>After receiving the information below about a spam complaint I am trying to
>better understand what can be forged in a mail header.
Absolutely anything in the E-mail headers can be forged. You can only
trust what you know can be trusted (what is added by your mail server, or
any others that you trust). Typically, the first Received: header can be
trusted, and any that IMail/Declude add (such as IMail's X-RCPT-TO: or
Declude's X-Declude-Sender: headers).
>More specifically, can this information be forged data?
> Return-Path: <[EMAIL PROTECTED]> (user name changed) I suspect it
> can.
Unless this appears before the first Received: header (which would indicate
that it was added by your mail client), it cannot be trusted, and is
actually meaningless. In this case, it did appear before the first
Received: header, which would indicate that the spammer really did claim to
be [EMAIL PROTECTED]. Of course, most spammers use fake return
addresses. So all you are guilty of is being a victim of the spammer.
> Status: U
> Return-Path: <[EMAIL PROTECTED]>
Since these are above the Received: headers, they are almost certainly
legitimate (added by the mail client).
> Received: from pe1.pricengine.com ([208.178.127.18]) by merlin (EarthLink SMTP Server)
> with SMTP id 16J6NN2fR3NZFlq0; Thu, 7 Mar 2002 14:55:57 -0800 (PST)
This is the only header that you can trust (assuming that the spam
complaint is legitimate). It indicates that the E-mail was sent from
208.178.127.18. That's the only really useful information that you have in
this header.
> Received: from computer2_[216.126.160.21] by pe1.pricengine.com
> (8.9.3/1.1.29.3/02Aug01-0245PM) id MAA0000095367; Tue, 5 Mar 2002 12:30:26 -0500 (EST)
This one *may* contain useful information, or may not. That depends on
whether 208.178.127.18 is trustworthy or not -- but since it was sending
out spam, you can't assume that it is (although it sounds like they are an
"innocent" open relay).
> From: <[EMAIL PROTECTED]>
> Received: from by computer2 with ESMTP; Tue, 05 Mar 2002 12:36:27 -0600
> Message-ID: <0000509237c0$00000114$00005312@>
> To: <Undisclosed [EMAIL PROTECTED]>
These headers are almost certainly made up. Specifically, the Message-ID:
header is broken (and would cause the E-mail to fail the BADHEADERS test in
Declude JunkMail).
-Scott
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". You can E-mail
[EMAIL PROTECTED] for assistance. You can visit our web
site at http://www.declude.com .
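As an added example (not part of Scott's reply, and not Declude or IMail code), the
following Python script walks a header block the way the reply above reads it: headers
above the first Received: were added locally after delivery, the topmost Received: was
written by your own server and is the one line you can believe, each later Received:
is believed only if the relay that wrote it is one you trust, and everything else
travelled inside the message from the sender. It also applies the Message-ID: sanity
check the reply mentions (the id must have something on both sides of the "@"). The
header block is constructed for the example, modelled on the one quoted in the thread
with the redacted addresses replaced by placeholders; the trust-chain rule and the
`trusted_relays` parameter are this example's own, not a Declude feature.

```python
import re
from email.parser import HeaderParser

# Constructed sample, modelled on the headers quoted in the thread. The
# addresses are placeholders (the originals were redacted).
SAMPLE = (
    "Status: U\n"
    "Return-Path: <sender@example.net>\n"
    "Received: from pe1.pricengine.com ([208.178.127.18]) by merlin\n"
    "\t(EarthLink SMTP Server) with SMTP id 16J6NN2fR3NZFlq0;\n"
    "\tThu, 7 Mar 2002 14:55:57 -0800 (PST)\n"
    "Received: from computer2_[216.126.160.21] by pe1.pricengine.com\n"
    "\t(8.9.3/1.1.29.3/02Aug01-0245PM) id MAA0000095367;\n"
    "\tTue, 5 Mar 2002 12:30:26 -0500 (EST)\n"
    "From: <sender@example.net>\n"
    "Received: from by computer2 with ESMTP; Tue, 05 Mar 2002 12:36:27 -0600\n"
    "Message-ID: <0000509237c0$00000114$00005312@>\n"
    "To: <Undisclosed recipients@example.net>\n"
)

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# msg-id is "<" id-left "@" id-right ">" with both sides non-empty; the
# sample's Message-ID has nothing after the "@" and fails this.
MESSAGE_ID = re.compile(r"^<[^<>@\s]+@[^<>@\s]+>$")


def parse_headers(raw):
    """Return (name, value) pairs in wire order, with folded lines unfolded."""
    msg = HeaderParser().parsestr(raw, headersonly=True)
    return [(name, re.sub(r"\s+", " ", value).strip()) for name, value in msg.items()]


def connecting_ip(received):
    """IP of the host that handed the message to the server writing this line.

    Only the 'from ...' clause is consulted, so a bare name such as
    'computer2' or a missing clause ('from by ...') yields None.
    """
    from_clause = received.split(" by ", 1)[0]
    m = IPV4_IN_BRACKETS.search(from_clause)
    return m.group(1) if m else None


def message_id_is_valid(value):
    return MESSAGE_ID.match(value) is not None


def analyze(raw, trusted_relays=frozenset()):
    """Split a header block into trust zones.

    'local'     headers above the first Received:, added by the recipient's
                own client/server after delivery (Status:, Return-Path:).
    'received'  each Received: line with the IP it records and whether it can
                be believed: the topmost was written by our own server; each
                later one was written by the host named in the line above it,
                so it is believed only if that host is a trusted relay.
    'forwarded' every other header came inside the message from the sender.
    'origin_ip' the furthest-back hop we can still vouch for.
    """
    zones = {"local": [], "received": [], "forwarded": [],
             "origin_ip": None, "bad_message_id": False}
    seen_received = False
    prev_trusted, prev_ip = False, None
    for name, value in parse_headers(raw):
        if name.lower() == "received":
            ip = connecting_ip(value)
            trusted = (not seen_received) or (prev_trusted and prev_ip in trusted_relays)
            seen_received = True
            if trusted:
                zones["origin_ip"] = ip
            zones["received"].append({"ip": ip, "trusted": trusted, "value": value})
            prev_trusted, prev_ip = trusted, ip
        elif not seen_received:
            zones["local"].append(name)
        else:
            zones["forwarded"].append(name)
            if name.lower() == "message-id" and not message_id_is_valid(value):
                zones["bad_message_id"] = True
    return zones


if __name__ == "__main__":
    report = analyze(SAMPLE)
    print("added locally:", ", ".join(report["local"]))
    for hop in report["received"]:
        print(f"Received from {hop['ip']!s:16} trusted={hop['trusted']}")
    print("sender-controlled:", ", ".join(report["forwarded"]))
    print("origin IP:", report["origin_ip"], "| broken Message-ID:", report["bad_message_id"])
```

With no trusted relays the script reports 208.178.127.18 as the only IP worth acting on,
exactly as the reply says; passing `trusted_relays={"208.178.127.18"}` (if you had reason
to believe that relay's logging) moves the vouched-for origin one hop back to
216.126.160.21, while the last Received: stays untrusted because it names no address.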