For example:
This is a falsified Email Received line:
Received: from 89.210.237.165 by autotec.com.inbound15.mxlogicmx.net; Fri, 18 Jun 2010 02:01:56 0200
The parens are missing completely.
This is a real one:
Received: from ppp089210237165.dsl.hol.gr (ppp089210237165.dsl.hol.gr [89.210.237.165]) by ahost.somedomain.com (8.13.5/8.13.4) with ESMTP id o5HN38he003988;
Another common thing is for a scammer/spammer to falsify the origin of an email, but the Received line rats them out:
A real, but modified example:
Return-Path:
Received: from mx1.mytiolo.info (mailhost.dwdtechllc.com [74.119.64.217])
by host.domain.com (8.13.5/8.13.4) with SMTP id o5HLswgI022584
for; Thu, 17 Jun 2010 14:55:11 -0700
The spammer claimed to be from mytiolo.info, but the message really came from dwdtechllc.com, because it is what's inside the parens of the Received line, written by the receiving server rather than by the sender, that is correct.
These falsifications are sometimes legit (not everyone runs their own email server), but often they are not.
Hurray for the parentheses.
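A small parser, added here as an example and not part of the original post, that applies the two checks described above to the quoted Received lines: it flags a "from" clause with no parenthesised peer information, and it reports when the claimed host disagrees with the reverse DNS the receiving server recorded. The sample headers are the ones quoted in the post, joined onto single lines.

```python
import re

# Sample Received headers quoted in the post, rejoined onto single lines.
FALSIFIED = ("Received: from 89.210.237.165 by autotec.com.inbound15.mxlogicmx.net; "
             "Fri, 18 Jun 2010 02:01:56 0200")
REAL = ("Received: from ppp089210237165.dsl.hol.gr (ppp089210237165.dsl.hol.gr "
        "[89.210.237.165]) by ahost.somedomain.com (8.13.5/8.13.4) with ESMTP id o5HN38he003988;")
SPOOFED_ORIGIN = ("Received: from mx1.mytiolo.info (mailhost.dwdtechllc.com [74.119.64.217]) "
                  "by host.domain.com (8.13.5/8.13.4) with SMTP id o5HLswgI022584")

# "from <claimed> (<rdns> [<ip>]) by <receiver>": the claimed name is what the
# sender announced in HELO/EHLO; the parenthesised part is what the receiving
# MTA observed on the connection and wrote itself.
_FROM_RE = re.compile(
    r"^Received:\s+from\s+(?P<claimed>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)

def parse_received(line):
    """Return the claimed host, reverse DNS, IP and receiving host, or None."""
    m = _FROM_RE.match(line.strip())
    return m.groupdict() if m else None

def _domain(host):
    # Compare on the last two labels so mx1.example.com and
    # mail.example.com count as the same sending domain.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def assess_received(line):
    """Return a one-line verdict for a single Received header."""
    p = parse_received(line)
    if p is None:
        return "unparsed"
    if p["ip"] is None:
        # No "(rdns [ip])" clause at all: the receiving server recorded
        # nothing about the peer, which is the forged-line pattern in the post.
        return "suspicious: no parenthesised peer info"
    if not p["rdns"]:
        # Peer IP was recorded but had no reverse DNS; nothing to compare.
        return f"peer {p['ip']} recorded without reverse DNS"
    if _domain(p["claimed"]) != _domain(p["rdns"]):
        # HELO name and reverse DNS disagree: trust the parenthesised part.
        return f"claimed {p['claimed']} but actually came from {p['rdns']} [{p['ip']}]"
    return "consistent"

if __name__ == "__main__":
    for hdr in (FALSIFIED, REAL, SPOOFED_ORIGIN):
        print(assess_received(hdr))
```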