> The reason I'm asking is that I'm trying to ascertain the likelihood
> that the header time stamps on some mail I have received from a sender
> are accurate or possibly fabricated.

The headers should contain at least one "Received: " line.  If those
lines aren't forged, they are usually chronological.  My mail server
lists them from the most recent to the oldest.  Let's say you have a
line like this:

  Received: from mailsrv1.domain1.com (mout-56.domain1.com [220.220.22.22])
      by mx.yourdomain.org (8.14.1/8.14.1) with ESMTP id l92CrYxR029471
      for <[EMAIL PROTECTED]>; Tue, 2 Oct 2007 08:53:34 -0400 (EDT)

Note that even though this is on three lines, it is a single "Received: "
line.  Your lines may be missing various parts.  Most mail servers don't
add the "for <[EMAIL PROTECTED]>" part, for instance.

The first thing you have to do is look at the headers of the email in
question and identify the line that was added by _your_ ISP.  In other
words, the line that has the "by somehost.yourdomain.org" part.  If the
incoming e-mail in your ISP goes through several servers before it
reaches the end user (you), there could be several Received lines that
match the above criteria.

Now, you have to assume that your ISP's (or your own, your school's,
your workplace's) mail server is working correctly, not hacked, keeps
the time in your timezone, etc. etc.  In other words, you have to
trust something, and if you can't even trust the mail server at your
end, then there's no point looking any further.

So, given you trust your mail server, the above line with the
"by mx.yourdomain.org ..." is the only line you can be certain of.
What that line tells you is that your (ISP's) mail server received this
message from a host with an IP address 220.220.22.22 and _your_ mail
server identified that host as mout-56.domain1.com.  During the SMTP
handshake, that host identified itself as mailsrv1.domain1.com.  The
timestamp "Tue, 2 Oct 2007 08:53:34 -0400" was added by _your_ mail
server, so you can trust that.  [In the timestamps, -0400 means US EDT;
-0700 means US Pacific Daylight Time; -0000 means GMT, which may or may
not be UK time depending on whether it is daylight saving time in the UK]

Now, if there is another "Received: " line that has domain1.com like
"by ... domain1.com" and its timestamp is close enough, you may
want to trust that just to trace the route, but there is no guarantee
that that line is legit.


Why can't you trust other lines?  It's because of the way mail servers
route messages.  Any mail server can contact any other mail
server and tell the receiving server "I have some mail for
you", and if the receiving side accepts it, can send all the rest as
a data stream.  The receiving mail server adds _one_ "Received: " line
as a way to show its work.  All the other "Received: " lines are
sent by the other mail server as a part of the message.  You cannot
even trust the "From: " or the "Date: " lines.

[ Here's one way to add fake "Received: " lines
telnet mailsrv.yourdomain.org 25, after connection, you can do
helo gibberish.yourdomain.org
mail from: [EMAIL PROTECTED]
rcpt to: [EMAIL PROTECTED]
data
<type in any random "Received: " lines here>
From: any random ID
Date: any random date
To: someID

This e-mail has fake headers blah blah
.

depending on how much sanity-checking your mail server does
you should be able to send yourself e-mail with quite a lot of
fake stuff in the header. ]


Now, if you really must verify if a message was sent, for whatever
reason, you can contact the postmaster@<senderdomain.com> (for
the appropriate sender domain), give him/her a copy of the
headers and ask that s/he check the mail logs for the SMTP ID
listed in the headers.  But most postmasters won't do that
unless there's a really good reason for it or there's a court
order or something like that.  And most mail servers don't keep
the mail logs forever, so the longer you wait, the harder it might be to
check the SMTP ID or the Message-ID at the sender's side.


************************************************************************
* List archive at www.mail-archive.com/[email protected]/
* RSS at www.mail-archive.com/[email protected]/maillist.xml
* Messages bearing the header "X-No-Archive: yes" will not be archived
************************************************************************

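The two things the post describes, the telnet forgery session and the fact that only the line stamped "by" your own MX can be trusted, as an added worked example that is not part of the original post. Everything in it is constructed: the forged DATA stream, the host names, the 203.0.113.x / 198.51.100.x addresses and the SMTP id values are made up for the demo, `mx.yourdomain.org` is assumed to be your ISP's MX, and the "receiving MTA" is a stub that mimics what a real server does (prepend exactly one Received: line); nothing here connects to a real mail server.

```python
"""Trace Received: headers and separate the one line the local MX stamped
from everything a sender could have typed into the DATA stream.

Added example, not code from the original post.  Hosts, addresses and the
message itself are constructed for the demo; nothing talks to a real MTA.
"""
import email
import re
from email.utils import parsedate_to_datetime

MY_MX = "mx.yourdomain.org"   # assumption: the host your ISP's MX writes after "by"

# Received: from <helo> (<rdns> [<ip>]) by <host> ... id <id> ...; <date>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
    r"(?:.*?\bid\s+(?P<id>\S+))?"
    r".*?;\s*(?P<date>.+)$"
)

# Constructed DATA stream, i.e. what the post's "telnet ... 25" session types
# after the DATA command: a home-made "Received:" line plus From:/Date:,
# then the blank line and the body.  Note the date is AFTER delivery.
FORGED_DATA = (
    "Received: from relay.bigbank.example (relay.bigbank.example [203.0.113.5])\n"
    "    by mailhub.domain1.com with ESMTP id fake0001;\n"
    "    Wed, 3 Oct 2007 09:00:00 -0400\n"
    "From: ceo@bigbank.example\n"
    "Date: Wed, 3 Oct 2007 09:00:00 -0400\n"
    "To: you@yourdomain.org\n"
    "\n"
    "This e-mail has fake headers blah blah\n"
)


def receiving_mta_stamp(data, helo, rdns, ip, smtp_id, date):
    """Stub of the receiving MX: it prepends exactly ONE Received: line built
    from what it observed itself (peer IP, its own reverse lookup of that IP,
    the HELO name the peer sent, its own clock) and forwards DATA untouched."""
    stamp = (f"Received: from {helo} ({rdns} [{ip}])\n"
             f"    by {MY_MX} (8.14.1/8.14.1) with ESMTP id {smtp_id}\n"
             f"    for <you@yourdomain.org>; {date}\n")
    return stamp + data


def parse_received(raw_message):
    """One dict per Received: line, top (newest) first, with the folded
    continuation lines joined back into a single header before parsing."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold the multi-line header
        m = RECEIVED_RE.search(flat)
        hop = m.groupdict() if m else {"raw": flat}
        if m:
            hop["when"] = parsedate_to_datetime(m.group("date"))
        hops.append(hop)
    return hops


def trusted_hop(hops, my_mx=MY_MX):
    """Index of the first line stamped by our own MX.  Everything below it
    arrived inside the DATA stream and cannot be verified from the headers."""
    for i, hop in enumerate(hops):
        if hop.get("by", "").lower().endswith(my_mx):
            return i
    return None


def audit(raw_message, my_mx=MY_MX):
    """Return the trusted hop plus any lower line whose clock runs AFTER our
    MX's stamp; such a line claims to be older but post-dates delivery, so it
    was typed by the sender (the check only catches careless forgeries)."""
    hops = parse_received(raw_message)
    t = trusted_hop(hops, my_mx)
    if t is None:
        return {"trusted": None, "suspicious": [], "hops": hops}
    anchor = hops[t]["when"]
    suspicious = [hop.get("id") or hop.get("raw")
                  for hop in hops[t + 1:]
                  if hop.get("when") and hop["when"] > anchor]
    return {"trusted": hops[t], "suspicious": suspicious, "hops": hops}


if __name__ == "__main__":
    delivered = receiving_mta_stamp(
        FORGED_DATA, helo="gibberish.yourdomain.org",
        rdns="dialup-77.isp.example", ip="198.51.100.77",
        smtp_id="l92CrYxR029471", date="Tue, 2 Oct 2007 08:53:34 -0400 (EDT)")
    report = audit(delivered)
    t = report["trusted"]
    print(f"trusted: peer {t['ip']} (rDNS {t['rdns']}) said HELO "
          f"{t['helo']} at {t['when']}, SMTP id {t['id']}")
    for hop in report["hops"][1:]:
        print("unverifiable:", hop.get("by"), hop.get("id"), hop.get("when"))
    print("clock anomalies:", report["suspicious"])
```

Run as-is and the report shows the real peer (198.51.100.77, a dial-up host) behind the forged "relay.bigbank.example" line, and flags `fake0001` because its timestamp is later than the stamp your MX put on the message. A forger who picks a plausible date passes the clock check, which is the post's point: the only facts you hold are the IP, reverse DNS, HELO name and timestamp in your own MX's line, and the SMTP id there is what a postmaster would have to look up.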