e-mail spoofing.....
I received an e-mail from an old classmate. I don't know how he did it, but he spoofed the sending e-mail to be a 10. address. How was it done? Any hints? I can't find any way to spoof any header other than date, time, name, and from. Any help would be appreciated. Headers are below.
Delivered-To: @gmail.com
Received: by 10.114.146.7 with SMTP id t7cs524427wad;
        Wed, 2 Dec 2009 12:27:06 -0800 (PST)
Return-Path: <@gmail.com>
Received-SPF: pass (google.com: domain of @gmail.com designates 10.231.166.12 as permitted sender) client-ip=10.231.166.12;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of *************@gmail.com designates 10.231.166.12 as permitted sender) smtp.mail=@gmail.com; dkim=pass header.i=@gmail.com
Received: from mr.google.com ([10.231.166.12])
        by 10.231.166.12 with SMTP id k12mr977000iby.48.1259785624171 (num_hops = 1);
        Wed, 02 Dec 2009 12:27:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:mime-version:received:in-reply-to:references
         :date:message-id:subject:from:to:content-type;
        bh=P52HAoMOYDkWapZVP+Fp4NA3J9JejsgFW7iLpSKrAaw=;
        b=BLvXopi+tJheTErg2rbFneamWv/HJ2r4x7wF3eJtMqVkey2hQvvhCF5v457vo43Cm/
         juzRaJ0DQqexQ2r8kC5b8OjBNhd5QZ8VYMJ+99Ny8oBdlXBPhADKKDvqw3ECUZ3Ju7E/
         hGlUj+6RkFwXzJEQ6yFb3itHTkwMlGFiHh/G0=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        b=NHw2SpYAcXvER9vmAlPYq4w3hukrlMPaFx9kQzsUiJ2LQ1fOMglmlJbWfxnlob+jGR
         8SH53Z2ChmqKLKUzx9aF0EmEfIWpzCmyjlSSkT3MrYfNSv9+FoN2W6+vDRcFioBCqn9J
         Kvjt535uU17O4W3GbG80xpOCnUaQOyA4B3JUs=
MIME-Version: 1.0
Received: by 10.231.166.12 with SMTP id k12mr977000iby.48.1259785624164;
        Wed, 02 Dec 2009 12:27:04 -0800 (PST)
In-Reply-To: <36c6f6360611091102x401d12b7p1b11e2ef40c8bbd9@mail.gmail.com>
References: <36c6f6360610291611o161bb1a0n3638e5c5b543f119@mail.gmail.com>
         <36c6f6360610300913l666d2861ie1ebc2d4d6c8cf50@mail.gmail.com>
         <36c6f6360610301032q7bf52650x29183337f3192631@mail.gmail.com>
         <36c6f6360611091102x401d12b7p1b11e2ef40c8bbd9@mail.gmail.com>
Date: Wed, 2 Dec 2009 13:27:04 -0700
Message-ID: <8196d9d10912021227n1aa4b05av58a91a36f1c63b0@mail.gmail.com>
Subject: Re:
From: <********@gmail.com>
To: <@gmail.com>
Content-Type: multipart/alternative; boundary=001636c923929f1aee0479c4b214
314 wrote: I received an e-mail from an old classmate. I don't know how he did it, but he spoofed the sending e-mail to be a 10. address. How was it done? Any hints? I can't find any way to spoof any header other than date, time, name, and from. Any help would be appreciated. Headers are below.
He spoofed the sending email to be 10…?
wolfmankurd wrote: [quote]314 wrote: I received an e-mail from an old classmate. I don't know how he did it, but he spoofed the sending e-mail to be a 10. address. How was it done? Any hints? I can't find any way to spoof any header other than date, time, name, and from. Any help would be appreciated. Headers are below.
He spoofed the sending email to be 10…?[/quote]
I believe he is referring to the IP of the client. It starts with a 10.*****
I'm not a routing expert, but to me it doesn't seem spoofed at all. 10.0.0.0 is a reserved address block for private networks (i.e. LANs). Some email clients send the email to the exchange server with the address as the address they were given by the router. Since the machine has no clue what its external IP is, it simply has to use the IP it was assigned (which happens to be the internal IP). You can configure your mail client to send different addresses or even hostnames, if I remember correctly.
So, to me, this isn't any spoofing attempt or someone trying to hide themselves, just someone with an unconfigured mail client.
Hope that helps :)
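An added example, not part of any post in this thread: a Python sketch that takes headers like those posted above, lists the IP addresses in each Received line oldest-first, labels each as private or public, and pulls the SPF/DKIM verdicts out of Authentication-Results. The function names and the trimmed, re-folded sample are constructed for this illustration.

```python
import email
import ipaddress
import re

# Trimmed copy of the headers posted above (redactions as in the post,
# signature and threading headers omitted, long lines re-folded).
SAMPLE = """\
Delivered-To: @gmail.com
Received: by 10.114.146.7 with SMTP id t7cs524427wad;
 Wed, 2 Dec 2009 12:27:06 -0800 (PST)
Received-SPF: pass (google.com: domain of @gmail.com designates
 10.231.166.12 as permitted sender) client-ip=10.231.166.12;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of
 *************@gmail.com designates 10.231.166.12 as permitted sender)
 smtp.mail=@gmail.com; dkim=pass header.i=@gmail.com
Received: from mr.google.com ([10.231.166.12])
 by 10.231.166.12 with SMTP id k12mr977000iby.48.1259785624171 (num_hops = 1);
 Wed, 02 Dec 2009 12:27:04 -0800 (PST)
Received: by 10.231.166.12 with SMTP id k12mr977000iby.48.1259785624164;
 Wed, 02 Dec 2009 12:27:04 -0800 (PST)
Subject: Re:
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def received_hops(raw):
    """Return one list per Received header, oldest hop first.
    Each entry is (ip, "private" | "public")."""
    msg = email.message_from_string(raw)
    hops = []
    # Every relay prepends its own Received line, so the last one in the
    # file is the earliest hop; reverse to read the path in travel order.
    for value in reversed(msg.get_all("Received", [])):
        ips = []
        for text in IP_RE.findall(value):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:      # e.g. 999.1.1.1 is not an address
                continue
            # is_private covers 10/8, 172.16/12, 192.168/16 and other
            # non-routable ranges.
            ips.append((text, "private" if addr.is_private else "public"))
        hops.append(ips)
    return hops

def auth_results(raw):
    """Return the verdicts the receiving server recorded, e.g. {"spf": "pass"}."""
    value = email.message_from_string(raw).get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))
```
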
stealth- wrote: I'm not a routing expert, but to me it doesn't seem spoofed at all. 10.0.0.0 is a reserved address block for private networks (i.e. LANs). Some email clients send the email to the exchange server with the address as the address they were given by the router. Since the machine has no clue what its external IP is, it simply has to use the IP it was assigned (which happens to be the internal IP). You can configure your mail client to send different addresses or even hostnames, if I remember correctly.
So, to me, this isn't any spoofing attempt or someone trying to hide themselves, just someone with an unconfigured mail client.
Hope that helps :)
Lmao.
wolfmankurd wrote: [quote]stealth- wrote: I'm not a routing expert, but to me it doesn't seem spoofed at all. 10.0.0.0 is a reserved address block for private networks (i.e. LANs). Some email clients send the email to the exchange server with the address as the address they were given by the router. Since the machine has no clue what its external IP is, it simply has to use the IP it was assigned (which happens to be the internal IP). You can configure your mail client to send different addresses or even hostnames, if I remember correctly.
So, to me, this isn't any spoofing attempt or someone trying to hide themselves, just someone with an unconfigured mail client.
Hope that helps :)
Lmao.[/quote]
I'm sorry? What's funny?