Les Bell lesbell at lesbell.com.au
Fri Apr 9 22:36:18 UTC 2004

Petre Scheie <petre at maltzen.net> wrote:

The address could be spoofed as well obviously.

It's actually quite difficult to spoof IP addresses for TCP sessions these
days, due to the difficulty of predicting the sequence numbers that TCP
will use. You can generally depend on the IP address that appears between
the square brackets in the Received: line to be correct.

Received: from pc10 (dhcp-192-203-56.in2cable.com [])

So, reading from left to right, we have "pc10", the name the sender claimed
in the HELO exchange, "dhcp-192-203-56.in2cable.com", the name obtained by
a reverse DNS lookup, and, the IP address that was in the IP
headers. You can bet the machine belongs to an in2cable customer in India.
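
The three fields described in the message above, pulled out of a Received: line by a small parser. This is an added example, not part of the original post. The function names, the note labels, and the second sample line (with its example.net name and 192.0.2.10 address) are constructed, and the regular expression assumes the `from HELO (RDNS [IP])` layout shown above.

```python
import ipaddress
import re

# Assumed layout (as in the post): from HELO (RDNS [IP])
_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]*)\]")

# Line quoted in the post; its bracketed address is missing on the page.
PAGE_LINE = "Received: from pc10 (dhcp-192-203-56.in2cable.com [])"
# Constructed sample using a documentation-only name and address.
SAMPLE_LINE = "Received: from pc10 (host-10.example.net [192.0.2.10])"

def parse_received(line):
    """Return HELO name, reverse-DNS name and peer IP, or None if no match."""
    m = _FROM.search(line)
    if m is None:
        return None
    raw = m.group("ip").strip()
    if raw.lower().startswith("ipv6:"):      # some MTAs tag IPv6 literals
        raw = raw[5:]
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:                        # empty or garbled brackets
        ip = None
    rdns = m.group("rdns")
    if rdns == "unknown":                     # MTA found no PTR record
        rdns = None
    return {"helo": m.group("helo"), "rdns": rdns, "ip": ip}

def assess(line):
    """Return (fields, notes); notes name the parts a reader cannot rely on."""
    fields = parse_received(line)
    if fields is None:
        return None, ["no-from-clause"]
    notes = []
    if fields["ip"] is None:
        notes.append("no-ip")
    if fields["rdns"] is None:
        notes.append("no-rdns")
    if fields["helo"].lower() != (fields["rdns"] or "").lower():
        notes.append("helo-unverified")       # HELO is whatever the sender claimed
    return fields, notes

if __name__ == "__main__":
    for line in (PAGE_LINE, SAMPLE_LINE):
        print(assess(line))
```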


