Re: any known users of NetRange 172.16.0.0 - 172.31.255.255
On Friday, 2002-09-27 at 03:14 GMT, "E.B. Dreger" <eddy+public+spam@noc.everquick.net> wrote:
It's difficult for TCP to work when there's no return path, unless one has highly-predictable ISNs. Chances are it's "inside" the network.
Perhaps you missed the point where the original problem was with an email address:

"I have this very odd email address found with one of our employees.... <hidden_user@172.17.0.1>"

Email addresses, in fact everything in rfc822 headers, are unrelated to tcp connectivity issues. If the employee got the email I'm willing to assume there was connectivity.

If you wish, I can describe exactly how such an address could be in the rfc822 From header of a message that could be delivered to you - even if 172.17.0.1 is the address of the originating device and you have no way of reaching that address.

Tony Rall
TR> Date: Thu, 26 Sep 2002 20:31:00 -0700
TR> From: Tony Rall

TR> Perhaps you missed the point where the original problem was
TR> with an email address:

Indeed I did. Note to self: Parse properly before posting to NANOG.

[Hopefully] on-topic response to OP after rereading: No, there is no tracking who uses RFC1918 space. Beyond that, it gets into SMTP header discussions, and I'll not be the one to start that thread.

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@brics.com>
To: blacklist@brics.com
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <blacklist@brics.com>, or you are likely to be blocked.
Depending on the content of the headers, this address can be "injected" into the flow of the email. This is very easy to do. The important thing to look at regarding the headers from such an email is the last few transactions. I would suspect that the first few lines read IPs that are familiar to you, that is, your smtp server handling an email from some foreign source, then past that another foreign source IP. The beginning IP address (this 172.17.x.x) probably starts the whole thing out and has actually been forged or placed there from some virtual lan that NATs out to its internet provider.

Remember that reading the headers is a bit backwards. The top is the latest, while the headers close to the Subject or From To lines are the origin.

Hope this offers some insight.

-Joe
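The bottom-up header reading described in the message above, as an added example that is not part of the original thread: it walks the `Received` chain from origin to final hop and flags RFC1918 addresses in the path and in the From host. The sample message, host names and the `received_path`, `is_rfc1918` and `report` helpers are constructed for illustration.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# RFC1918 ranges; 172.16.0.0/12 is the 172.16.0.0 - 172.31.255.255 block.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: public hops use documentation addresses (RFC 5737).
RAW = (
    "Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
    "\tby mail.example.org with ESMTP; Fri, 27 Sep 2002 03:10:02 +0000\n"
    "Received: from gw.example.com (gw.example.com [203.0.113.25])\n"
    "\tby mx.example.net with ESMTP; Fri, 27 Sep 2002 03:10:01 +0000\n"
    "Received: from workstation ([172.17.0.1])\n"
    "\tby gw.example.com with SMTP; Fri, 27 Sep 2002 03:10:00 +0000\n"
    "From: hidden_user@172.17.0.1\n"
    "To: employee@example.org\n"
    "Subject: test\n\nbody\n"
)

def is_rfc1918(text):
    """True if text is an IPv4 address (optionally bracketed) in RFC1918 space."""
    try:
        ip = ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)

def received_path(raw):
    """Sending-host IPs taken from the Received headers, origin first."""
    msg = email.message_from_string(raw)
    hops = []
    # Each relay prepends its header, so the list is newest-first; reverse it.
    for header in reversed(msg.get_all("Received", [])):
        from_part = re.split(r"\s+by\s+", header, maxsplit=1)[0]
        match = IP_RE.search(from_part)
        hops.append(match.group(1) if match else None)
    return hops

def report(raw):
    """Summarise where RFC1918 addresses show up in the message."""
    msg = email.message_from_string(raw)
    host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    hops = received_path(raw)
    return {"from_host_rfc1918": is_rfc1918(host), "path": hops,
            "rfc1918_hops": [h for h in hops if h and is_rfc1918(h)]}

if __name__ == "__main__":
    print(report(RAW))
```

Only the `Received` lines added by servers you control are trustworthy; anything below them was supplied by the sending side.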
participants (3): E.B. Dreger, Joe, Tony Rall