Can originating IP addresses be faked?

Nataraj incoming-ubuntu at rjl.com
Fri Jul 27 07:54:07 UTC 2018


On 07/24/2018 05:33 AM, David Fletcher wrote:
> Although I know a little bit about networking I'm not an expert and
> certainly know nothing about hacking other people's computers. Some
> people have told me that IP addresses can somehow be faked like the
> jerks who make nuisance phone calls faking their number to make it
> appear to be a friend, the bank, etc., calling.
>
> Can I for example be confident that these relay attempts:-
> Jul 24 11:31:57 ServerIII postfix/smtpd[22736]: NOQUEUE: reject: RCPT
> from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
> <1029mandaditos at gmail.com>: Relay access denied;
> from=<killer at virginm.net> to=<1029mandaditos at gmail.com> proto=ESMTP
> helo=<hwsrv-294731.hostwindsdns.com>
> Jul 24 11:31:58 ServerIII postfix/smtpd[22738]: NOQUEUE: reject: RCPT
> from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
> <1029mandaditos at gmail.com>: Relay access denied; from=<love at virginm.net>
> to=<1029mandaditos at gmail.com> proto=ESMTP
> helo=<hwsrv-294731.hostwindsdns.com>
> Jul 24 11:31:59 ServerIII postfix/smtpd[22736]: NOQUEUE: reject: RCPT
> from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1
> <1029mandaditos at gmail.com>: Relay access denied;
> from=<sunshine at virginm.net> to=<1029mandaditos at gmail.com> proto=ESMTP
> helo=<hwsrv-294731.hostwindsdns.com>
>
> which are a small sample from around 300 really did originate from
> Hostwinds, Washington, USA?
>
> Thanks for your advice, all.
>
> Dave
>
>
While IP addresses can be spoofed, I can't say how often this happens,
and I think there is a reasonably good probability that the connection
came from the host/ip address reported in your log.

Experientially, I've found it reasonable to assume that the source
IP/host is correct and I use fail2ban to block connections such as that
one when they occur repeatedly.

You could send your log entries to the abuse contact for Hostwinds and
see what they do with it.  Most responsible ISPs will investigate this
and take action against their users who are abusing other servers on
the internet, especially if they get more than 1 complaint.

Nataraj
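
The repeated-reject counting that a tool like fail2ban applies, sketched as an added example (not part of the original message and not fail2ban's own code). It runs over the three log entries quoted above plus one constructed line; the names `offenders`, `REJECT_RE` and `SAMPLE_LOG`, the thresholds and the year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches Postfix smtpd "Relay access denied" rejects and captures the
# timestamp and the client IP Postfix recorded for the TCP connection.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r".*Relay access denied"
)

# First three lines: the entries quoted in the post, unwrapped to one line each.
# Last line: constructed, using a documentation address (192.0.2.10).
SAMPLE_LOG = """\
Jul 24 11:31:57 ServerIII postfix/smtpd[22736]: NOQUEUE: reject: RCPT from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1 <1029mandaditos at gmail.com>: Relay access denied; from=<killer at virginm.net> to=<1029mandaditos at gmail.com> proto=ESMTP helo=<hwsrv-294731.hostwindsdns.com>
Jul 24 11:31:58 ServerIII postfix/smtpd[22738]: NOQUEUE: reject: RCPT from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1 <1029mandaditos at gmail.com>: Relay access denied; from=<love at virginm.net> to=<1029mandaditos at gmail.com> proto=ESMTP helo=<hwsrv-294731.hostwindsdns.com>
Jul 24 11:31:59 ServerIII postfix/smtpd[22736]: NOQUEUE: reject: RCPT from hwsrv-294731.hostwindsdns.com[142.11.195.132]: 454 4.7.1 <1029mandaditos at gmail.com>: Relay access denied; from=<sunshine at virginm.net> to=<1029mandaditos at gmail.com> proto=ESMTP helo=<hwsrv-294731.hostwindsdns.com>
Jul 24 11:40:02 ServerIII postfix/smtpd[22741]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 454 4.7.1 <a at example.com>: Relay access denied; from=<b at example.com> to=<a at example.com> proto=ESMTP helo=<example.net>
"""


def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10), year=2018):
    """Return {ip: total_rejects} for clients with at least `maxretry`
    relay rejects inside any window of length `findtime`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            # Syslog timestamps carry no year, so one is assumed.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["ip"]].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        # Sliding window: does any run of `maxretry` rejects fit in `findtime`?
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, count in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {count} relay rejects, candidate for blocking")
```

The address with a single reject stays below the threshold, so only the client that retried repeatedly is reported.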






