Can originating IP addresses be faked?
Olivier
Olivier.Nicole at cs.ait.ac.th
Wed Jul 25 03:21:31 UTC 2018
David Fletcher <dave at thefletchers.net> writes:
> Although I know a little bit about networking I'm not an expert and
> certainly know nothing about hacking other peoples' computers. Some
> people have told me that IP addresses can somehow be faked like the
> jerks who make nuisance phone calls faking their number to make it
> appear to be a friend, the bank, etc., calling.
The short answer is yes: you can forge a packet with a sender IP different
from your real IP. But there are some limitations:
- your ISP may block that; in fact they *SHOULD* block it, and if they
don't, you should change ISP, because blocking faked sender IPs is part
of making the net more secure;
- you will never receive a return packet, because the return packet will
be addressed to the faked IP, not to you; that is how DDoS works:
you use the IP of the person you want to attack as the fake sender IP,
so all the replies go to that person; if enough attackers act at the same
time, the result can be devastating;
- in your case, it is probable that HostWing has some malware running
and is being used by miscreants;
- in the case of email, there are several things: the IP address, the
address in the envelope of the mail, and the address in the headers of
the message. As said above, you cannot fake the IP, or else there
would be no connection to your postfix.
Best regards,
Olivier
>
> Can I for example be confident that these relay attempts:-
> Jul 24 11:31:57 ServerIII postfix/smtpd[22736]: NOQUEUE: reject: RCPT
> from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
> <1029mandaditos at gmail.com>: Relay access denied;
> from=<killer at virginm.net> to=<1029mandaditos at gmail.com> proto=ESMTP
> helo=<hwsrv-294731.hostwindsdns.com>
> Jul 24 11:31:58 ServerIII postfix/smtpd[22738]: NOQUEUE: reject: RCPT
> from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
> <1029mandaditos at gmail.com>: Relay access denied; from=<love at virginm.net>
> to=<1029mandaditos at gmail.com> proto=ESMTP
> helo=<hwsrv-294731.hostwindsdns.com>
> Jul 24 11:31:59 ServerIII postfix/smtpd[22736]: NOQUEUE: reject: RCPT
> from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
> <1029mandaditos at gmail.com>: Relay access denied;
> from=<sunshine at virginm.net> to=<1029mandaditos at gmail.com> proto=ESMTP
> helo=<hwsrv-294731.hostwindsdns.com>
>
> which are a small sample from around 300 really did originate from
> Hostwinds, Washington, USA?
>
> Thanks for your advice, all.
>
> Dave
More information about the ubuntu-users mailing list