Re: Email Virus
From: devil <email@example.com>
Date: Mon, 08 Jul 2002 03:35:25 GMT
Rod Smith wrote:
> In article <firstname.lastname@example.org>,
> Marshall Lake <email@example.com> writes:
>>>Reading headers is easy enough.
>>>You read from the bottom up.
>>>Each Received is a postmaster receiving the message with
>>>the information of who the message was relayed from with
>>>who it is to be sent to.
>>>Only the postmaster on the first hop
>>>can use the Message ID to see who really sent the message.
>>Here are the headers from one such email I received. What is the
>>originating site? verizon.net ?
>>Received: from out017.verizon.net (out017pub.verizon.net [18.104.22.168])
>> by melake.erols.com (Postfix) with ESMTP id 5FED71B8CD
>> for <firstname.lastname@example.org>; Sun, 7 Jul 2002 12:42:49 -0400 (EDT)
>>Received: from Izmnsyso ([22.214.171.124]) by out017.verizon.net
>> (InterMail vM.5.01.05.05 201-253-122-126-105-20020426) with SMTP
>> id <20020707164139.HXLS21993.out017.verizon.net@Izmnsyso>
>> for <email@example.com>; Sun, 7 Jul 2002 11:41:39 -0500
> This is the first Received header. It indicates that 126.96.36.199,
> which identified itself with a fake or incomplete hostname ("Izmnsyso")
> sent the message to a computer that's identified itself in the message
> header as out017.verizon.net but didn't include an IP address. You'd
> need to use tools like host, nslookup, or whois to figure out who "owns"
> 188.8.131.52. For instance:
> $ host 184.108.40.206
> 220.127.116.11.IN-ADDR.ARPA domain name pointer pqmax-2-25.dialup.enter.net
> This seems to suggest that somebody using a dial-up account with the
> enter.net ISP is the true sender.
> One caution: Received headers can be forged. Spammers sometimes insert
> a fake Received header before (that is, later in the file) than the
> first legitimate one. This is usually easily spotted by a gap with
> other headers between Received headers. The first (that is, last in the
> file) Received header might also point to a machine under the control
> of whatever bad guy you want to avoid. As a general rule, the most
> trustworthy Received header is the last one (that is, the top one in the
> file), which usually tells you the system from which your ISP or mail
> server received the message. Anything earlier than that could
> conceivably be at least partly forged.
True. But you almost invariably can tell: something doesn't fit. At
some point upstream, some header will tell the truth and a mismatch will
Anyway, it doesn't seem to be the case here. Source is almost certainly
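The header-walking procedure Rod Smith describes above (read Received: lines bottom-up, pull the bracketed IP of the first hop, look up who owns it, and treat the chain as suspect where the hops do not fit together), as an added example that is not part of the original thread. The sample message reuses the two Received: lines quoted in the thread exactly as they appear in the archive; the "forged" variant, and the hosts mail.example.net / smtp.example.org in it, are constructed for the example. The reverse-DNS lookup is pluggable so the code runs offline; the default uses socket.gethostbyaddr, whose answer is controlled by whoever runs the reverse zone, so treat it as a hint, not proof.

```python
"""Walk Received: headers bottom-up and flag hops that do not chain together.

Added example for this thread, not code from the original post. Each hop's
"by" host should reappear as the next hop's "from" host; a Received: line
pasted in by a forger usually breaks that chain, or lands below a header
that was written after the genuine trace headers.
"""
import re
import socket
from email import message_from_string

# Constructed sample: the two Received: lines quoted in the thread (as they
# appear in the archive) followed by a Subject: line and a one-word body.
SAMPLE = (
    "Received: from out017.verizon.net (out017pub.verizon.net [18.104.22.168])\n"
    "\tby melake.erols.com (Postfix) with ESMTP id 5FED71B8CD\n"
    "\tfor <firstname.lastname@example.org>; Sun, 7 Jul 2002 12:42:49 -0400 (EDT)\n"
    "Received: from Izmnsyso ([22.214.171.124]) by out017.verizon.net\n"
    "\t(InterMail vM.5.01.05.05 201-253-122-126-105-20020426) with SMTP\n"
    "\tid <20020707164139.HXLS21993.out017.verizon.net@Izmnsyso>\n"
    "\tfor <email@example.com>; Sun, 7 Jul 2002 11:41:39 -0500\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# Constructed variant: a bogus Received: line wedged in *below* Subject:, with
# made-up example.net/example.org hosts, to show what the checks catch.
FORGED = SAMPLE.replace(
    "Subject: test\n",
    "Subject: test\n"
    "Received: from mail.example.net (mail.example.net [10.0.0.5])\n"
    "\tby smtp.example.org (Postfix) with ESMTP; Sun, 7 Jul 2002 10:00:00 -0500\n",
)

FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.I)
PAREN_RE = re.compile(r"\(\s*([^\s\[\]()]*)\s*\[([0-9.]+)\]\s*\)")
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


def parse_received(value):
    """Split one Received: value into HELO name, reverse name, IP, relay, date."""
    value = " ".join(value.split())  # unfold continuation lines
    hop = {"helo": None, "rdns": None, "ip": None, "by": None, "date": None}
    m = FROM_RE.match(value)
    if m:
        hop["helo"] = m.group(1)
    m = PAREN_RE.search(value)
    if m:
        hop["rdns"] = m.group(1) or None  # empty when only "[ip]" was logged
        hop["ip"] = m.group(2)
    m = BY_RE.search(value)
    if m:
        hop["by"] = m.group(1)
    if ";" in value:
        hop["date"] = value.rsplit(";", 1)[1].strip()
    return hop


def hops(raw):
    """Hops in delivery order: the bottom-most Received: header is hop 0."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def forgery_hints(raw):
    """The two tells from the thread: non-Received headers sitting between
    Received: lines, and a hop whose relay never shows up as the next 'from'."""
    hints = []
    names = [n.lower() for n, _ in message_from_string(raw).items()]
    idx = [i for i, n in enumerate(names) if n == "received"]
    if idx and idx[-1] - idx[0] + 1 != len(idx):
        hints.append("non-Received header(s) interleaved between Received: lines")
    chain = hops(raw)
    for n in range(len(chain) - 1):
        handed_to = (chain[n]["by"] or "").lower()
        claimed = {(chain[n + 1]["helo"] or "").lower(),
                   (chain[n + 1]["rdns"] or "").lower()}
        if handed_to and handed_to not in claimed:
            hints.append(f"hop {n} was received by {handed_to!r} but hop {n + 1} "
                         f"claims to come from {sorted(claimed - {''})!r}")
    return hints


def origin(raw, lookup=None):
    """First-hop IP plus its reverse name; `lookup` is an ip -> name callable
    (default: socket.gethostbyaddr, needs the network; PTR data is untrusted)."""
    chain = hops(raw)
    if not chain or not chain[0]["ip"]:
        return None
    if lookup is None:
        def lookup(addr):
            try:
                return socket.gethostbyaddr(addr)[0]
            except OSError:
                return None
    ip = chain[0]["ip"]
    return {"ip": ip, "ptr": lookup(ip), "helo": chain[0]["helo"]}


if __name__ == "__main__":
    for n, h in enumerate(hops(SAMPLE)):
        print(n, h)
    print("hints (sample):", forgery_hints(SAMPLE))
    print("hints (forged):", forgery_hints(FORGED))
```

Run it on a real message by reading the raw source (with headers) into `raw` and calling `origin(raw)`; the chain check is deliberately loose (HELO name or reverse name may match the previous "by"), since legitimate relays often announce themselves under a different name than the one they log, so a mismatch is a prompt to look harder, not a verdict.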