Can Received headers be spoofed?

guanxi

Hello,

Is it possible to spoof Received headers, without actually hacking the
receiving mail system?


I'm trying to pinpoint the source of a virus that spreads by e-mail.

Many factors point to one computer on one network, but the Received:
header on every msg points to a computer on a different network, a
thousand miles away.


I doubt it's feasible for a virus to forge the Received: header, since
I believe the receiving mail system (pair.com in this case) stamps it
on there.

For reference, below the headers from one e-mail.

Thanks in advance,
Tom




Sample message headers. The Received line I'm referring to is the
earliest one, from Comcast by Pair.

(all e-mail addresses changed to (e-mail address removed))

==========================

Return-Path: <[email protected]>
Delivered-To: intelinc-intelligenceinc:[email protected]
X-Envelope-To: (e-mail address removed)
Received: (qmail 59778 invoked by uid 3186); 11 May 2004 03:20:26 -0000
Delivered-To: intelinc-intelligenceinc:[email protected]
Received: (qmail 59773 invoked from network); 11 May 2004 03:20:24 -0000
Received: from pcp04474417pcs.brmngh01.mi.comcast.net (HELO oemcomputer.net) (68.40.27.77)
  by peulik.pair.com with SMTP; 11 May 2004 03:20:24 -0000
Date: Mon, 10 May 2004 23:20:23 -0500
To: (e-mail address removed)
Subject: Notify from a known person ;-)
From: (e-mail address removed)
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------bwweayaoupdjwphharjj"
X-Spam-Filtered: b259681148507707756f433aa0fa902f
X-Spam-Status: No, hits=-101.5 required=3.5
tests=HTML_IMAGE_ONLY_04,MIME_HTML_ONLY,USER_IN_WHITELIST,NO_REAL_NAME,MIME_MISSING_BOUNDARY,BAYES_00,HTML_MESSAGE
X-Spam-Flag: NO
X-Spam-Level:
 
David W. Hodgins

Is it possible to spoof Received headers, without actually hacking the
receiving mail system?

In theory, it's possible, but extremely difficult and very unlikely. However,
spammers and email worms can, and do, append fake Received headers
to make it more difficult to trace the real source.
Received: (qmail 59778 invoked by uid 3186); 11 May 2004 03:20:26 -0000
Delivered-To: intelinc-intelligenceinc:[email protected]
Received: (qmail 59773 invoked from network); 11 May 2004 03:20:24 -0000

The above lines were generated by your ISP, or possibly by your computer, if you're
running your own mail transfer agent.
Received: from pcp04474417pcs.brmngh01.mi.comcast.net (HELO oemcomputer.net) (68.40.27.77)
  by peulik.pair.com with SMTP; 11 May 2004 03:20:24 -0000

The above header was generated by your ISP when it received the mail. In
this case, the sending computer is 68.40.27.77, on which your ISP has done
a reverse DNS lookup to obtain the real name, which is the comcast.net-assigned
name. The oemcomputer.net is what the sending computer claimed was its name
in the HELO command during the SMTP transfer to your ISP.

In this case, there are no forged Received headers, just the fake host name,
making it clear the virus was sent from the Comcast IP.

Forward the virus email, with complete headers, but the attachment deleted,
to abuse @ comcast.net (without the spaces around the @).

Regards, Dave Hodgins
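An added worked example of the reasoning in the two posts above (this is my code, not anything either poster wrote): it walks the Received headers from the top down, treats only stamps written "by" the recipient's own servers as trustworthy, and reports the first such hop that came from an outside host as the real sender, counting any Received lines below it as sender-supplied. The sample headers are the ones quoted in the thread (addresses already removed there), refolded as an MTA writes them, plus one fictitious forged Received line added below the genuine pair.com hop to show how an appended fake is ignored; the ".pair.com" trusted suffix is an assumption about which servers belong to the recipient's ISP.

```python
import email
import re

# Constructed sample (not from the thread as posted): the quoted headers, refolded the way
# the receiving MTA wrote them, plus ONE FICTITIOUS Received line below the genuine
# pair.com hop, of the kind a worm or spammer appends; it uses an RFC 5737 test address.
SAMPLE = """\
Return-Path: <(e-mail address removed)>
Received: (qmail 59778 invoked by uid 3186); 11 May 2004 03:20:26 -0000
Delivered-To: intelinc-intelligenceinc:(e-mail address removed)
Received: (qmail 59773 invoked from network); 11 May 2004 03:20:24 -0000
Received: from pcp04474417pcs.brmngh01.mi.comcast.net (HELO oemcomputer.net) (68.40.27.77)
  by peulik.pair.com with SMTP; 11 May 2004 03:20:24 -0000
Received: from mail.example.net (HELO mail.example.net) (192.0.2.10)
  by oemcomputer.net with SMTP; 11 May 2004 03:19:58 -0000
Date: Mon, 10 May 2004 23:20:23 -0500
To: (e-mail address removed)
Subject: Notify from a known person ;-)
From: (e-mail address removed)

(body and attachment omitted)
"""

# qmail-style network hop: "from <rDNS> (HELO <claimed name>) (<ip>) by <server> with SMTP; <date>"
HOP_RE = re.compile(
    r"^from\s+(?P<rdns>\S+)\s+\((?:HELO|EHLO)\s+(?P<helo>[^)]*)\)\s+"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$"
)


def parse_hop(value):
    """Return the parts of one Received header, or None for a local delivery stamp
    such as "(qmail 59778 invoked by uid 3186)", which records no network hop."""
    m = HOP_RE.match(" ".join(value.split()))   # unfold and collapse whitespace
    return m.groupdict() if m else None


def trace_origin(raw_message, trusted_suffixes):
    """Walk the Received headers from the top (most recent hop) down and return the first
    hop stamped by one of our own servers from a host that is not ours. Its IP is the real
    sender: each MTA prepends its own stamp and cannot alter the ones above it, so only the
    lines BELOW that hop were under the sender's control and may be forged."""
    def trusted(host):
        return host.lower().rstrip(".").endswith(trusted_suffixes)

    hops = email.message_from_string(raw_message).get_all("Received") or []
    for idx, value in enumerate(hops):
        hop = parse_hop(value)
        if hop is None:
            continue                      # local stamp on our side, keep walking down
        if not trusted(hop["by"]):
            # A foreign server's stamp above our own means the chain of custody is
            # broken (or the trusted list is wrong); refuse to guess.
            raise ValueError("untrusted relay above our own stamps: " + hop["by"])
        if trusted(hop["rdns"]):
            continue                      # internal relay between our own servers
        hop["untrusted_hops_below"] = len(hops) - idx - 1
        return hop
    return None


def report(raw_message, trusted_suffixes):
    hop = trace_origin(raw_message, trusted_suffixes)
    if hop is None:
        return "no ingress hop found"
    return ("sender IP {ip} (rDNS {rdns}, claimed HELO {helo}) accepted by {by} at {date}; "
            "{untrusted_hops_below} Received line(s) below this were supplied by the sender "
            "and are not evidence").format(**hop)


if __name__ == "__main__":
    print(report(SAMPLE, (".pair.com",)))
```

Run against the sample, it names 68.40.27.77 (Comcast reverse DNS, fake HELO oemcomputer.net) as the sender and counts the appended mail.example.net line as one sender-supplied hop. If the trusted suffix is wrong for your ISP, the walk raises rather than guessing, since a foreign stamp above your own servers' stamps cannot occur in a normal delivery.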
 
