BLACK LISTS, SMTP ERRORS, SPOOFING

Faked email address?  How can I tell?

What are email message headers?

Most mail readers (email clients such as MS Outlook or Eudora) do not show the full header, because it contains information used for computer-to-computer routing. The fields you normally get to see from an email header are: Subject, Date, From, Reply-To, To.

If you are using MS Outlook Express and want to look at the FULL message headers: highlight the message > right click > Properties > Details. For Eudora users: select Tools > Options > Fonts & Display, and enable Show all headers.

Every time an e-mail passes through another mail server, a new Received header line is added at the top of the message headers. This means that as you read the Received headers from top to bottom, you are moving closer to the computer or person that sent you the email.

If the header shows more than one Received line, there is the possibility that the sender has added one or more false Received headers to mislead the recipient, either pointing them to another location or preventing them from finding the true sender.


The first Received line of the example below, piece by piece:

from mx3po.yahoo.jp
  <- The name the sending computer gave for itself. Ignore this part; it can easily be falsified.

(mx3po.yahoo.jp [192.228.128.53])
  <- The reverse-DNS lookup and IP address of the sender, recorded by the receiving host; the sender cannot fake this part.

by relay100.yahoo.jp (8.9.3/8.9.3)
  <- The host that added this Received line; this cannot be faked either.

Example of a typical email message header

Received: from mx3po.yahoo.jp (mx3po.yahoo.jp [192.228.128.53])
  by relay100.yahoo.jp (8.9.3/8.9.3) with ESMTP id VAA18813
  for <xyz_header@relay100.yahoo.jp>; Thu, 25 Jul 2002 21:26:31 +0800 (FRT)
Received: from ipop2 (ipop2.net.fr [202.188.0.246])
  by mx3po.yahoo.jp (8.11.1/8.11.1) with ESMTP id g6PDRXP08394
  for <xyz_header@yahoo.com.jp>; Thu, 25 Jul 2002 21:27:33 +0800 (FRT)
Received: from oemcomputer (klj-97-57.net.fr [203.106.97.57])
  by ipop2.net.fr (iPlanet Messaging Server 5.1 HotFix 0.6 (built Apr 26 2002))
  with SMTP id <0GZT00A9Z41NXN@ipop2.net.fr>
  for xyz_header@yahoo.com.jp; Thu, 25 Jul 2002 21:27:28 +0800 (SGT)
Date: Thu, 25 Jul 2002 21:29:05 +0800
From: Timonthy <soandso@net.fr>
Subject: Re: Software need to purchase
To: sirABC - Software Corporation <xyz_header@yahoo.com.jp>
Message-id: <000a01c233df$40378860$39616acb@oemcomputer>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Content-type: multipart/alternative;
  boundary="Boundary_(ID_zIVLL3KEL5CTHqHD7vKZUQ)"
X-Priority: 3
X-MSMail-priority: Normal
X-UIDL: ec647c00efac25694d4e79d9046a56bc
Status: U
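As an added illustration of the two points made above (read Received lines top to bottom; a sender may splice in false ones), here is example code that is not part of the original page: it parses the Received lines of the header shown here, follows the chain from each line's "from" host to the "by" host of the line beneath it, and stops at the first break. The forged variant, its example.net/example.org hostnames and the result field names are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample: the Received lines from the header shown on this page, slightly shortened.
SAMPLE = """Received: from mx3po.yahoo.jp (mx3po.yahoo.jp [192.228.128.53])
 by relay100.yahoo.jp (8.9.3/8.9.3) with ESMTP id VAA18813; Thu, 25 Jul 2002 21:26:31 +0800
Received: from ipop2 (ipop2.net.fr [202.188.0.246])
 by mx3po.yahoo.jp (8.11.1/8.11.1) with ESMTP id g6PDRXP08394; Thu, 25 Jul 2002 21:27:33 +0800
Received: from oemcomputer (klj-97-57.net.fr [203.106.97.57])
 by ipop2.net.fr (iPlanet Messaging Server 5.1) with SMTP id <0GZT00A9Z41NXN@ipop2.net.fr>
From: Timonthy <soandso@net.fr>
Subject: Re: Software need to purchase
"""
# Constructed variant: one bogus Received line spliced in below the genuine first hop
# (placeholder hosts in the example.net/example.org documentation domains).
FORGED = SAMPLE.replace("From: Timonthy", "Received: from mail.example.net (mail.example.net"
                        " [198.51.100.7])\n by smtp.example.org with ESMTP id FAKE001\nFrom: Timonthy")

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                      # name the sender announced; easily falsified
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9.]+)\]\))?"  # rDNS and IP as recorded by the receiver
    r".*?\bby\s+(?P<by>\S+)")                                     # the host that wrote this line

def parse_hops(raw):
    """One dict per Received line, in header order (index 0 = the hop closest to the reader)."""
    values = message_from_string(raw).get_all("Received", [])
    matches = (HOP_RE.search(" ".join(v.split())) for v in values)  # unfold continuation lines
    return [m.groupdict() for m in matches if m]

def _links(upper, lower):
    """True when the host that wrote 'lower' is the host 'upper' says it received from."""
    names = {n.lower().rstrip(".") for n in (upper["helo"], upper["rdns"]) if n}
    return lower["by"].lower().rstrip(".") in names

def trace(raw):
    """Walk the Received lines top-down and stop at the first break in the by -> from chain.
    Lines below a break were not written by a server we can vouch for, so the originating
    IP is taken from the last trusted line."""
    hops = parse_hops(raw)
    trusted = []
    for i, hop in enumerate(hops):
        trusted.append(hop)
        if i + 1 < len(hops) and not _links(hop, hops[i + 1]):
            break
    return {"hop_count": len(hops), "trusted_count": len(trusted),
            "origin_ip": trusted[-1]["ip"] if trusted else None,
            "chain_broken": len(trusted) < len(hops)}

if __name__ == "__main__":
    for label, raw in (("genuine", SAMPLE), ("forged", FORGED)):
        print(label, trace(raw))
```

Qmail-style and other unusual Received formats are not matched by the regular expression and are silently skipped, so treat a hop count lower than the number of Received lines as a reason to read the raw header by hand.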

Basically, an email consists of:

(1) the envelope   (2) the headers   (3) the message body

(1) Envelope
RFC 821 specifies the contents and interpretation of the envelope, which is used by the MTAs for delivery. It is given by these two SMTP commands (MAIL From: and RCPT To:):

MAIL From:<mable@sun.tuc.test.org>
RCPT To:<mable@test.org>

(2) Headers are used by the user agent. Each header field contains a name, followed by a colon, followed by the field value:
Received: by sun.tuc.test.org. (4.1/SMI-4.1)
  id AA01301; Tue, 21 May 98 11:37:22 MST
Message-Id: <6210181836.AA00502@sun.tuc.test.org.>
From: mable@sun.tuc.test.org (Mable Merliney)
Reply-To: mable@test.org
X-Phone: +0 202 671 2761
X-Mailer: Mail User’s Shell (9.1.0 12/02/98)
To: mable@test.org
Subject: testing

Headers beginning with X- are user-defined fields. RFC 822 specifies the format and interpretation of the header fields.

(3) Message body is the content of the message from the sender to the recipient. It is transferred using the DATA command: the headers are sent first, followed by a blank line, followed by the body. Each line transferred with the DATA command must be less than 1000 bytes.

The user agent takes what the sender specifies as the body, adds some headers and passes the result to the MTA.
The MTA adds a few headers, adds the envelope and sends the result to another MTA.
