Can originating IP addresses be faked?


Can originating IP addresses be faked?

David Fletcher
Although I know a little bit about networking I'm not an expert and
certainly know nothing about hacking other peoples' computers. Some
people have told me that IP addresses can somehow be faked like the
jerks who make nuisance phone calls faking their number to make it
appear to be a friend, the bank, etc., calling.

Can I for example be confident that these relay attempts:-
Jul 24 11:31:57 ServerIII postfix/smtpd[22736]: NOQUEUE: reject: RCPT
from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
<[hidden email]>: Relay access denied;
from=<[hidden email]> to=<[hidden email]> proto=ESMTP
helo=<hwsrv-294731.hostwindsdns.com>
Jul 24 11:31:58 ServerIII postfix/smtpd[22738]: NOQUEUE: reject: RCPT
from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
<[hidden email]>: Relay access denied; from=<[hidden email]>
to=<[hidden email]> proto=ESMTP
helo=<hwsrv-294731.hostwindsdns.com>
Jul 24 11:31:59 ServerIII postfix/smtpd[22736]: NOQUEUE: reject: RCPT
from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
<[hidden email]>: Relay access denied;
from=<[hidden email]> to=<[hidden email]> proto=ESMTP
helo=<hwsrv-294731.hostwindsdns.com>

which are a small sample from around 300 really did originate from
Hostwinds, Washington, USA?

Thanks for your advice, all.

Dave


--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Re: Can originating IP addresses be faked?

Victor Sterpu
I guess it can be done with a man in the middle attack.


On 7/24/2018 3:33 PM, David Fletcher wrote:

> Although I know a little bit about networking I'm not an expert and
> certainly know nothing about hacking other peoples' computers. Some
> people have told me that IP addresses can somehow be faked like the
> jerks who make nuisance phone calls faking their number to make it
> appear to be a friend, the bank, etc., calling.
>
> Can I for example be confident that these relay attempts:-
> Jul 24 11:31:57 ServerIII postfix/smtpd[22736]: NOQUEUE: reject: RCPT
> from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
> <[hidden email]>: Relay access denied;
> from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<hwsrv-294731.hostwindsdns.com>
> Jul 24 11:31:58 ServerIII postfix/smtpd[22738]: NOQUEUE: reject: RCPT
> from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
> <[hidden email]>: Relay access denied; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP
> helo=<hwsrv-294731.hostwindsdns.com>
> Jul 24 11:31:59 ServerIII postfix/smtpd[22736]: NOQUEUE: reject: RCPT
> from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
> <[hidden email]>: Relay access denied;
> from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<hwsrv-294731.hostwindsdns.com>
>
> which are a small sample from around 300 really did originate from
> Hostwinds, Washington, USA?
>
> Thanks for your advice, all.
>
> Dave
>
>



Re: Can originating IP addresses be faked?

J. L.
In reply to this post by David Fletcher
On 24.07.2018 14:33, David Fletcher wrote:

> Although I know a little bit about networking I'm not an expert and
> certainly know nothing about hacking other peoples' computers. Some
> people have told me that IP addresses can somehow be faked like the
> jerks who make nuisance phone calls faking their number to make it
> appear to be a friend, the bank, etc., calling.
>
> Can I for example be confident that these relay attempts:-
> Jul 24 11:31:57 ServerIII postfix/smtpd[22736]: NOQUEUE: reject: RCPT
> from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
> <[hidden email]>: Relay access denied;
> from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<hwsrv-294731.hostwindsdns.com>
> Jul 24 11:31:58 ServerIII postfix/smtpd[22738]: NOQUEUE: reject: RCPT
> from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
> <[hidden email]>: Relay access denied; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP
> helo=<hwsrv-294731.hostwindsdns.com>
> Jul 24 11:31:59 ServerIII postfix/smtpd[22736]: NOQUEUE: reject: RCPT
> from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
> <[hidden email]>: Relay access denied;
> from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<hwsrv-294731.hostwindsdns.com>
>
> which are a small sample from around 300 really did originate from
> Hostwinds, Washington, USA?
>
> Thanks for your advice, all.
>
> Dave
>
>


To give You at least some hint where to start for digging deeper:
https://en.wikipedia.org/wiki/IP_address_spoofing

Much much more can easily be found by using "ip spoofing" in the search
engine of Your liking.

To really answer Your question: YES, ip-addresses can definitely be
spoofed. Or "faked" to use Your own words ...

Hope that helps a little!

Cheers!

J. L.


Re: Can originating IP addresses be faked?

Olivier Nicole
In reply to this post by David Fletcher
David Fletcher <[hidden email]> writes:

> Although I know a little bit about networking I'm not an expert and
> certainly know nothing about hacking other peoples' computers. Some
> people have told me that IP addresses can somehow be faked like the
> jerks who make nuisance phone calls faking their number to make it
> appear to be a friend, the bank, etc., calling.

Short answer is yes, you can forge a packet with a sender IP different
from your real IP. But with some limitations:

- your ISP may block that, in fact they *SHOULD* block that and if they
  don't, you should change ISP, because blocking faked sender IP is part
  of making the net more secure;

- you will never receive a return packet, because the return packet will
  be addressed to the faked IP, not to you; that's how DDoS works:
  you use the IP of the person you want to attack as a fake sender IP,
  all the replies go to that person, and if enough attackers act at the same
  time, the result can be devastating;

- in your case, it is probable that Hostwinds has some malware running
  and being used by miscreants;

- in the case of email, there are several things: the IP address, the
  address in the envelope of the mail, and the address in the headers of
  the message. As said above, you cannot fake the IP, or else there
  would be no connection to your postfix.

Best regards,

Olivier

>
> Can I for example be confident that these relay attempts:-
> Jul 24 11:31:57 ServerIII postfix/smtpd[22736]: NOQUEUE: reject: RCPT
> from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
> <[hidden email]>: Relay access denied;
> from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<hwsrv-294731.hostwindsdns.com>
> Jul 24 11:31:58 ServerIII postfix/smtpd[22738]: NOQUEUE: reject: RCPT
> from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
> <[hidden email]>: Relay access denied; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP
> helo=<hwsrv-294731.hostwindsdns.com>
> Jul 24 11:31:59 ServerIII postfix/smtpd[22736]: NOQUEUE: reject: RCPT
> from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
> <[hidden email]>: Relay access denied;
> from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<hwsrv-294731.hostwindsdns.com>
>
> which are a small sample from around 300 really did originate from
> Hostwinds, Washington, USA?
>
> Thanks for your advice, all.
>
> Dave


Re: Can originating IP addresses be faked?

Nataraj-2
In reply to this post by David Fletcher
On 07/24/2018 05:33 AM, David Fletcher wrote:

> Although I know a little bit about networking I'm not an expert and
> certainly know nothing about hacking other peoples' computers. Some
> people have told me that IP addresses can somehow be faked like the
> jerks who make nuisance phone calls faking their number to make it
> appear to be a friend, the bank, etc., calling.
>
> Can I for example be confident that these relay attempts:-
> Jul 24 11:31:57 ServerIII postfix/smtpd[22736]: NOQUEUE: reject: RCPT
> from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
> <[hidden email]>: Relay access denied;
> from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<hwsrv-294731.hostwindsdns.com>
> Jul 24 11:31:58 ServerIII postfix/smtpd[22738]: NOQUEUE: reject: RCPT
> from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
> <[hidden email]>: Relay access denied; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP
> helo=<hwsrv-294731.hostwindsdns.com>
> Jul 24 11:31:59 ServerIII postfix/smtpd[22736]: NOQUEUE: reject: RCPT
> from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
> <[hidden email]>: Relay access denied;
> from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<hwsrv-294731.hostwindsdns.com>
>
> which are a small sample from around 300 really did originate from
> Hostwinds, Washington, USA?
>
> Thanks for your advice, all.
>
> Dave
>
>
While IP addresses can be spoofed, I can't say how often this happens,
and I think there is reasonably good probability that the connection
came from the host/ip address reported in your log.

Experientially, I've found it reasonable to assume that the source
IP/host is correct and I use fail2ban to block connections such as that
one when they occur repeatedly.

You could send your log entries to the abuse contact for Hostwinds and
see what they do with it. Most responsible ISPs will investigate this
and take action against their users who are abusing other servers on
the internet, especially if they get more than 1 complaint.

Nataraj
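The triage the two replies above describe, as an added Python example (not code from the thread, from Postfix or from fail2ban): a logged `NOQUEUE: reject` is only written after the client completed the TCP handshake and sent HELO, MAIL FROM and RCPT TO, so the bracketed address is one the client really receives packets at; the script parses such lines, counts repeats per client with a fail2ban-style maxretry/findtime rule (reproduced here approximately, not fail2ban's own code), flags clients whose self-supplied HELO name disagrees with the reverse-DNS name Postfix resolved, and collects the raw lines you would paste into an abuse report. The sample log is constructed on the pattern of Dave's lines: the mailbox names, the second client address and the `connect from` line are placeholders.

```python
"""Triage of Postfix 'Relay access denied' rejects (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the original post's log lines. Mailbox
# names, the 203.0.113.77 client and the final 'connect from' line are
# placeholders, not values taken from the thread.
SAMPLE_LOG = """\
Jul 24 11:31:57 ServerIII postfix/smtpd[22736]: NOQUEUE: reject: RCPT from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1 <victim@example.net>: Relay access denied; from=<spam@example.com> to=<victim@example.net> proto=ESMTP helo=<hwsrv-294731.hostwindsdns.com>
Jul 24 11:31:58 ServerIII postfix/smtpd[22738]: NOQUEUE: reject: RCPT from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1 <victim@example.net>: Relay access denied; from=<spam@example.com> to=<victim@example.net> proto=ESMTP helo=<hwsrv-294731.hostwindsdns.com>
Jul 24 11:31:59 ServerIII postfix/smtpd[22736]: NOQUEUE: reject: RCPT from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1 <victim@example.net>: Relay access denied; from=<spam@example.com> to=<victim@example.net> proto=ESMTP helo=<hwsrv-294731.hostwindsdns.com>
Jul 24 11:40:02 ServerIII postfix/smtpd[22740]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 454 4.7.1 <victim@example.net>: Relay access denied; from=<bank@example.org> to=<victim@example.net> proto=ESMTP helo=<mail.example.org>
Jul 24 11:45:10 ServerIII postfix/smtpd[22741]: connect from mx.example.net[198.51.100.9]
"""

# One postfix/smtpd reject line. 'rdns' is the name Postfix resolved for the
# client address ('unknown' when there is no PTR); 'helo' is whatever the
# client claimed, which it is free to lie about.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<rdns>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<status>\d\.\d\.\d) <[^>]*>: (?P<reason>[^;]+); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=(?P<proto>\S+) "
    r"helo=<(?P<helo>[^>]*)>$"
)


def parse_reject(line, year=2018):
    """Return the fields of one reject line, or None for any other line.

    The line exists only because the client finished the TCP handshake and
    spoke SMTP, so the address in brackets is a real, reachable client.
    """
    m = REJECT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; the caller supplies it.
    rec["when"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def summarize_rejects(log_text, year=2018):
    """Aggregate reject lines per client IP."""
    per_ip = defaultdict(lambda: {"count": 0, "rdns": "", "helos": set(), "times": []})
    for line in log_text.splitlines():
        rec = parse_reject(line, year)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["count"] += 1
        entry["rdns"] = rec["rdns"]
        entry["helos"].add(rec["helo"])
        entry["times"].append(rec["when"])
    summary = {}
    for ip, entry in per_ip.items():
        helos = sorted(entry["helos"])
        summary[ip] = {
            "count": entry["count"],
            "rdns": entry["rdns"],
            "helos": helos,
            # Server-resolved rDNS versus client-claimed HELO: a cheap signal
            # that the client is not what it says it is.
            "helo_mismatch": helos != [entry["rdns"]],
            "times": sorted(entry["times"]),
        }
    return summary


def exceeds_threshold(times, maxretry, findtime):
    """fail2ban-style rule: maxretry hits inside any window of findtime seconds."""
    times = sorted(times)
    for i in range(len(times) - maxretry + 1):
        if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
            return True
    return False


def ban_candidates(summary, maxretry=3, findtime=600):
    """Client IPs that would trip the maxretry/findtime rule."""
    return sorted(ip for ip, e in summary.items()
                  if exceeds_threshold(e["times"], maxretry, findtime))


def lines_for_ip(log_text, ip):
    """Raw reject lines for one client: the evidence an abuse report needs."""
    return [line for line in log_text.splitlines()
            if (rec := parse_reject(line)) is not None and rec["ip"] == ip]


if __name__ == "__main__":
    s = summarize_rejects(SAMPLE_LOG)
    for ip, e in s.items():
        print(f"{ip}: {e['count']} rejects, rDNS={e['rdns']}, "
              f"HELO={e['helos']}, helo_mismatch={e['helo_mismatch']}")
    print("ban candidates:", ban_candidates(s))
```

Running it over a real `/var/log/mail.log` means replacing `SAMPLE_LOG` with the file contents and passing the correct year; the HELO check is a hint for prioritising, not proof of anything on its own, since many legitimate senders also have HELO and PTR names that differ.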





Re: Can originating IP addresses be faked?

David Fletcher
In reply to this post by David Fletcher
Thanks for all the advice.

Sounds like it's going to be either compromised computers on the ISP's
network or an ISP that doesn't care so I'm going to continue doing as I
am.

When I get spam I generally just block the entire range of addresses
which is working nicely for addresses such as 171.248.164.38 which is
somewhere in Vietnam and repeatedly gets blocked. Others are in Turkey,
Brazil and Georgia, USA.

It's a while since I last had spam from a UK address so maybe ISPs here
do care. Interestingly, all of the banking scam email I've received
lately appears to originate in the Netherlands.

Dave
