Thursday, June 17, 2010

The Lowly Parentheses: Its important job in email

The parenthesis servers a surprisingly vital role in determining where email really comes from. In the email "headers" are a series of Received lines. The email server inserts vital information about an email's origin inside the parentheses. It is the one bit of information you can rely on.

For example:
This is a falsified Email Received line:
Received: from by; Fri, 18 Jun 2010 02:01:56 0200

The parens are missing completely.

This is a real one;
Received: from ( []) by (8.13.5/8.13.4) with ESMTP id o5HN38he003988;

Another common thing is for a scammer/spammer to falsify the origin of an email, but the Received line rats them out:

A real, but modified example:

Received: from ( [])
by (8.13.5/8.13.4) with SMTP id o5HLswgI022584
for ; Thu, 17 Jun 2010 14:55:11 -0700

The spammer claimed to be from but it really came from because it's what's inside the parens of the Received line that is correct.

These falsifications are sometimes legit (not everyone owns their own email server) but are often not.

Hurray for the parentheses.

No comments: