how do they fake email headers info?

hba2pd

So it means that even if I run SPAMCOP to get information about the
originator of an email, this information is still not reliable and a
reasonably knowledgeable person can fake it.
 
Peter Durkee

There is information in the headers that you can trust, like the ip address
of the machine that handed off the message to your server, and anything that
happened after that transaction.

-Peter
 
Spin

They open up a telnet session and insert stuff there. I imagine people
created some software to do this too.
 
hba2pd

But information before that transaction is unreliable. Therefore,
there is absolutely no information about the origination. But then how
do the police do it?
 
F.H. Muffman

Peter said:
There is information in the headers that you can trust, like the ip
address of the machine that handed off the message to your server,
and anything that happened after that transaction.

I'm not even sure I'd go so far as to say you can always trust the IP
address. While it is true the client can't tell the server that header and
the server is the one that has to put it in there, there are ways to fake a
source IP address.

And, even further, the originator isn't always the originator. Consider a
hacked machine running a bot. It could be an end user box, it could be a
server, but, that machine might be the one talking to the SMTP server. So,
they are the 'originator' of the message, but, they aren't the reason the
message exists. If that makes any sense.

That said, I'd trust being able to find the SMTP box that *accepted* the
message on the Internet...
 
F.H. Muffman

hba2pd said:
But information before that transaction is unreliable. Therefore,
there is absolutely no information about the origination. But then how
do the police do it?

By looking at more than the headers, such as router transaction logs, server
connection logs, ISP logs...
 
the guy

i have a question here, are we ever going to replace SMTP as the default
mail client? Seems it's a bit too trusting and needs some rethinking for a
dishonest world.
 
F.H. Muffman

the guy said:
i have a question here, are we ever going to replace SMTP as the
default mail client? Seems it's a bit too trusting and needs some
rethinking for a dishonest world.

Probably not til well after IPv6 is the standard in the world. But don't
blame the protocol, blame the admins who don't secure their smtp servers
better.
 
hba2pd

So am I right in concluding that there is absolutely no information
about the origination. If someone wants to fake it on, say, Outlook,
how can he do this?
 
F.H. Muffman

hba2pd said:
So am I right in concluding that there is absolutely no information
about the origination. If someone wants to fake it on, say, Outlook,
how can he do this?

No, you aren't right. It is just that sometimes, the route to find the
person isn't as short as walking through the headers.

In Outlook? They wouldn't. They'd use a piece of software written
specifically for spammers and the like so that they can send mail to 30
bazillion people without getting caught, all the while somehow making money
out of it.

And, as an aside, asking how someone would do it in Outlook sounds a whole
lot like 'I'd like to spam people using Outlook and not be caught.' Maybe
that's just me.
 
Milly Staples [MVP - Outlook]

Very easily - but you won't get the information from one of us. Why make it easier to create another spammer/mail forger? Let them look in google - you can find anything using google.

--
Milly Staples [MVP - Outlook]

Post all replies to the group to keep the discussion intact. All
unsolicited mail sent to my personal account will be deleted without
reading.

After furious head scratching, hba2pd asked:

| So am I right in concluding that there is absolutely no information
| about the origination. If someone wants to fake it on, say, Outlook,
| how can he do this?
|
| On Mar 27, 8:13 AM, "F.H. Muffman"
|| the guy wrote:
||| i have a question here, are we ever going to replace SMTP as the
||| default mail client? Seems it's a bit too trusting and needs some
||| rethinking for a dishonest world.
||
|| Probably not til well after IPv6 is the standard in the world. But
|| don't blame the protocol, blame the admins who don't secure their
|| smtp servers better.
||
|| --
|| f.h.
 
hba2pd

I understand. I got an email which looks like a spam but seems to
contain some information relevant only to insiders. I wanted to
determine whether it is an accident or on purpose.
 
F.H. Muffman

hba2pd said:
I understand. I got an email which looks like a spam but seems to
contain some information relevant only to insiders. I wanted to
determine whether it is an accident or on purpose.

What sort of 'information'? Why don't you start with asking about the issue
at hand, the information in the header, why it might be there and what's
wrong.
 
hba2pd

I mean the content of this supposedly spam email contains some
specific names which can be suggestive, etc. I am not sure what you
mean.
 
F.H. Muffman

hba2pd said:
I mean the content of this supposedly spam email contains some
specific names which can be suggestive, etc. I am not sure what you
mean.

Do you have a spam message that you are curious about in particular? If you
do, could you share what part of the header you're concerned about so that
we might be able to help you understand what it's for, how it got there
and/or what it means?
 
hba2pd

here they are.

Delivered-To: ***@gmail.com
Received: by 10.78.12.19 with SMTP id 19cs1718667hul;
Sun, 25 Mar 2007 17:50:50 -0700 (PDT)
Received: by 10.100.7.18 with SMTP id 18mr4452102ang.1174870249836;
Sun, 25 Mar 2007 17:50:49 -0700 (PDT)
Return-Path: <[email protected]>
Received: from Unknown (24-196-86-114.dhcp.mdsn.wi.charter.com
[24.196.86.114])
by mx.google.com with ESMTP id c37si12687764ana.
2007.03.25.17.50.42;
Sun, 25 Mar 2007 17:50:49 -0700 (PDT)
Received-SPF: fail (google.com: domain of (e-mail address removed) does not
designate 24.196.86.114 as permitted sender)
Message-ID: <025a01c76f40$cce30a90$82e53748@KKHZTU>
From: "Dawkins Ollie" <[email protected]>
To: "June" <[email protected]>
Subject:
Date: Sun, 25 Mar 2007 18:40:17 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0257_01C76F06.20843290"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.
 
Brian Tillman

hba2pd said:
here they are. ....snip...
From: "Dawkins Ollie" <[email protected]>
To: "June" <[email protected]>
Subject:

I notice you change the mail address on the Delivered-To header, but not on
this one. Oops.

These three lines are enough to assure you fairly well that the message is
spam, unless your real name is June and you know someone whose name is
Dawkins Ollie.
 
F.H. Muffman

hba2pd said:
Do you have a spam message that you are curious about in particular?
If you do, could you share what part of the header you're concerned
about so that we might be able to help you understand what it's for,
how it got there and/or what it means?
here they are.

Delivered-To: ***@gmail.com
Received: by 10.78.12.19 with SMTP id 19cs1718667hul;
Sun, 25 Mar 2007 17:50:50 -0700 (PDT)
Received: by 10.100.7.18 with SMTP id 18mr4452102ang.1174870249836;
Sun, 25 Mar 2007 17:50:49 -0700 (PDT)
Return-Path: <[email protected]>
Received: from Unknown (24-196-86-114.dhcp.mdsn.wi.charter.com
[24.196.86.114])
by mx.google.com with ESMTP id c37si12687764ana.
2007.03.25.17.50.42;
Sun, 25 Mar 2007 17:50:49 -0700 (PDT)
Received-SPF: fail (google.com: domain of (e-mail address removed) does not
designate 24.196.86.114 as permitted sender)
Message-ID: <025a01c76f40$cce30a90$82e53748@KKHZTU>
From: "Dawkins Ollie" <[email protected]>
To: "June" <[email protected]>
Subject:
Date: Sun, 25 Mar 2007 18:40:17 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0257_01C76F06.20843290"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.

In addition to what Brian said, is there something in the header that you
want to know about in particular? You've seemed to be curious about how to
fake headers and whatnot, what particular line in the header worries you?
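Peter's and F.H. Muffman's point about which header lines can be trusted, as an added example that is not from any poster: it takes the header block posted above (refolded, addresses left redacted as posted), finds the first Received line stamped by the receiving domain (google.com here, the only assumption), and reports what that server recorded against what the client claimed.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Header block as posted in the thread (addresses redacted as on the page), refolded.
RAW_HEADERS = """\
Delivered-To: ***@gmail.com
Received: by 10.78.12.19 with SMTP id 19cs1718667hul;
 Sun, 25 Mar 2007 17:50:50 -0700 (PDT)
Received: by 10.100.7.18 with SMTP id 18mr4452102ang.1174870249836;
 Sun, 25 Mar 2007 17:50:49 -0700 (PDT)
Return-Path: <[email protected]>
Received: from Unknown (24-196-86-114.dhcp.mdsn.wi.charter.com
 [24.196.86.114])
 by mx.google.com with ESMTP id c37si12687764ana.2007.03.25.17.50.42;
 Sun, 25 Mar 2007 17:50:49 -0700 (PDT)
Received-SPF: fail (google.com: domain of (e-mail address removed) does not
 designate 24.196.86.114 as permitted sender)
From: "Dawkins Ollie" <[email protected]>
To: "June" <[email protected]>
Date: Sun, 25 Mar 2007 18:40:17 -0800

"""

def trusted_hop(msg, my_domain):
    """Newest first, return the first Received line stamped by our own MX.
    That hop and everything above it is ours; everything below is client data."""
    for rcvd in msg.get_all('Received', []):
        if re.search(r'\bby\s+(?:[\w.-]+\.)?' + re.escape(my_domain) + r'\b', rcvd):
            return rcvd
    return None

def analyze(raw, my_domain):
    msg = message_from_string(raw)
    hop = trusted_hop(msg, my_domain)
    ip = re.search(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]', hop).group(1)  # peer IP, server-recorded
    helo = re.search(r'from\s+(\S+)', hop).group(1)                 # HELO name, client-supplied
    rdns = re.search(r'\((\S+)\s*\[', hop)                          # reverse DNS, server-recorded
    rdns = rdns.group(1) if rdns else None
    accepted = parsedate_to_datetime(hop.rsplit(';', 1)[1])         # our server's clock
    claimed = parsedate_to_datetime(msg['Date'])                    # sender's Date header
    spf = msg.get('Received-SPF', '').split()
    return {
        'handoff_ip': ip, 'helo': helo, 'rdns': rdns,
        'helo_matches_rdns': helo.lower() == (rdns or '').lower(),
        'spf': spf[0].lower() if spf else 'none',
        # positive = the client-stamped Date is later than the moment we accepted the mail
        'date_skew_s': int((claimed - accepted).total_seconds()),
    }
```

On the posted headers this reports the handoff from 24.196.86.114 with HELO "Unknown" not matching its reverse DNS, an SPF fail, and a Date header stamped about 1 h 49 min after the server accepted the message.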
 