Full Version: How can it?
melarry
I received this reply (I removed my email address from this quoted text). What I cannot understand is this: the bottom 'Received: from' is supposed to be the originating source. How can the address 156.42.130.36 be forged? I know the name can be forged, but how could the address not be accurate, as this response claims:

=============

How would I help you trace an SMTP connection from someone who spoofed
my address. Perhaps you would be better served to contact verizon.net
and suggest that they not accept SMTP connection from an IP address that
cannot be found in DNS. Our firewall will only allow outbound SMTP
connection from legitimate mailers in our domain. This did not come from
156.42.130.36.

-----Original Message-----
From:
Sent: Monday, June 20, 2005 7:44 PM
To: noc@postinicorp.com; jallen@maricopa.gov; SPAM@UCE.GOV
Subject: e-mail abuse complaint

Abuse Desk:

I have received unsolicited email containing an IP address from your
domain.

Please terminate the spamming customer if you are the host ISP.

If your machine is an open relay/proxy server,


<snip>


The UCE (UBE) that I received is shown below with full headers.

Thank you for your cooperation.


email item - msg20.txt - 6/20/05 - 6:44:21 PM

open relay - postini.com, IP = 64.18.1.192
abuse contact - noc@postinicorp.com

spam source - -- No DNS --, IP = 156.42.130.36
abuse contact - jallen@maricopa.gov


From scuttling@owlsoftware.com Mon Jun 20 17:34:41 2005
Return-path: <scuttling@owlsoftware.com>

Received: from mta-2.gci.net (mta-2.gci.net [208.138.130.83]) by
mailstore-4.gci.net (Sun Java System Messaging Server 6.1 HotFix 0.06
(built Nov 11 2004)) with ESMTP id
<0IIE00GJLUYLE8B0@mailstore-4.gci.net> for ; Mon, 20 Jun
2005 17:32:45 -0800 (AKDT)

Received: from psmtp.com (exprod6mx48.postini.com [64.18.1.192]) by
mta-2.gci.net (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18
2003)) with SMTP id <0IIE00HDVUYKX9@mta-2.gci.net> for gci.net
(ORCPT gci.net) ; Mon, 20 Jun 2005 17:32:45 -0800 (AKDT)

Received: from source ([71.240.191.8]) by exprod6mx48.postini.com
([64.18.5.10]) with SMTP; Mon, 20 Jun 2005 21:32:44 -0400 (EDT)

Received: from [156.42.130.36] (port=4469 helo=[penicillin]) by
pool-71-240-191-8.dllstx.fios.verizon.net with esmtp id
12134267353sphere36956 for ; Mon, 20 Jun 2005 20:32:47
-0500
Date: Mon, 20 Jun 2005 20:32:46 -0500
From: Leonard <scuttling@owlsoftware.com>
Subject: Improve your erections in 30 minutes!
jenkins
melarry

I'm not an expert at interpreting headers, so someone may be able to contribute better or more accurate information.

My understanding is that you should assume that any Received: lines after the top Received: line may be forged. This may include any IP addresses mentioned in those lines.

Therefore you can send an abuse report to the domain which has IP 208.138.130.83 (savvis.net) and hope that they can work out who sent it to them, but a report to Postini for IP 64.18.1.192, Verizon for IP 71.240.191.8 or Maricopa County for IP 156.42.130.36 MIGHT be going to the wrong people.

Unfortunately most of the web pages that tell you how to read e-mail headers assume that there is no forging, so they will tell you that the source is the IP address in the bottom Received: line. This is true for a legitimate e-mail message but quite possibly not true for a spam message.

Peter
Tifferg
Peter is correct: some, if not all, of the later "Received from" headers can be forged. A tool such as SamSpade will advise that they are possible forgeries. In the instance you posted, I did a little mathematics on the date/times:

[QUOTE] <0IIE00GJLUYLE8B0@mailstore-4.gci.net> for ; Mon, 20 Jun
2005 17:32:45 -0800
(AKDT)
[/QUOTE]
sent: 09:32:45
[QUOTE]
Received: from psmtp.com (exprod6mx48.postini.com [64.18.1.192]) by
mta-2.gci.net (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18
2003)) with SMTP id <0IIE00HDVUYKX9@mta-2.gci.net> for gci.net
(ORCPT gci.net) ; Mon, 20 Jun 2005 17:32:45 -0800 (AKDT)[/QUOTE]
received at the same time: 09:32:45 - possible if postini.com and gci.net have a T1 link directly ;-)
[QUOTE]
Received: from source ([71.240.191.8]) by exprod6mx48.postini.com
([64.18.5.10]) with SMTP; Mon, 20 Jun 2005 21:32:44 -0400 (EDT)
[/QUOTE]17:32:44
Now if I've got this right, and they don't have a time machine, they can't have sent the message after it was received higher up.
[QUOTE]
Received: from [156.42.130.36] (port=4469 helo=[penicillin]) by
pool-71-240-191-8.dllstx.fios.verizon.net with esmtp id
12134267353sphere36956 for ; Mon, 20 Jun 2005 20:32:47
-0500
[/QUOTE]17:32:47 - almost certainly forged as it predates the time from postini.com!

Sorry about formatting, can't get the quotes to work!
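A small checker for the two points made in this thread (jenkins's rule that only the hops your own provider stamped can be trusted, and Tifferg's comparison of the hop timestamps), written as an added example and not code from the forum or from any tool named here. The four Received: headers from the message above are re-typed inline as sample input; the clock-skew tolerance and the rule of trusting every hop stamped by a host in the recipient's own domain are my assumptions, the latter generalising jenkins's "only the top line" rule.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# The four Received: headers from the spam in this thread, top = last hop,
# bottom = first hop. Re-typed here as constructed sample input.
RECEIVED = [
    "from mta-2.gci.net (mta-2.gci.net [208.138.130.83]) by mailstore-4.gci.net "
    "with ESMTP id <0IIE00GJLUYLE8B0@mailstore-4.gci.net>; Mon, 20 Jun 2005 17:32:45 -0800 (AKDT)",
    "from psmtp.com (exprod6mx48.postini.com [64.18.1.192]) by mta-2.gci.net "
    "with SMTP id <0IIE00HDVUYKX9@mta-2.gci.net>; Mon, 20 Jun 2005 17:32:45 -0800 (AKDT)",
    "from source ([71.240.191.8]) by exprod6mx48.postini.com ([64.18.5.10]) "
    "with SMTP; Mon, 20 Jun 2005 21:32:44 -0400 (EDT)",
    "from [156.42.130.36] (port=4469 helo=[penicillin]) by "
    "pool-71-240-191-8.dllstx.fios.verizon.net with esmtp; Mon, 20 Jun 2005 20:32:47 -0500",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)")

def parse_hop(header):
    """Return (from_ip, by_host, utc_time) for one Received: header body."""
    body, _, date = header.rpartition(";")
    from_part = BY_RE.split(body)[0]                 # text before 'by <host>'
    ip, by = IP_RE.search(from_part), BY_RE.search(body)
    date = re.sub(r"\(.*?\)", "", date).strip()      # drop the (AKDT) comment
    when = parsedate_to_datetime(date).astimezone(timezone.utc)
    return (ip.group(1) if ip else None, by.group(1) if by else None, when)

def chronology_flags(headers, tolerance_s=0):
    """Walk the chain top-down. A hop stamped later than the hop above it
    (beyond tolerance_s of clock skew, an assumed knob) cannot be genuine:
    the upper server would have received the mail before it was relayed.
    Returns (hops, flags) where flags[i] refers to hops[i + 1]."""
    hops = [parse_hop(h) for h in headers]
    flags = [(low[2] - up[2]).total_seconds() > tolerance_s
             for up, low in zip(hops, hops[1:])]
    return hops, flags

def last_verifiable_ip(headers, own_domain):
    """Trust only hops stamped 'by' a host in the recipient's own domain
    (assumed rule); the 'from' IP of the lowest trusted hop is the last
    address anyone can vouch for. Everything below it may be forged."""
    ip = None
    for from_ip, by_host, _ in (parse_hop(h) for h in headers):
        if not by_host or not by_host.endswith(own_domain):
            break
        ip = from_ip
    return ip
```

With the default zero tolerance the bottom hop (156.42.130.36) is flagged, matching Tifferg's conclusion; real mail servers drift by seconds, so a practitioner would set a tolerance and treat a small gap as suspicious rather than conclusive.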