First, the Received: fields contain domain names and IP addresses that depend 
only on envelopes and connecting IP addresses. You should rely on those that 
came from nodes you control or trust; anything beyond that is suspect.

There are various authentication protocols, e.g., SPF (acronym overload), but 
those are only as good as the certificate owner. That is, you can check with 
the CA that foo owns bar, but not whether foo is a criminal or legitimate.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


________________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of Bob 
Bridges <[email protected]>
Sent: Tuesday, September 22, 2020 10:27 AM
To: [email protected]
Subject: Re: Caution: "Hacked" email caused the distribution of a potentially 
harmful attachment

I'm pretty sure that in the bad old days, even the headers could not accurately 
reflect the sender.  You could tell what ~server~ the email came from, but the 
email address depended entirely on the From label that every email client 
attaches manually, and which isn't necessarily truthful.

I put this in the past tense not because I believe it's no longer true, but 
because it ~might~ no longer be true.  I know a lot of the major domains are 
adding various headers that purport to guarantee at least that the email came 
from a subscriber at the originating domain.  I don't know how advanced those 
headers are these days.  But until Chris posted the below, I would have said 
you still can't be sure of the sender's email address by looking at the headers.

The headers that came with Chris' email, by the way, are much longer than I'm 
used to seeing.  Is this normal, these days, or is it a feature of IBM-MAIN?  I 
think what I'm seeing is a series of authentication methods as it's passed from 
one server to the next along what I think is called the "backbone": ARC, 
IronPort, and something called TMASE.

(I hope this doesn't break the LISTSERV's filters.)

Delivered-To: [email protected]
Received: by 2002:adf:f447:0:0:0:0:0 with SMTP id f7csp3851648wrp;
        Mon, 21 Sep 2020 19:18:42 -0700 (PDT)
X-Google-Smtp-Source: 
ABdhPJyZYVYvh3cQWqrXkErWaQ9fj0W+BvZi9Nn3OIAhxJo/3CruwF8hoeAX5Oz2VcYZ5dXeWd3e
X-Received: by 2002:a25:4dc3:: with SMTP id a186mr3921730ybb.250.1600741122602;
        Mon, 21 Sep 2020 19:18:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1600741122; cv=none;
        d=google.com; s=arc-20160816;
        b=B58897TXTtvQJ7t1gnHyrcV+cq3LL+jDEM9oArNxwngd5gxmJmVU8iQWMRfzwzIErF
         171T/6dYrx3amczVIU4+RYVmvhPiw4ciJWp6wEkjj4Crj2Idy3h02jmoPxSI6bfpfSYx
         FqaUjP7LwKQ/2TClTi+oAhk19o5H/73ukJTA5+mhsv9CBSm/9aAimG18O14JDpzlgKJO
         CZwngYjwGO/+cJ8VP1MfmKYwOC+Gk1v7+iJLbovbbXQB5yF5tziBBYUjFm2ZJcNDe6zR
         gPstA7GqeqHoI7Q/YvKuVuDqWI45gSXg1uBZwik+4sYFnPucdPQ9J9gAOZ7Q4+7l7syN
         2g6A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; 
s=arc-20160816;
        h=list-archive:list-owner:list-subscribe:list-unsubscribe:list-help
         :precedence:in-reply-to:to:subject:organization:from:sender:reply-to
         :date:newsgroups:message-id:content-language
         :content-transfer-encoding:mime-version:user-agent:references
         :ironport-phdr:dkim-signature;
        bh=xak+K7z8G4pm5Gldpny1Rz595iMZvkPotRV2fRPSWh4=;
        b=N/3iP2pjAMuhJ3ys6eeEachah/tZmrbzUtQlSghrMQ0SAMkmGZruV01BUBVJhJwK/1
         Q38yPpfJg+QbzHYPu080i4V4MZNYOWPjTNwZJ/f4rGo+HwGPrRzPY5ZBJ6GnYkgIgCx1
         zYENntXTcedNtOC3TS57zGYck/l4DmaNoHpmfyMSdfIyOx3ian0dIC5f7ny1b14ZC6Eg
         9fp07gi9ViNNgy5wyNC+KpxHpsK3m2SU1E8dEfDYBIaHLZZERwcy0fjM9mfyVCf61M8a
         FsFvsqFOLvmk1W4aYLnXxwMC3Uo7oyUNythENV/zL7mweFg5njPKOeHNOXA3+H5PlSHJ
         j6rQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass (test mode) [email protected] header.s=LISTSERV01 
header.b=hoKgtLn3;
       spf=pass (google.com: domain of [email protected] 
designates 130.160.0.25 as permitted sender) 
[email protected]
Return-Path: <[email protected]>
Received: from lsvmail01.ua.edu (lsvmail01.ua.edu. [130.160.0.25])
        by mx.google.com with ESMTPS id m18si15161936ybp.129.2020.09.21.19.18.41
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 21 Sep 2020 19:18:42 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] 
designates 130.160.0.25 as permitted sender) client-ip=130.160.0.25;
Authentication-Results: mx.google.com;
       dkim=pass (test mode) [email protected] header.s=LISTSERV01 
header.b=hoKgtLn3;
       spf=pass (google.com: domain of [email protected] 
designates 130.160.0.25 as permitted sender) 
[email protected]
Received: from listserv01.ua.edu (listserv01.ua.edu [10.8.81.163])
        by lsvmail01.ua.edu (Postfix) with ESMTP id 9EF7C2695E9;
        Mon, 21 Sep 2020 21:18:24 -0500 (CDT)
Received: from listserv01 (localhost [127.0.0.1])
        by listserv01.ua.edu (Postfix) with ESMTP id 3FD8C270077;
        Mon, 21 Sep 2020 21:18:24 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; d=UA.EDU; s=LISTSERV01; c=relaxed/relaxed; 
bh=xak+K7z8G4pm5Gldpny1Rz595iMZvkPotRV2fRPSWh4=; [email protected];
 
h=Received-SPF:IronPort-PHdr:References:User-Agent:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-Language:Message-ID:Newsgroups:Date:Reply-To:Sender:From:Organization:Subject:To:In-Reply-To:List-Help:List-Unsubscribe:List-Subscribe:List-Owner:List-Archive;
 
b=hoKgtLn3w9W92V9bTKa6UNpuoBFZaitRofoSTpcb5pG+uPHaMDDYxt46yDCJr8Me9e6ms8Y4R46rar4HfwNPpwpnD1Dnb66cHye0twKDs517DlVZ8XKV5WnVD/FFabttLyA53JxrBDRLngQ9zjpwU9rmFtm25ltySVYKYz8yJsA=
Received: by LISTSERV.UA.EDU (LISTSERV-TCP/IP release 16.0) with spool id 29526
          for [email protected]; Mon, 21 Sep 2020 21:18:24 -0500
Received: from mailapp-atl-2.ua.edu (mailapp-atl-2.ua.edu [130.160.2.39]) by
          listserv01.ua.edu (Postfix) with ESMTP id 1512D270076 for
          <[email protected]>; Mon, 21 Sep 2020 21:18:24 -0500 (CDT)
Received-SPF: None (mailapp-atl-2.ua.edu: no sender authenticity information
              available from domain of [email protected])
              identity=mailfrom; client-ip=62.128.193.156;
              receiver=mailapp-atl-2.ua.edu;
              envelope-from="[email protected]";
              x-sender="[email protected]"; x-conformance=spf_only
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.77,288,1596517200"; d="scan'208";a="39371487"
X-UA-IP-Dir: i
X-UA-External: other
Received: from mta6.iomartmail.com ([62.128.193.156]) by mailapp-atl-2.ua.edu
          with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 21 Sep 2020 21:18:23 -0500
Received: from vs1.iomartmail.com (vs1.iomartmail.com [10.12.10.121]) by
          mta6.iomartmail.com (8.14.4/8.14.4) with ESMTP id 08M2ILnW012652 for
          <[email protected]>; Tue, 22 Sep 2020 03:18:21 +0100
Received: from vs1.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with
          ESMTP id D20C12203B for <[email protected]>; Tue, 22 Sep 2020
          03:18:20 +0100 (BST)
Received: from asmtp3.iomartmail.com (unknown [10.12.10.224]) by
          vs1.iomartmail.com (Postfix) with ESMTPS id BCE092203A for
          <[email protected]>; Tue, 22 Sep 2020 03:18:20 +0100 (BST)
Received: from [192.168.1.3] (li18b4b4blu3ltd.plus.com [84.92.86.146])
          (authenticated bits=0) by asmtp3.iomartmail.com (8.14.4/8.14.4) with
          ESMTP id 08M2IFWX028424 (version=TLSv1/SSLv3
          cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for
          <[email protected]>; Tue, 22 Sep 2020 03:18:19 +0100
References: 
<dm6pr01mb39622e311cb146d8b4cc2e4abf...@dm6pr01mb3962.prod.exchangelabs.com>
            <[email protected]>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101
            Thunderbird/52.9.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Content-Language: en-GB
X-Originating-IP: 84.92.86.146
X-Thinkmail-Auth: [email protected]
X-TM-AS-GCONF: 00
X-TM-AS-Product-Ver: IMSVA-9.0.0.1623-8.2.0.1013-25680.004
X-TM-AS-Result: No--22.480-10.0-31-10
X-imss-scan-details: No--22.480-10.0-31-10
X-TMASE-Version: IMSVA-9.0.0.1623-8.2.1013-25680.004
X-TMASE-Result: 10--22.480500-10.000000
X-TMASE-SNAP-Result: 1.821001.0001-0-1-12:0,22:0,33:0,34:0-0
Message-ID:  <[email protected]>
Newsgroups:   bit.listserv.ibm-main
Date:         Tue, 22 Sep 2020 03:18:45 +0100
Reply-To:     IBM Mainframe Discussion List <[email protected]>
Sender:       IBM Mainframe Discussion List <[email protected]>
From:         CM Poncelet <[email protected]>
Organization: L! Logic Integration
Subject: Re: Caution: "Hacked" email caused the distribution of a potentially 
harmful attachment
To:           [email protected]
In-Reply-To:  <[email protected]>
Precedence: list
List-Help: 
<http://secure-web.cisco.com/17E46BTDFVFBx7JAJA9TmK8Z2-1_zRJjWsNx8q3P_Vgn0NdpHgGvUIZhzmMAL_xS5ZZ4qndVQlE1lXoRRxRUqN95NHi9FWVrO-xI4S5KIBRob8xXQ7q1w9D4L6VctghwHljoEZOak7PTbsOso5RBKPlXVQSUG6iK8OP3_MfhL5dhKKdMkuK-ryV5tn4Juyfz0iujd5aESpHbuGVe9qTm7DerUJxh9XktGy8bAh1rYgKSfdebN0NctlfkQAgeeIMXAgLVNhSoeyYHOQyDrQVmb73-OPGQ-xqTj30Gf8nHfuRUeLRw1IXQT70oSagG7RUrPEaTaE22U2TKIMNDJcVT1VRWfpgFkQ6LwT95fqWetZb7rC-znFyQrniJyMy3tPy75MlWOULV5fo5FSHOC_p5bQEbjrUoAe6LaqryR-kmx5oTXF5jNV36B39EHsO31Y1VX/http%3A%2F%2Flistserv.ua.edu%2Fcgi-bin%2Fwa%3FLIST%3DIBM-MAIN>,
           <mailto:[email protected]?body=INFO%20IBM-MAIN>
List-Unsubscribe: <mailto:[email protected]>
List-Subscribe: <mailto:[email protected]>
List-Owner: <mailto:[email protected]>
List-Archive: 
<http://secure-web.cisco.com/17E46BTDFVFBx7JAJA9TmK8Z2-1_zRJjWsNx8q3P_Vgn0NdpHgGvUIZhzmMAL_xS5ZZ4qndVQlE1lXoRRxRUqN95NHi9FWVrO-xI4S5KIBRob8xXQ7q1w9D4L6VctghwHljoEZOak7PTbsOso5RBKPlXVQSUG6iK8OP3_MfhL5dhKKdMkuK-ryV5tn4Juyfz0iujd5aESpHbuGVe9qTm7DerUJxh9XktGy8bAh1rYgKSfdebN0NctlfkQAgeeIMXAgLVNhSoeyYHOQyDrQVmb73-OPGQ-xqTj30Gf8nHfuRUeLRw1IXQT70oSagG7RUrPEaTaE22U2TKIMNDJcVT1VRWfpgFkQ6LwT95fqWetZb7rC-znFyQrniJyMy3tPy75MlWOULV5fo5FSHOC_p5bQEbjrUoAe6LaqryR-kmx5oTXF5jNV36B39EHsO31Y1VX/http%3A%2F%2Flistserv.ua.edu%2Fcgi-bin%2Fwa%3FLIST%3DIBM-MAIN>

---
Bob Bridges, [email protected], cell 336 382-7313

/* Marriage is an act of will, divorce an act of won't.  -screenwriter Josh 
Greenfeld */

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf 
Of CM Poncelet
Sent: Monday, September 21, 2020 22:19

(a) Begin by assuming that *all* received emails are spam/scam (and
define this as the bottom line catch-all message filter) *unless* a
higher up message filter recognizes both the sender(s)'s and the 'to'
recipient's addresses as valid.
(b) The sender's original email address can be found towards the end in
the message headers, as in the "received from ... for ..." message
header line.
(c) Spam/scam emails can be sent to
https://www.spamcop.net/mcgi?action=loginform for verification, if need be.

The 'trick' to get around spammers/scammers is to use message filters,
with the bottom line catch-all filter saying something like "if the
subject does not contain <whatever random alphanumeric characters> *and*
the sender is not <whatever more random chars>@<whatever else> then save
the email in the trash/delete folder" - which then ensures that the
email is never saved in the "Inbox" folder.

A more skilful 'trick' is to have many different email IDs and give out
a different email ID to every company, individual etc. (and keep a
record of which email ID was given to whom) - so that, if a spammer or
scammer gets hold of it, it can be deleted and a replacement new email
ID can be created ... and then also determine from whom the
spammer/scammer harvested the old and now deleted email ID. That kills
off spammers and scammers, because any further emails sent to the old
email ID just bounce as "undeliverable" and they cannot guess what the
new email ID is. But that requires owning one or more domain names and
being able to create/delete email IDs associated with it/them. (I
have/use more than 200 email IDs across more than 30 domain names.)

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
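
The point made in the reply at the top of this message (rely only on the Received: fields written by nodes you control or trust), as an added example that is not part of the thread. It walks the headers newest-first, stops trusting at the first hop stamped by a foreign host, and keeps an Authentication-Results field only if it sits inside that trusted run and carries your own server's name. The sample message, the host names and the TRUSTED set are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample, not the headers quoted in the thread. Hosts and IPs
# are documentation values; mx.mydomain.example stands for a node you run.
RAW = """\
Received: from relay.list.example (relay.list.example [192.0.2.25])
        by mx.mydomain.example with ESMTPS id abc123;
        Mon, 21 Sep 2020 19:18:42 -0700
Authentication-Results: mx.mydomain.example;
        dkim=pass header.d=list.example; spf=pass smtp.mailfrom=list.example
Received: from edge.list.example (edge.list.example [198.51.100.7])
        by relay.list.example with ESMTP id def456;
        Mon, 21 Sep 2020 21:18:24 -0500
Authentication-Results: mx.mydomain.example; dkim=pass header.d=bank.example
Received: from [192.168.1.3] (home.isp.example [203.0.113.9])
        by edge.list.example with ESMTP id ghi789;
        Tue, 22 Sep 2020 03:18:19 +0100
From: Someone <someone@bank.example>
Subject: constructed test message

body
"""

TRUSTED = {"mx.mydomain.example"}  # assumption: the hosts you control
BY = re.compile(r"\bby\s+([\w.-]+)", re.I)
PEER_IP = re.compile(r"\[([0-9a-fA-F:.]+)\]")

def trusted_view(raw, trusted=TRUSTED):
    """Return (hops, handoff_ip, authres) using only headers added by trusted nodes."""
    hops, authres, handoff_ip, inside = [], [], None, True
    for name, value in message_from_string(raw).items():  # newest header first
        value = " ".join(value.split())                    # unfold continuation lines
        if name.lower() == "received":
            m = BY.search(value)
            by = m.group(1).lower() if m else None
            inside = inside and by in trusted   # first foreign hop ends the trusted run
            if inside:                          # peer address as seen by our own node
                ip = PEER_IP.search(value.split(" by ")[0])
                handoff_ip = ip.group(1) if ip else None
            hops.append((by, inside))
        elif name.lower() == "authentication-results" and inside:
            fields = value.split(";")[0].split()
            if fields and fields[0].lower() in trusted:  # authserv-id must be ours
                authres.append(value)
    return hops, handoff_ip, authres

if __name__ == "__main__":
    print(trusted_view(RAW))
```

The second Authentication-Results field in the sample names the trusted server but sits below a foreign hop, so it is discarded along with everything else the sending side could have written.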
