Re: [cobalt-security] maillog: may be forged

["Sohail A. Rahim" <snake.charmer@xxxxxxxxxxx>]

John,

not sure what the 'may be forged' bit is about.. my guess it's to do with 
dns relaying or a reply-to + headers that claim to be from somewhere other 
than the original server...

with regard to your question about how to find out whether an email is 
incoming or outgoing....

o  an incoming email will usually have two entries... one saying from... 
and the other saying to, sometimes with the ctrladdress (usually the from 
address)..
o  every email that passes through your server is given an id.. in this 
case the id is f9HELnF20704. if you look at the line, it gives you the id 
betwen the 'sendmail[xxxxx]' and 'from='

hope this helps.
Sohail.

At 22:26 17/10/2001, you wrote:
> Hi I was wondering how to read the maillog...
>
> I received this log in the maillog.
>
> Oct 17 10:21:49 ns1 sendmail[20704]: f9HELnF20704:
> from=<CGrossner@xxxxxxxxxxxxxxxxx>, size=3013, class=0, nrcpts=1,
> msgid=<E901D95A7AF2D411B85B0008C72B7D8101872F09@xxxxxxxxxxxxxxxxxxxxxxx>,
> proto=ESMTP, daemon=MTA, relay=134.22.47.tor-55.151.net [134.22.47.55]
> (may be forged)
>
> What does the "may be forged" mean exactly?  Does it flag this email
> because the from address does not share the same domain name where the
> message came from?
>
> How do you know if this was an incoming email or an outgoing one?
> Could this be spam?
>
> If anyone can help me with this probably simple question, I would
> appreciate it.
>
> Thanks in advance,
>
> John Mehan
>
>
>
> __________________________________________________
> Do You Yahoo!?
> Make a great connection at Yahoo! Personals.
> http://personals.yahoo.com
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security


__________________________________________________

Sohail A. Rahim

www.lithiumrain.com