John Andersen wrote:
> On Tuesday 19 April 2005 10:20 pm, Monty Ree wrote:
>> Hello, all.
>>
>> I have received a lot of spam mail.
>> So I usually look at the e-mail header (Received From: field) to see
>> which IP the e-mail was sent from.
>>
>> For example, I have received this spam mail today.
>>
>> ###### mail header #######
>> Return-Path: <[EMAIL PROTECTED]>
>> Received: from mail.xxx.com ([211.xx.xx.xx])
>> by tt.co.kr (8.11.6/8.11.6) with ESMTP id j3J1QsK15121
>> for <[EMAIL PROTECTED]>; Tue, 19 Apr 2005 10:26:54 +0900
This one is probably the one added by YOUR mail server.
As such you can believe the IP address (211.xx.xx.xx) - THAT is most likely the
spammer's IP.
>> Received: from 211.198.142.138 ([211.198.142.138])
>> by mail.xxx.com (8.11.6/8.11.6) with SMTP id j3J1R7p12967
>> for <[EMAIL PROTECTED]>; Tue, 19 Apr 2005 10:27:07 +0900
This one was already on the email when your mail server got it. Don't believe
it for a second.
>> Received: from 244.31.48.232 by ; Sat, 16 Apr 2005 06:23:30 -0700
This is just way off base.
>> Message-ID: <[EMAIL PROTECTED]>
>>
>>
>> and first Received field like below...
>>
>> Received: from 244.31.48.232 by ; Sat, 16 Apr 2005 06:23:30 -0700
>>
>> Yes, 244.31.48.232 is not assigned, so I think that this mail header
>> is spoofed!! If so, a spammer can use an assigned IP too, to spoof the
>> e-mail header instead of an unassigned IP.
>>
>> So there is no point in tracking a spammer by using the "Received From: " mail
>> header field, because he can make lots of spoofed "Received From"
>> fields using real IPs. So, tracking a spammer is impossible or hard,
>> right?
>>
>> Is there any good method or howto to distinguish a spoofed e-mail
>> header from a real e-mail header?
>
> The first (bottom-most) Received from header should never be believed.
> The top-most Received from usually IS reliable (assuming you are
> running your own Mail Transfer Agent (sendmail or postfix or some
> such)).
If you're running your own MTA, this will have the IP of the machine that sent
it the mail.
> The ones in between have to be evaluated manually.
I usually don't bother. The IP of the machine that talked to my machine is all
that I usually need.
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
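As an added example (not part of the thread), a small Python walk over the Received: chain that applies the rule discussed above: trust only the top-most hop, stamped by your own MTA (tt.co.kr in the quoted header), and flag the older hops for an empty "by", an address in a reserved range like 244.31.48.232, or a hop whose "by" does not match the sender named in the hop above it. The sample message (with the masked 211.xx.xx.xx replaced by a documentation address) and the chain-consistency heuristic are constructed here.

```python
import ipaddress, re
from email import message_from_string

# Constructed sample modelled on the header quoted in the thread; the masked 211.xx.xx.xx
# is replaced with 203.0.113.45 (a documentation address), other values are as quoted.
SAMPLE = """\
Received: from mail.xxx.com ([203.0.113.45])
    by tt.co.kr (8.11.6/8.11.6) with ESMTP id j3J1QsK15121
    for <user@tt.co.kr>; Tue, 19 Apr 2005 10:26:54 +0900
Received: from 211.198.142.138 ([211.198.142.138])
    by mail.xxx.com (8.11.6/8.11.6) with SMTP id j3J1R7p12967
    for <user@tt.co.kr>; Tue, 19 Apr 2005 10:27:07 +0900
Received: from 244.31.48.232 by ; Sat, 16 Apr 2005 06:23:30 -0700
"""

# "from <name> ([ip]) by <host>"; ip and by may be missing in forged hops.
HOP_RE = re.compile(
    r"from\s+(?P<name>\S+)(?:\s+\(\[?(?P<ip>\d+\.\d+\.\d+\.\d+)\]?\))?"
    r"\s+by\s*(?P<by>[\w.\-]*)")

def parse_received(value):
    m = HOP_RE.search(value)
    if not m:
        return {"name": None, "ip": None, "by": None}
    d = m.groupdict()
    if d["ip"] is None and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", d["name"]):
        d["ip"] = d["name"]  # "from 244.31.48.232" with no bracketed address
    return d

def analyze(raw, my_mta):
    """Walk Received: headers top-down; return (index, ip, findings) per hop."""
    hops = [parse_received(v) for v in message_from_string(raw).get_all("Received", [])]
    report = []
    for i, hop in enumerate(hops):
        notes = []
        if i > 0:
            notes.append("untrusted: already on the message when our MTA received it")
        elif hop["by"] != my_mta:
            notes.append("suspicious: top header not stamped by our MTA")
        else:
            notes.append("trusted: stamped by our own MTA")  # the only hop we know is real
        if not hop["by"]:
            notes.append("malformed: empty 'by' field")
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_reserved:
            notes.append("bogus: address is in a reserved/unassigned range")
        # Heuristic: the next-older hop should have been stamped by this hop's sender.
        if i + 1 < len(hops) and hops[i + 1]["by"] != hop["name"]:
            notes.append("chain break: next hop not stamped by %s" % hop["name"])
        report.append((i, hop["ip"], notes))
    return report
```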