You can check the email headers to find the actual routing of the email. For example
the message you sent has these headers:
Return-Path: <[EMAIL PROTECTED]>
Received: from lists.gnac.net (lists.gnac.net [209.182.195.144])
    by point.pch.gc.ca (8.9.3/8.9.3) with ESMTP id CAA21007
    for <[EMAIL PROTECTED]>; Wed, 29 May 2002 02:37:38 -0400 (EDT)
Received: from lists.gnac.net (localhost [127.0.0.1])
    by lists.gnac.net (Postfix) with ESMTP
    id 1B80810468; Tue, 28 May 2002 23:37:35 -0700 (PDT)
Delivered-To: [EMAIL PROTECTED]
Received: from ithaca.logos.cy.net (ithaca.logos.cy.net [194.30.128.35])
    by lists.gnac.net (Postfix) with ESMTP id 1839610442
    for <[EMAIL PROTECTED]>; Wed, 22 May 2002 05:17:23 -0700 (PDT)
Received: from astylianou (itd-130.bankofcyprus.com [194.30.142.130])
    by ithaca.logos.cy.net (Switch-2.0.1/Switch-2.0.1) with SMTP id g4MCEgr22817
    for <[EMAIL PROTECTED]>; Wed, 22 May 2002 15:14:42 +0300 (EEST)
Message-ID: <009b01c2018a$85e817d0$b905010a@astylianou>
From: "Andreas Stylianou" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Question on E-mail
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0094_01C201A3.50DF6570"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Sender: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
X-BeenThere: [EMAIL PROTECTED]
X-Mailman-Version: 2.0.5
Precedence: bulk
List-Help: <mailto:[EMAIL PROTECTED]?subject=help>
List-Post: <mailto:[EMAIL PROTECTED]>
List-Subscribe: <http://lists.gnac.net/mailman/listinfo/firewalls>,
    <mailto:[EMAIL PROTECTED]?subject=subscribe>
List-Id: Firewalls <firewalls.lists.gnac.net>
List-Unsubscribe: <http://lists.gnac.net/mailman/listinfo/firewalls>,
    <mailto:[EMAIL PROTECTED]?subject=unsubscribe>
List-Archive: <http://lists.gnac.net/pipermail/firewalls/>
Date: Wed, 22 May 2002 15:14:06 +0300
As you can see there are a series of Received lines in reverse chronological order
that show the passage of the message through the Internet from your mail server to the
firewalls server, then (a week later) going out again to my email forwarder, then to
me. RFC822 headers have format
headername: headerdata
with the data indented with white space on lines following first.
The last Received line is one supposedly created by first host after original sending
host.
Received: from astylianou (itd-130.bankofcyprus.com [194.30.142.130])
    by ithaca.logos.cy.net (Switch-2.0.1/Switch-2.0.1) with SMTP id g4MCEgr22817
    for <[EMAIL PROTECTED]>; Wed, 22 May 2002 15:14:42 +0300 (EEST)
It says that a machine with IP address [194.30.142.130] that has reverse lookup of
itd-130.bankofcyprus.com but that responds to SMTP with name astylianou (looks like
your name) connected to a host that calls itself ithaca.logos.cy.net using a Mail
Transfer Agent (MTA) called Switch-2.0.1/Switch-2.0.1. The transaction had id
g4MCEgr22817 (useful for checking in logs). It had a recipient address of the
firewalls list and it was received by cy.net at Wed, 22 May 2002 15:14:42 +0300 (EEST)
(East European Standard time 3 hours east of UTC).
So it looks like a server for the same ISP as you claim to come from
(zenon.logos.cy.net) sent the message.
But of course, a computer smart person who is faking the From: name can also add
these lines as well.
Looking at your post, you can see that it sat at lists.gnac.net for a week before
being sent out to the mailing list. This was probably because it needed to be reviewed
by a moderator since you were not a member of this list when you sent it.
To check on whether the address a message purports to come from is valid, look for an
MX entry in the DNS for that domain (or the actual host if there is no MX).
If the host is the same as the first or second host in the Received chain, you can be
more assured that it is true.
But someone else on the same ISP can fake the from address and still have everything
else valid.
You can also attempt to see if the sending machine knows about the sender address:
Using Sam Spade (http://www.samspade.org), a very useful tool, I find:
05/29/02 21:42:15 SMTP Verify [EMAIL PROTECTED], at mail-gw.logos.cy.net
Contacting 194.30.128.35
220 ithaca.logos.cy.net ESMTP Sendmail Switch-2.0.1/Switch-2.0.1; Thu, 30 May 2002 04:40:00 +0300 (EEST)
HELO example.com
250 ithaca.logos.cy.net Hello CPE00501809be61.cpe.net.cable.rogers.com [24.112.59.50], pleased to meet you
VRFY [EMAIL PROTECTED]
252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery (or try finger)
EXPN [EMAIL PROTECTED]
502 5.7.0 Sorry, we do not allow this operation
Doesn't want to talk to us
RSET
250 2.0.0 Reset state
MAIL FROM:<[EMAIL PROTECTED]>
250 2.1.0 <[EMAIL PROTECTED]>... Sender ok
RCPT TO:<[EMAIL PROTECTED]>
250 2.1.5 <[EMAIL PROTECTED]>... Recipient ok
RCPT TO:<[EMAIL PROTECTED]>
250 2.1.5 <[EMAIL PROTECTED]>... Recipient ok
RSET
250 2.0.0 Reset state
QUIT
221 2.0.0 ithaca.logos.cy.net closing connection
This gives even more evidence that you didn't fake it.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf
Of Andreas Stylianou
Sent: Wed May 22 2002 08:14
To: [EMAIL PROTECTED]
Subject: Question on E-mail
Dear all,
I believe that anyone can change the From: field in its e-mail program and enter
somebody else's e-mail address pretending that he/she is that person sending the
e-mail.
Is there any way that either the mail is not sent at all or the recipient knows that
the e-mail received is not actually sent by the person whose name is stated in the
from field?
Thank you
Andreas
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls