Well, I'll go to the foot of our stairs! [For my American readers: an archaic, northern English expression of surprise.]

Received: from [217.207.168.90] ([217.207.168.90])
by mydominohost (Lotus Domino Release 6.5.1)
with ESMTP id 2004032516203819-280 ;
Thu, 25 Mar 2004 16:20:38 +0000
From: spoofed_sender
To: luckless_victim
Subject: Re: Message
Date: Thu, 25 Mar 2004 16:19:42 +0000
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
As you probably know, Domino records the EHLO phrase in its received header. On the subject of EHLO, RFC2821 says:
3.6 Domains
...
The domain name given in the EHLO command MUST BE either a primary host name (a domain name that resolves to an A RR) or, if the host has no name, an address literal as described in section 4.1.1.1.
4.1.3 Address Literals
... a special literal form of the address is allowed as an alternative to a domain name. For IPv4 addresses, this form uses four small decimal integers separated by dots and enclosed by brackets such as [123.255.37.2], which indicates an (IPv4) Internet Address in sequence-of-octets form.
In my experience, well-behaved sites EHLO with a valid primary host name. Most others just use either a host name which does not resolve or else an IP address with no square brackets. I don't think I have ever seen an example of an email where a remote sender has actually used address literal notation in EHLO before -- and this from a virus too!
Just to spoil it of course, the IP in question is static and has correct forward and reverse DNS, so it should have EHLOed with its name. But still, the virus at least tried to play by the rules...
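To make the RFC 2821 distinction above concrete, here is an added Python example (not code from the original post) that pulls the EHLO argument and the peer address out of a Domino-style Received header and classifies the argument as an address literal, a bare IP, or a syntactic host name. The header layout regex and the sample line are assumptions modelled on the header quoted above, and A-record resolution is deliberately not performed so the check runs offline.

```python
import ipaddress
import re

# Assumption: Domino writes the EHLO argument first, then the peer address:
#   Received: from <ehlo-arg> ([<peer-ip>]) by ...
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<ehlo>\S+)\s+\(\[(?P<peer>[^\]]+)\]\)")

# Syntactic host name: two or more dot-separated LDH labels (no resolution done).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed sample, modelled on the header quoted in the post (folded onto one line).
SAMPLE_RECEIVED = ("Received: from [217.207.168.90] ([217.207.168.90]) "
                   "by mydominohost (Lotus Domino Release 6.5.1)")


def classify_ehlo(arg: str) -> str:
    """Classify an EHLO argument per RFC 2821 sections 3.6 and 4.1.3.

    Returns 'address-literal' (bracketed IPv4, compliant), 'bare-ip' (dotted
    quad without brackets, not compliant), 'domain' (syntactically a host
    name; whether it resolves to an A RR is not checked here) or 'invalid'.
    """
    if arg.startswith("[") and arg.endswith("]"):
        try:
            ipaddress.IPv4Address(arg[1:-1])
            return "address-literal"
        except ValueError:
            return "invalid"
    try:
        ipaddress.IPv4Address(arg)
        return "bare-ip"
    except ValueError:
        pass
    return "domain" if HOSTNAME_RE.match(arg) else "invalid"


def check_received(line: str) -> dict:
    """Extract EHLO argument and peer IP from a Domino-style Received header
    and report whether an address literal actually matches the peer."""
    m = RECEIVED_RE.match(line)
    if not m:
        raise ValueError("not a Domino-style Received header")
    ehlo, peer = m.group("ehlo"), m.group("peer")
    kind = classify_ehlo(ehlo)
    return {"ehlo": ehlo, "peer": peer, "kind": kind,
            "literal_matches_peer": kind == "address-literal" and ehlo[1:-1] == peer}
```

Run `check_received(SAMPLE_RECEIVED)` to see the post's header classified as a compliant address literal that matches the connecting address; feeding it a line whose literal differs from the peer flags the mismatch instead.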
Category: Viruses and Worms