#1

Wary <> wrote:
> It is possible to fake the header of an email to make it look as if someone
> else sent it. Is it possible to do this in such a way that any reply is sent
> to the actual sender rather than the person it appears to be from? Is there
> any way to detect if this has been done?

Yes. Yes. Yes.

Frank Slootweg

#2

It is possible to fake the header of an email to make it look as if someone
else sent it. Is it possible to do this in such a way that any reply is sent
to the actual sender rather than the person it appears to be from? Is there
any way to detect if this has been done?

Wary

#3

Wary <> wrote:
> "Frank Slootweg" <> wrote in message
> news:4117331d$0$18088$...
> > Wary <> wrote:
> > > It is possible to fake the header of an email to make it look as
> > > if someone else sent it. Is it possible to do this in such a way
> > > that any reply is sent to the actual sender rather than the person
> > > it appears to be from? Is there any way to detect if this has
> > > been done?
> >
> > Yes. Yes. Yes.
>
> How do I detect if this has been done?

By verifying the validity of all headers. In very simple cases, the
Reply-To: or Return-Path: or other lines like Sender: will give it away.
In more 'sophisticated' cases, there will be clues in the Received: lines.

Basically, in email, like in News/Usenet, there *is* no 'security'.
Everything can be forged and often is.

If you want to learn more, then browse the email groups and their FAQs,
for example news.admin.net-abuse.email.

Frank Slootweg

#4

"Wary" <> wrote:
> How do I detect if this has been done? Check the header generated by your mailserver on delivery (the line saying where he received the mail from) to see if it matches the rest of the headers (coming from the same ISP, for example). Everything else can be faked, and there's no way to tell if it is. Juergen Nieveler -- Mary had a little lamb - she hates beef or ham Juergen Nieveler |

#5

"Frank Slootweg" <> wrote in message
news:4117331d$0$18088$... > Wary <> wrote: > > It is possible to fake the header of an email to make it look as if some one > > else sent it. Is it possible to do this in such a way that any reply is sent > > to the actual sender rather than the person it appears to be from? Is there > > any way to detect if this has been done? > > Yes. Yes. Yes. How do I detect if this has been done? Wary |

#6

"Juergen Nieveler" <> wrote in message
news:. .. > "Wary" <> wrote: > > > How do I detect if this has been done? > > Check the header generated by your mailserver on delivery (the line > saying where he received the mail from) to see if it matches the rest > of the headers (coming from the same ISP, for example). > > Everything else can be faked, and there's no way to tell if it is. > Does this extract from a SpamCop report show the headar is a fake? Parsing header: Received: from f6.mail.ru ([194.67.57.36]) by mta07-svc.ntlworld.com (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP id <20040806123006.RYVN15997.mta07-> for <x>; Fri, 6 Aug 2004 13:30:06 +0100 194.67.57.36 found host 194.67.57.36 = f6.mail.ru (cached) host f6.mail.ru (checking ip) = 194.67.57.36 Possible spammer: 194.67.57.36 Received line accepted Relay trusted (194.67.57.36) Received: from mail by f6.mail.ru with local id 1Bt3qz-000OLg-00 for x; Fri, 06 Aug 2004 16:29:45 +0400 Ignored Received: from [62.254.161.34] by win.mail.ru with HTTP; Fri, 06 Aug 2004 16:29:45 +0400 no from 62.254.161.34 found host 62.254.161.34 (getting name) no name Possible spammer: 62.254.161.34 Possible relay: 194.67.57.36 194.67.57.36 not listed in relays.ordb.org. 194.67.57.36 has already been sent to relay testers Received line accepted Wary |

#7

"Wary" <> wrote:
> Does this extract from a SpamCop report show the headar is a fake? > > Parsing header: > > Received: from f6.mail.ru ([194.67.57.36]) by mta07-svc.ntlworld.com > (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP id ><20040806123006.RYVN15997.mta07-> for <x>; > Fri, 6 Aug 2004 13:30:06 +0100 > 194.67.57.36 found > host 194.67.57.36 = f6.mail.ru (cached) > host f6.mail.ru (checking ip) = 194.67.57.36 Checks with the nslookup I just did - f6.mail.ru is 194.67.57.36. So if the above is the last received-line added to the headers, you are sitting behind mta07-svc.ntlworld.com, and this machine has indeed received that mail from f6.mail.ru, unless there's somebody out there who is terribly good as IP-spoofing. Every Received-Header below this one could possibly be faked, as f6.mail.ru could have added it himself... Juergen Nieveler -- A woman's speed limit is 68, at 69 she blows a rod Juergen Nieveler |

#8

"Juergen Nieveler" <> wrote in message
news:. .. > "Wary" <> wrote: > > > Does this extract from a SpamCop report show the headar is a fake? > > > > Parsing header: > > > > Received: from f6.mail.ru ([194.67.57.36]) by mta07-svc.ntlworld.com > > (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP id > ><20040806123006.RYVN15997.mta07-> for <x>; > > Fri, 6 Aug 2004 13:30:06 +0100 > > 194.67.57.36 found > > host 194.67.57.36 = f6.mail.ru (cached) > > host f6.mail.ru (checking ip) = 194.67.57.36 > > Checks with the nslookup I just did - f6.mail.ru is 194.67.57.36. So if > the above is the last received-line added to the headers, you are > sitting behind mta07-svc.ntlworld.com, and this machine has indeed > received that mail from f6.mail.ru, unless there's somebody out there > who is terribly good as IP-spoofing. > > Every Received-Header below this one could possibly be faked, as > f6.mail.ru could have added it himself... > what looked suspicious to me was that SpamCop i gnored the second Received line ( from mail by f6.mail.ru with local id 1Bt3qz-000OLg-00 for x; Fri, 06 Aug 2004 16:29:45 +0400) I freely admit this is a subject with which I am unfamiliar. Wary |

#9

"Wary" <> wrote:
> what looked suspicious to me was that SpamCop i gnored the second > Received line ( from mail by f6.mail.ru with local id 1Bt3qz-000OLg-00 > for x; Fri, 06 Aug 2004 16:29:45 +0400) > > I freely admit this is a subject with which I am unfamiliar. That's because whatever is behind the Received line created by your server was already in the mail that your server received. The line MIGHT be genuine, but it MIGHT have been written in there by somebody sending this mail directly from f6.mail.ru. The last hop is the only thing you can be sure off, because your own mailserver will know who it is talking to. Apart from that, you can't trust anybody Juergen Nieveler -- NGUTH LOTXH QHEDM HBRHX KRHLP KYMLG AIHQI WENUA BCQCG ECQRH LOQTH XCOAF Juergen Nieveler |