fake email

Discussion in 'Computer Security' started by Frank Slootweg, Aug 9, 2004.

  1. Wary <> wrote:
    > It is possible to fake the header of an email to make it look as if some one
    > else sent it. Is it possible to do this in such a way that any reply is sent
    > to the actual sender rather than the person it appears to be from? Is there
    > any way to detect if this has been done?


    Yes. Yes. Yes.
    Frank Slootweg, Aug 9, 2004
    #1

  2. Frank Slootweg

    Wary Guest

    It is possible to fake the header of an email to make it look as if some one
    else sent it. Is it possible to do this in such a way that any reply is sent
    to the actual sender rather than the person it appears to be from? Is there
    any way to detect if this has been done?
    Wary, Aug 9, 2004
    #2

  3. Wary <> wrote:
    > "Frank Slootweg" <> wrote in message
    > news:4117331d$0$18088$...
    > > Wary <> wrote:
    > > > It is possible to fake the header of an email to make it look as
    > > > if some one else sent it. Is it possible to do this in such a way
    > > > that any reply is sent to the actual sender rather than the person
    > > > it appears to be from? Is there any way to detect if this has
    > > > been done?
    > >
    > > Yes. Yes. Yes.
    >
    > How do I detect if this has been done?


    By verifying the validity of all headers. In very simple cases, the
    Reply-To: or Return-Path: or other lines like Sender: will give it away.
    In more 'sophisticated' cases, there will be clues in the Received:
    lines.

    Basically, in email, like in News/Usenet, there *is* no 'security'.
    Everything can be forged and often is.

    If you want to learn more, then browse the email groups and their
    FAQs, for example news.admin.net-abuse.email.
    Frank Slootweg, Aug 9, 2004
    #3
  4. "Wary" <> wrote:

    > How do I detect if this has been done?


    Check the header generated by your mailserver on delivery (the line
    saying where he received the mail from) to see if it matches the rest
    of the headers (coming from the same ISP, for example).

    Everything else can be faked, and there's no way to tell if it is.

    Juergen Nieveler
    --
    Mary had a little lamb - she hates beef or ham
    Juergen Nieveler, Aug 9, 2004
    #4
  5. Frank Slootweg

    Wary Guest

    "Frank Slootweg" <> wrote in message
    news:4117331d$0$18088$...
    > Wary <> wrote:
    > > It is possible to fake the header of an email to make it look as if some
    > > one else sent it. Is it possible to do this in such a way that any reply is
    > > sent to the actual sender rather than the person it appears to be from? Is
    > > there any way to detect if this has been done?
    >
    > Yes. Yes. Yes.


    How do I detect if this has been done?
    Wary, Aug 9, 2004
    #5
  6. Frank Slootweg

    Wary Guest

    "Juergen Nieveler" <> wrote in message
    news:...
    > "Wary" <> wrote:
    >
    > > How do I detect if this has been done?

    >
    > Check the header generated by your mailserver on delivery (the line
    > saying where he received the mail from) to see if it matches the rest
    > of the headers (coming from the same ISP, for example).
    >
    > Everything else can be faked, and there's no way to tell if it is.
    >


    Does this extract from a SpamCop report show the header is a fake?

    Parsing header:

    Received: from f6.mail.ru ([194.67.57.36]) by mta07-svc.ntlworld.com
    (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP id
    <> for <x>; Fri, 6
    Aug 2004 13:30:06 +0100
    194.67.57.36 found
    host 194.67.57.36 = f6.mail.ru (cached)
    host f6.mail.ru (checking ip) = 194.67.57.36
    Possible spammer: 194.67.57.36
    Received line accepted
    Relay trusted (194.67.57.36)

    Received: from mail by f6.mail.ru with local id 1Bt3qz-000OLg-00 for x;
    Fri, 06 Aug 2004 16:29:45 +0400

    Ignored

    Received: from [62.254.161.34] by win.mail.ru with HTTP; Fri, 06 Aug 2004
    16:29:45 +0400
    no from
    62.254.161.34 found
    host 62.254.161.34 (getting name) no name
    Possible spammer: 62.254.161.34
    Possible relay: 194.67.57.36
    194.67.57.36 not listed in relays.ordb.org.
    194.67.57.36 has already been sent to relay testers
    Received line accepted
    Wary, Aug 10, 2004
    #6
  7. "Wary" <> wrote:

    > Does this extract from a SpamCop report show the header is a fake?
    >
    > Parsing header:
    >
    > Received: from f6.mail.ru ([194.67.57.36]) by mta07-svc.ntlworld.com
    > (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP id
    ><> for <x>;
    > Fri, 6 Aug 2004 13:30:06 +0100
    > 194.67.57.36 found
    > host 194.67.57.36 = f6.mail.ru (cached)
    > host f6.mail.ru (checking ip) = 194.67.57.36


    Checks with the nslookup I just did - f6.mail.ru is 194.67.57.36. So if
    the above is the last received-line added to the headers, you are
    sitting behind mta07-svc.ntlworld.com, and this machine has indeed
    received that mail from f6.mail.ru, unless there's somebody out there
    who is terribly good at IP-spoofing.

    Every Received-Header below this one could possibly be faked, as
    f6.mail.ru could have added it himself...

    Juergen Nieveler
    --
    A woman's speed limit is 68, at 69 she blows a rod
    Juergen Nieveler, Aug 10, 2004
    #7
  8. Frank Slootweg

    Wary Guest

    "Juergen Nieveler" <> wrote in message
    news:...
    > "Wary" <> wrote:
    >
    > > Does this extract from a SpamCop report show the header is a fake?
    > >
    > > Parsing header:
    > >
    > > Received: from f6.mail.ru ([194.67.57.36]) by mta07-svc.ntlworld.com
    > > (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP id
    > ><> for <x>;
    > > Fri, 6 Aug 2004 13:30:06 +0100
    > > 194.67.57.36 found
    > > host 194.67.57.36 = f6.mail.ru (cached)
    > > host f6.mail.ru (checking ip) = 194.67.57.36

    >
    > Checks with the nslookup I just did - f6.mail.ru is 194.67.57.36. So if
    > the above is the last received-line added to the headers, you are
    > sitting behind mta07-svc.ntlworld.com, and this machine has indeed
    > received that mail from f6.mail.ru, unless there's somebody out there
    > who is terribly good at IP-spoofing.
    >
    > Every Received-Header below this one could possibly be faked, as
    > f6.mail.ru could have added it himself...
    >

    What looked suspicious to me was that SpamCop ignored the second Received
    line (from mail by f6.mail.ru with local id 1Bt3qz-000OLg-00 for x;
    Fri, 06 Aug 2004 16:29:45 +0400)

    I freely admit this is a subject with which I am unfamiliar.
    Wary, Aug 10, 2004
    #8
  9. "Wary" <> wrote:

    > What looked suspicious to me was that SpamCop ignored the second
    > Received line (from mail by f6.mail.ru with local id 1Bt3qz-000OLg-00
    > for x; Fri, 06 Aug 2004 16:29:45 +0400)
    >
    > I freely admit this is a subject with which I am unfamiliar.


    That's because whatever is behind the Received line created by your
    server was already in the mail that your server received. The line
    MIGHT be genuine, but it MIGHT have been written in there by somebody
    sending this mail directly from f6.mail.ru.

    The last hop is the only thing you can be sure of, because your own
    mailserver will know who it is talking to. Apart from that, you can't
    trust anybody :)

    Juergen Nieveler
    --
    NGUTH LOTXH QHEDM HBRHX KRHLP KYMLG AIHQI WENUA BCQCG ECQRH LOQTH XCOAF
    Juergen Nieveler, Aug 10, 2004
    #9
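The two checks the thread arrives at, Frank's "very simple case" in #3 (Reply-To:, Return-Path: or Sender: not matching From:) and Juergen's rule in #7 and #9 that only the Received: line written by your own MTA can be trusted, as an added Python example that is not part of the thread. It assumes a constructed header block modelled on the SpamCop extract quoted above; the From:/Reply-To: values, the ESMTP id and the hypothetical `local_mta` argument are placeholders.

```python
import re
from email import message_from_string

# Constructed sample modelled on the SpamCop extract quoted above; the From:,
# Reply-To: and the ESMTP id are invented placeholders, not from the thread.
SAMPLE = """\
From: Alice <alice@example.net>
Reply-To: someone-else@example.org
Received: from f6.mail.ru ([194.67.57.36]) by mta07-svc.ntlworld.com
 (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP id
 <placeholder-id> for <x>; Fri, 6 Aug 2004 13:30:06 +0100
Received: from mail by f6.mail.ru with local id 1Bt3qz-000OLg-00 for x;
 Fri, 06 Aug 2004 16:29:45 +0400
Received: from [62.254.161.34] by win.mail.ru with HTTP; Fri, 06 Aug 2004
 16:29:45 +0400

"""

RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)")

def parse_received(value):
    """Extract the claimed 'from' host, its bracketed IP (if any) and the 'by' host."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return None
    host, comment, by = m.groups()
    ip = re.search(r"\[([\d.]+)\]", comment or host)
    return {"from": host.strip("[]"), "ip": ip.group(1) if ip else None, "by": by}

def received_chain(raw, local_mta):
    """Walk Received: lines top-down. Only the line written by our own MTA is
    trustworthy; everything below arrived inside the message and may be forged.
    'consistent' means hop i's 'by' host matches what hop i-1 says it came from."""
    hops = [parse_received(v) for v in message_from_string(raw).get_all("Received", [])]
    out = []
    for i, hop in enumerate(hops):
        prev = hops[i - 1] if i else None
        trusted = i == 0 and hop is not None and hop["by"].lower() == local_mta.lower()
        consistent = i == 0 or bool(prev and hop and prev["from"].lower() == hop["by"].lower())
        out.append({**(hop or {}), "trusted": trusted, "consistent": consistent})
    return out

def reply_mismatches(raw):
    """The 'very simple case': Reply-To:, Return-Path: or Sender: domain differing from From:."""
    msg = message_from_string(raw)
    def domain(name):
        m = re.search(r"@([\w.\-]+)", msg.get(name, ""))
        return m.group(1).lower() if m else None
    return [h for h in ("Reply-To", "Return-Path", "Sender") if domain(h) and domain(h) != domain("From")]
```

An inconsistent hop (here the second line, which SpamCop also ignored) is not proof of forgery, since a local handoff can legitimately break the chain; it only means nothing below the first line can be verified.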
