3.271.0; Wed, 20 Jul 2016
>  17:07:22 +0800
> Received: from pps.reinject (srvm02.zzzbank.com.au [127.0.0.1]) by
>  srvz02.zzzbank.com.au (8.15.0.59/8.15.0.59) with ESMTPS id u6K97Jk3033821

The answer is dependent on your network architecture and what exactly
you mean by "spoofed."
Received headers can be arbitrarily forged, as are the above examples,
BUT since they are added by each MTA handling the message, forgeries are
not hard to detect because they are always below the chronologically
final Received header, which is added by your own MTA and is presumably
trustworthy to the degree that it reflects how your MTA received the
message. When a forgery fails to get the format of a Received header
correct (as above), it is also easily detected.
If you are asking whether an SMTP session can be run over a connection
where the client side is spoofing an IP address, the *general* answer is
NO. IP address spoofing is trivial for UDP-based protocols like DNS
because UDP doesn't depend on the machines involved being able to carry
on a multi-step synchronized reliable conversation. Because SMTP runs on
top of TCP, the initial connection, before any data is exchanged,
requires a 3-packet exchange by which both ends prove that they are
receiving each other's packets correctly. Many years ago, it was
possible to spoof that exchange because systems commonly used very
predictable packet sequence numbers; however, that flaw was recognized
and corrected in the early '90s. It remains possible to actually hijack
an IP address by compromising the specific routers that handle the path
between the target machine and the hijacker, but that is a non-trivial
project and by its nature prevents normal communication between the
target system and the hijacking victim system (that is, the rightful
holder of the spoofed IP), so it is hard to hide such a hijack if the
target and victim normally communicate with each other.
A special case where "spoofing" becomes easier for SMTP is when the
spoofed machine and the spoofing target communicate through a firewall
that uses a form of NAT that makes the target see all communications as
coming from an IP held by the firewall. In that case, the security and
proper configuration of the firewall and its neighboring routers are
critical.
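The header-chain check the reply describes, as an added example that is not part of this thread: it walks the Received headers newest-first, treats a hop as trustworthy only while the MTA that wrote it is one of the receiving side's own, and flags hops that lack the "; date-time" RFC 5321 requires. The names mx.branch.example.net and mail.hq.example.net, the address 198.51.100.7 and the first header are constructed; the other two headers are the ones quoted in the question.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Minimum RFC 5321 trace field: "from <host> [(<helo> [<ip>])] by <host> ... ; <date-time>"
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
@dataclass
class Hop:
    from_host: Optional[str]  # name the sending side announced
    from_ip: Optional[str]    # address the writing MTA recorded in the parenthetical
    by_host: Optional[str]    # MTA that claims to have written this header
    has_date: bool            # RFC 5321 requires the field to end in "; date-time"
    trusted: bool             # written by one of OUR MTAs, i.e. above the trust boundary
    note: str

def parse_received(value: str) -> Hop:
    v = " ".join(value.split())  # unfold continuation lines
    m = HOP_RE.search(v)
    if not m:
        return Hop(None, None, None, ";" in v, False, "unparseable")
    ip = IPV4_RE.search(m.group(2) or "")
    return Hop(m.group(1), ip.group(1) if ip else None, m.group(3), ";" in v, False, "")

def audit_chain(received: List[str], our_mtas: Set[str]) -> List[Hop]:
    """Newest header first; trust stops at the first hop not written by one of our MTAs."""
    hops, above_boundary = [], True
    for raw in received:
        hop = parse_received(raw)
        by = (hop.by_host or "").lower()
        if above_boundary and by in our_mtas:
            hop.trusted, hop.note = True, "added by our MTA"
        else:
            above_boundary = False  # everything from here down is peer-supplied text
            problems = []
            if not hop.has_date:
                problems.append("malformed: missing '; date-time'")
            if by in our_mtas:
                problems.append("claims our MTA below the trust boundary")
            hop.note = "; ".join(problems) or "peer-supplied, unverifiable"
        hops.append(hop)
    return hops
# Constructed chain, newest first: hop 0 uses made-up names and a documentation
# address, hops 1-2 are the two headers quoted in the question.
SAMPLE = [
    "from mail.hq.example.net (mail.hq.example.net [198.51.100.7]) by mx.branch.example.net (Postfix) with ESMTPS id 4ABC123; Wed, 20 Jul 2016 09:08:00 +0000",
    "from smtp.zzzbank.com.au (10.98.2.87) by ZZZWVEXC01ZZ.bbb.com.au (10.9.95.37) with zzzzz SMTP Server (TLS) id 24.3.271.0; Wed, 20 Jul 2016 17:07:22 +0800",
    "from pps.reinject (srvm02.zzzbank.com.au [127.0.0.1]) by srvz02.zzzbank.com.au (8.15.0.59/8.15.0.59) with ESMTPS id u6K97Jk3033821",
]
OUR_MTAS = {"mx.branch.example.net"}
```

Only hop 0's recorded peer address is something the receiving MTA observed itself; the hostnames and addresses in the lower hops are whatever the forwarding side chose to write.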